
The 11-point GDPR checklist every UK launch must pass

6 min read · Same Day Website Launch

Cookie banner, privacy notice, data-handling, ICO registration, sub-processor list. None of it is optional any more.

UK GDPR plus the Data Protection Act 2018 plus PECR — three frameworks, one site. We run every launch through this 11-point list before we hand over. Most of the items take ten minutes; getting them wrong takes years, because once the ICO opens a file the corrective measures and the audit trail run alongside the trading business in perpetuity.

Why this list exists

In the year to March 2025 the ICO took formal enforcement action 38 times against small businesses, with the median undertaking notice costing the business roughly 60 hours of management time to comply with — never mind the reputational drag. The fines themselves are rarely the worry for a sub-£1m turnover business; the audit trail and the implied "we are watching you" status are. Doing the eleven things below at launch costs almost nothing. Retro-fitting them after an ICO contact is the most expensive few weeks of the year.

1. Cookie banner with a first-layer Reject button

A reject button has to be on the first layer, with the same prominence as Accept. The ICO has fined sites for hiding it three clicks deep.

The pattern we ship

Our default banner has three buttons of equal visual weight: Accept all, Reject all, Customise. No pre-ticked optional categories. No "by continuing to browse you accept" language — the ICO has explicitly ruled that does not constitute consent under PECR. The choice is remembered for 12 months in a first-party cookie and can be revisited via a footer link labelled "Cookie preferences" on every page. A surprising number of WordPress sites we audit ship the default OneTrust template with Reject buried inside Customise — that pattern is exactly what the ICO's 2023-2024 sweep targeted.

2. Privacy notice that names every processor

GA4, the email host, the form processor, the CDN — every party that touches personal data needs to be named, with a purpose and a retention period.

The minimum table

Build a five-column table inside the privacy notice: processor name, what they do for you, what personal data they touch, where the data is hosted, and the retention period. Common rows for a UK SMB site:

Processor            | Role                | Personal data touched                    | Hosted in       | Retention
Google (GA4)         | analytics           | IP + behavioural                         | US (with SCCs)  | 14 months
Resend or SendGrid   | transactional email | name + email                             | EU/US           | until DSAR or 24 months
Stripe               | payments            | name, email, billing address, card token | US (with SCCs)  | 7 years for accounting
Vercel or Cloudflare | hosting and CDN     | IP + request data                        | global edge     | 90 days

Update the table whenever you change a tool. Most legal teams add a six-monthly review reminder.

3. Lawful basis for each processing activity

Contact forms = legitimate interest or consent. Marketing emails = consent only. Analytics = consent (PECR is stricter than UK GDPR here).

How to write the lawful basis cleanly

For each thing you do with personal data, write one sentence: "We process X data for Y purpose under Z lawful basis." Example: "We process your name and email submitted via the contact form for the purpose of responding to your enquiry, under the lawful basis of legitimate interest (responding to a customer-initiated contact)." Six basis options exist (consent, contract, legal obligation, vital interests, public task, legitimate interests); most SMB use covers two or three. The mistake we see most often: using "consent" as a fallback for things that genuinely do not need it (a contact form does not need consent — that is what "request" means) while skipping it for things that do (PECR demands consent before analytics or marketing cookies).

4. ICO registration

If you process personal data, you owe the ICO between £52 and £3,763 per year, depending on size and turnover. The 2025 increase moved tier 1 (small business) from £40 to £52, with a £5 discount for direct debit. Most small businesses skip it and hope. Don't — the ICO publishes a register of non-payers and runs annual sweeps against Companies House data.

5. Data Subject Access Request endpoint

A real email address that reaches a real person within 30 days. Not a generic info@.

The DSAR workflow

When a request lands you have one calendar month to provide the data, extendable by two more months for complex requests if you notify the requester within the first month. Build the process before you need it: a labelled inbox (dpo@ or privacy@), a checklist of every system where customer data could live (CRM, email host, accounting, support tickets, marketing automation, analytics, payment processor), a templated response email, and an export-then-redact step for each system. The ICO's guidance is generous on format — you can return PDFs of natural exports — but firm on the 30-day clock. Sole traders are not exempt.

6. International transfer safeguards

Using Stripe? Mailchimp? US-based hosts? You need a Standard Contractual Clauses pack on file.

The transfer-risk reality post-2025

The UK-US Data Bridge (live since October 2023) covers transfers to US organisations certified under the Data Privacy Framework. Stripe, Google, Microsoft, Amazon and Cloudflare are all certified. If your processor is on the DPF list, the SCCs are unnecessary for that route; you cite the Bridge instead. For non-certified US processors (some smaller SaaS), the UK addendum to the EU SCCs is the standard mechanism. Keep a single PDF per processor, named "DPF certificate – Stripe – 2026" or "IDTA – TinySaaS – 2026", in a folder the DPO can find without thinking.

7. Right to erasure

A documented process for deleting customer records on request. Most CRMs have a one-click button — make sure it's wired.

What "deleted" actually means

Erasure under UK GDPR Article 17 means the personal data is removed from production AND from backups within a reasonable backup-rotation window (typically 30-90 days), AND from any sub-processor that received the data via a forwarding pipeline (your CRM's connected email service, the analytics pixel that fired on the customer's sessions, the support tool the conversation lived in). Most owners do step one and miss steps two and three. Document the full pipeline once, and the documentation tells you what to delete every time.

8. Breach notification process

72 hours to notify the ICO. Have a template email ready before you need it.

What a "breach" actually is

Not just hackers and ransomware. The ICO's definition covers: a lost laptop with customer data on it, an email sent to the wrong distribution list, a misconfigured S3 bucket exposing exports, a stolen mobile phone with a CRM app logged in, a leaked SaaS API key that allowed read access to records, even a hard drive that crashed and was thrown away without secure wipe. The 72-hour clock starts when you become aware, not when you are certain — so the initial notification can say "still investigating, will follow up." Severity threshold for notification: if it is likely to result in a risk to rights and freedoms of the data subjects, notify. For most SMB breaches involving names and contact data, the answer is yes.

9. Cookie inventory

Every cookie the site drops, named, with a purpose and a duration, in the privacy notice.

How we audit

Open the site in a clean Chrome incognito window, accept all cookies, then export the cookie list from DevTools > Application > Cookies. Repeat with reject-all; the only cookies present should be strictly necessary (your session cookie, your CSRF token, the consent cookie itself). Anything else dropping before consent is a PECR violation. Cross-reference against the Privacy Notice table. The two things owners forget: Google's SameSite=None cookies dropped by embedded YouTube videos, and the Stripe SetupIntent cookies dropped by a checkout that loads early on the page.
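One way to turn the accept-all / reject-all comparison into a repeatable check, as an added example that is not part of the original article: it reads two constructed tab-separated cookie exports (name, domain, max-age in days) plus the notice inventory, and reports cookies that dropped before consent, cookies missing from the notice, and lifetimes that drift from what the notice states. The cookie names, domains and inventory are all constructed for a fictional site.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    max_age_days: Optional[int]   # None = session cookie

# Constructed privacy-notice inventory: cookie name -> (purpose, documented duration in days).
NOTICE_INVENTORY = {
    "session_id": ("Keeps you signed in", None),
    "csrf_token": ("Protects forms against cross-site requests", None),
    "cookie_consent": ("Remembers your cookie choice", 365),
    "_ga": ("Google Analytics visitor identifier", 365),   # notice says 12 months; audit below shows otherwise
}
# The only cookies allowed to drop before a choice is made: the strictly necessary set.
STRICTLY_NECESSARY = {"session_id", "csrf_token", "cookie_consent"}

def parse_export(tsv: str) -> list:
    """Parse a constructed tab-separated export: name, domain, max-age in days ('' = session)."""
    cookies = []
    for line in tsv.splitlines():
        if not line:
            continue
        name, domain, age = line.split("\t")
        cookies.append(Cookie(name, domain, int(age) if age else None))
    return cookies

def audit(reject_all: list, accept_all: list) -> dict:
    """Three findings: cookies present after reject-all (a PECR problem), cookies absent
    from the notice, and cookies whose real lifetime disagrees with the documented one."""
    pre_consent = sorted(c.name for c in reject_all if c.name not in STRICTLY_NECESSARY)
    undocumented = sorted(c.name for c in accept_all if c.name not in NOTICE_INVENTORY)
    mismatch = sorted(c.name for c in accept_all
                      if c.name in NOTICE_INVENTORY and NOTICE_INVENTORY[c.name][1] != c.max_age_days)
    return {"pre_consent": pre_consent, "undocumented": undocumented, "duration_mismatch": mismatch}

# Constructed captures: the reject-all run still shows a third-party cookie from an embedded player.
REJECT_ALL_EXPORT = "\n".join([
    "session_id\texample.test\t",
    "csrf_token\texample.test\t",
    "cookie_consent\texample.test\t365",
    "yt_embed_pref\tvideo.example.test\t",   # dropped before any choice was made
])
ACCEPT_ALL_EXPORT = "\n".join([REJECT_ALL_EXPORT, "_ga\texample.test\t730", "video_visitor\tvideo.example.test\t180"])

if __name__ == "__main__":
    for finding, names in audit(parse_export(REJECT_ALL_EXPORT), parse_export(ACCEPT_ALL_EXPORT)).items():
        print(f"{finding}: {names or 'none'}")
```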

10. Consent log

Who consented to what, when, from which IP. Most consent management platforms include this — turn it on.

What good evidence looks like

A row per consent event: timestamp (ISO 8601), the user identifier (a UUID if anonymous, an email if known), the consent state (granted / denied) for each category (essential / analytics / marketing), the IP at the moment of choice (often a salted hash for storage minimisation), and the version of the cookie notice in force at that moment. If the ICO ever asks "did this customer consent to that processing," you produce the row and the matching notice version. Without the log, the answer is "we think so" — which is not a defence.
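An added example, not from the original article, of the consent log the paragraph describes: one row per event carrying a keyed hash of the IP and the notice version in force, plus the lookup that answers "did this customer consent to that processing at that time?" from the log alone. The salt, subject identifiers, IP addresses and notice versions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
import hashlib, hmac

CATEGORIES = ("essential", "analytics", "marketing")
IP_SALT = b"constructed-demo-salt-rotate-me"   # constructed; keep a real one outside the code and rotate it

@dataclass(frozen=True)
class ConsentEvent:
    timestamp: str        # ISO 8601 with offset, e.g. 2026-01-10T09:00:00+00:00
    subject_id: str       # UUID while anonymous, email once the person is known
    states: dict          # category -> True (granted) / False (denied)
    ip_hash: str          # keyed hash of the IP at the moment of choice, never the raw IP
    notice_version: str   # cookie notice version shown when the choice was made

def hash_ip(ip: str) -> str:
    """Keyed SHA-256 of the IP: enough to match a later dispute, not enough to recover the IP."""
    return hmac.new(IP_SALT, ip.encode(), hashlib.sha256).hexdigest()

def record(log: list, timestamp: str, subject_id: str, states: dict, ip: str, notice_version: str) -> ConsentEvent:
    """Append one row per consent event, with an explicit value for every category."""
    if set(states) != set(CATEGORIES):
        raise ValueError(f"states must cover exactly {CATEGORIES}")
    if not states["essential"]:
        raise ValueError("strictly necessary cookies are not subject to consent")
    datetime.fromisoformat(timestamp)   # reject malformed timestamps before they reach the log
    event = ConsentEvent(timestamp, subject_id, dict(states), hash_ip(ip), notice_version)
    log.append(event)
    return event

def consent_at(log: list, subject_id: str, category: str, at: str):
    """Return (granted, notice_version) from the latest row for the subject at or before `at`,
    or None when no row exists: the "we think so" position the text warns against."""
    when = datetime.fromisoformat(at)
    rows = [e for e in log if e.subject_id == subject_id
            and datetime.fromisoformat(e.timestamp) <= when]
    if not rows:
        return None
    latest = max(rows, key=lambda e: datetime.fromisoformat(e.timestamp))
    return latest.states[category], latest.notice_version

if __name__ == "__main__":
    log = []   # constructed events for one visitor who later withdrew analytics consent
    record(log, "2026-01-10T09:00:00+00:00", "user-1",
           {"essential": True, "analytics": True, "marketing": False}, "203.0.113.7", "notice-v3")
    record(log, "2026-02-01T12:00:00+00:00", "user-1",
           {"essential": True, "analytics": False, "marketing": False}, "203.0.113.7", "notice-v4")
    print(consent_at(log, "user-1", "analytics", "2026-01-20T00:00:00+00:00"))   # (True, 'notice-v3')
```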

11. Minor protections

If anyone under 13 might use the site, parental consent flow plus age gate. Most B2B sites can skip; B2C with any youth angle cannot.

Beyond the basics — the Children's Code

The ICO's Age Appropriate Design Code applies to any online service "likely to be accessed by children" — not just services aimed at children. Toy retailers, sports clubs, music shops: anything with a youth angle falls in scope. The 15 standards include data minimisation defaults set to the highest privacy setting for child users, no profiling, no behavioural advertising aimed at children, transparency in language a child can understand, and impact assessments for any feature that processes children's data. Practical effect on a small site: an age gate at signup, a privacy-by-default profile setting, and a child-friendly summary of the privacy notice — written at roughly the reading age of a Year 7 student.

When the Information Commissioner does come knocking

A first ICO contact is rarely the fine — it is usually an information notice asking for evidence of the eleven items above. Respond within the 28-day window, attach the documentation you built at launch, and the matter typically closes without further action. The businesses that get hit with monetary penalties are the ones who either ignored the information notice or sent a defensive non-answer. Have a single named individual responsible for the response, take the time to answer fully, and treat the exchange as a regulatory conversation rather than an adversarial one. The ICO's small-business team is generally pragmatic; they understand that a four-person firm does not have a dedicated DPO, and they respond well to honest engagement. Most cases close inside three months without any further obligation beyond confirming the gaps have been closed.
