NullShield


Is Your Website GDPR Compliant? 7 Things to Check

A practical guide to GDPR website compliance covering cookies, analytics consent, privacy policies, and data handling for UK businesses.

The UK GDPR and the Data Protection Act 2018 apply to every organisation that collects, stores, or processes personal data of UK residents. Your website is almost certainly doing this — through contact forms, analytics, cookies, newsletter sign-ups, or user accounts. Fines for non-compliance can reach £17.5 million or 4% of global turnover, but even without enforcement action, a non-compliant website erodes customer trust.

Here are seven things you should check right now. Most take less than an hour to fix.

1. Cookie Consent Banner

Under PECR (Privacy and Electronic Communications Regulations) and UK GDPR, you must obtain informed consent before setting non-essential cookies. This means:

  • No cookies should be set before the user makes a choice — not even analytics cookies.
  • The banner must offer a genuine choice: "Accept" and "Reject" buttons must be equally prominent. No dark patterns.
  • Users must be able to withdraw consent as easily as they gave it.
  • Essential cookies (session management, security) do not require consent but should be disclosed.

NullShield scans detect cookies set before consent and flag third-party tracking scripts that load without user permission. Run a free scan to check your cookie behaviour.

2. Analytics Consent

Google Analytics, Meta Pixel, Hotjar, and similar tools collect personal data (IP addresses, device fingerprints, browsing behaviour). Under UK GDPR, these require explicit opt-in consent. Loading these scripts before consent is a violation.

  • Use Google Consent Mode v2 or equivalent to defer analytics until consent is given.
  • Consider privacy-first alternatives like Plausible or Fathom that do not use cookies and can operate without consent banners.
  • Document your lawful basis for processing analytics data in your privacy policy.
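The following is an added example, not NullShield's code or part of the original post, showing the "nothing before consent" rule from sections 1 and 2 in working JavaScript: Consent Mode v2 defaults pushed as denied, scripts loaded only once their consent type is granted, and a pre-consent cookie audit. The essential-cookie allow-list, the script registry and the simulated `dataLayer` are assumptions for the example.

```javascript
// Added example (not NullShield's or the post's code): a consent gate in the
// shape of Google Consent Mode v2, plus a pre-consent cookie audit. Runs in
// Node for inspection; in a browser the cookie string would be document.cookie.

// Google's published pattern: gtag() pushes onto dataLayer. Constructed here so
// the consent calls can be inspected without a browser or the real tag.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// The four Consent Mode v2 storage types. All start denied, so nothing that
// needs consent runs before the visitor has made a choice.
const CONSENT_TYPES = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function setConsentDefaults() {
  const defaults = Object.fromEntries(CONSENT_TYPES.map((t) => [t, 'denied']));
  gtag('consent', 'default', defaults); // must be pushed before any tag loads
  return defaults;
}

// Accept, reject and withdraw are the same call with a different value, so
// withdrawing consent is exactly as easy as giving it.
function recordChoice(granted) {
  const state = Object.fromEntries(CONSENT_TYPES.map((t) => [t, granted ? 'granted' : 'denied']));
  gtag('consent', 'update', state);
  return state;
}

// Load a script only when the consent type it depends on is granted.
// registry entries: { src, requires } where requires is a consent type or null
// (null = essential, e.g. your own app bundle). loader(src) is supplied by the caller.
function loadPermittedScripts(registry, consent, loader) {
  return registry
    .filter((s) => s.requires === null || consent[s.requires] === 'granted')
    .map((s) => { loader(s.src); return s.src; });
}

// Pre-consent audit: any cookie outside the essential allow-list that exists
// before the visitor chose is a finding. The allow-list is an assumption;
// replace it with your own session/security cookie names.
const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token']);
function parseCookieNames(cookieString) {
  return cookieString.split(';').map((c) => c.trim().split('=')[0]).filter(Boolean);
}
function preConsentViolations(cookieString) {
  return parseCookieNames(cookieString).filter((n) => !ESSENTIAL_COOKIES.has(n));
}
```

Run `preConsentViolations` against the cookie jar as it stands before the banner is answered; a non-empty result is exactly the behaviour a scanner flags.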

3. Privacy Policy

Every website that collects personal data must have a clear, accessible privacy policy. It must include:

  • Who you are — Your organisation name, address, and contact details. If you have a Data Protection Officer (DPO), their contact information.
  • What data you collect — Be specific. "Personal information" is not sufficient. List form fields, cookies, analytics data, IP addresses, etc.
  • Why you collect it — State your lawful basis for each type of processing (consent, legitimate interest, contractual necessity, etc.).
  • How long you keep it — Define retention periods for each data type.
  • Who you share it with — List all third-party processors (payment providers, analytics, email services, hosting).
  • Data subject rights — Explain how users can access, correct, delete, or export their data.

4. Contact Forms and Data Collection

Every form that collects personal data should:

  • Only ask for data you genuinely need (data minimisation principle).
  • Include a link to your privacy policy at the point of collection.
  • Use separate, unticked checkboxes for marketing consent — never pre-ticked.
  • Transmit data over HTTPS. NullShield checks your TLS configuration to ensure data in transit is encrypted.

5. Data Storage and Security

GDPR Article 32 requires "appropriate technical and organisational measures" to protect personal data. For websites, this means:

  • Encrypt data at rest and in transit (AES-256 and TLS 1.2/1.3 minimum).
  • Implement access controls — not everyone in your organisation needs access to customer data.
  • Use strong security headers to protect against XSS, clickjacking, and data exfiltration.
  • Regularly test your security. This is where automated scanning becomes essential.
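As an added example (not NullShield's scanner or code from the post), here is a header audit for the three risks the list names: missing HSTS for transit encryption, a CSP that still permits inline scripts (XSS), no framing protection (clickjacking), and a referrer policy that leaks URLs to third parties. It takes a plain object of lower-cased header names, as you would build from a `fetch()` response's `Headers`; the sample inputs in the test are constructed.

```javascript
// Added example (not NullShield's scanner): audit a response's security
// headers. Input: { 'header-name': 'value' } with lower-cased names.

const ONE_YEAR = 31536000; // seconds; the common minimum for HSTS max-age

// "default-src 'self'; script-src 'self' cdn.example" -> { 'default-src': [...], ... }
function cspDirectives(csp) {
  return Object.fromEntries(
    csp.split(';').map((d) => d.trim().split(/\s+/)).filter((p) => p[0])
      .map(([name, ...values]) => [name, values]));
}

function auditSecurityHeaders(headers) {
  const findings = [];
  const h = (name) => headers[name.toLowerCase()];

  // Transit encryption: HSTS present and long-lived
  const hsts = h('strict-transport-security');
  const maxAge = hsts && /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else if (!maxAge || Number(maxAge[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');

  // XSS: a CSP exists and script-src (or its default-src fallback) is not 'unsafe-inline'
  const csp = h('content-security-policy');
  const d = csp ? cspDirectives(csp) : {};
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!csp) findings.push('missing Content-Security-Policy');
  else if (!scriptSrc || scriptSrc.includes("'unsafe-inline'")) findings.push('CSP allows inline scripts');

  // Clickjacking: frame-ancestors (preferred) or the legacy X-Frame-Options
  if (!d['frame-ancestors'] && !h('x-frame-options')) findings.push('no framing protection');

  // Referrer leakage: full URLs (and any personal data in them) sent cross-origin
  const rp = (h('referrer-policy') || '').toLowerCase();
  const safe = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
  if (!safe.includes(rp)) findings.push('weak or missing Referrer-Policy');

  return findings;
}
```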

6. Third-Party Services and Data Transfers

If you use services that process data outside the UK (most cloud services), you need:

  • A lawful transfer mechanism — UK adequacy decisions, UK International Data Transfer Agreements (IDTAs), or Standard Contractual Clauses (SCCs).
  • Data Processing Agreements (DPAs) with every third-party processor.
  • Disclosure in your privacy policy of all international transfers and the safeguards in place.

Review all scripts loaded on your website. Each one may be a data processor. NullShield's technology fingerprinting identifies third-party scripts and services running on your site.

7. Data Breach Response Plan

Under UK GDPR, you must report certain data breaches to the ICO within 72 hours. You need:

  • A documented incident response procedure — who to contact, what to log, how to contain the breach.
  • Contact details for the ICO breach reporting service.
  • A template for notifying affected individuals if the breach poses a high risk to their rights.
  • Regular security scanning to detect breaches early. Many breaches go undetected for months. Automated monitoring with NullShield helps you catch configuration changes and new vulnerabilities before they lead to a breach.

Next Steps

GDPR compliance is not a one-time project. Your website changes, new third-party scripts get added, team members update forms, and regulations evolve. Build compliance into your regular workflow:

  • Audit your cookie consent implementation quarterly.
  • Review your privacy policy whenever you add a new service or data collection point.
  • Run automated security scans monthly to catch regressions.
  • Consider Cyber Essentials certification as evidence of your security posture.

Check your website's security and compliance

NullShield scans for cookie issues, missing headers, TLS problems, and exposed data — all things that affect GDPR compliance.
