Is your website GDPR compliant? A practical checklist
Published February 2026 · By Simon Todd
GDPR has been in effect since 2018, but many websites in Northern Ireland and Ireland still aren't fully compliant. The good news: it's not as complicated as it sounds. Here's a practical checklist of what your website actually needs.
Note: This is practical guidance, not legal advice. If you handle sensitive personal data (healthcare, financial, children's data), consult a data protection specialist. For most small business websites, this checklist covers what you need.
1. Privacy policy
Every website that collects any personal data needs a privacy policy. This includes websites with contact forms, analytics, newsletter signups, or any other data collection.
Your privacy policy should explain: what data you collect, why you collect it, how long you keep it, who you share it with, and how people can request access to or deletion of their data. It should be written in plain English, not legal jargon.
The privacy policy must be accessible from every page—typically linked in the footer.
2. Cookie consent
If your website uses cookies (or similar technologies such as local storage and tracking pixels) beyond what's strictly necessary for the site to function, you need a cookie consent banner. This includes Google Analytics, Facebook Pixel, marketing cookies, and most third-party scripts. Strictly speaking the cookie rules come from the ePrivacy rules (PECR in the UK) rather than GDPR itself, but they use the GDPR standard of consent and the same regulator enforces both.
The banner must give visitors a genuine choice: they should be able to reject non-essential cookies as easily as they accept them. Pre-ticked boxes and "accept or leave" approaches are not compliant. Non-essential cookies and scripts must not be set or loaded until the visitor has actively accepted, and withdrawing consent must be as easy as giving it.
Strictly necessary cookies (session cookies, security cookies, load balancer cookies, and the cookie that records the visitor's consent choice itself) don't require consent, but you should still list them in your cookie policy.
3. Contact forms
Every form that collects personal data should include a link to your privacy policy and explain what you'll do with the information. You don't necessarily need a checkbox (legitimate interest can apply for business enquiries), but you should be transparent about how submissions are handled.
If you're adding someone to a marketing email list, that does require explicit opt-in consent—a separate, unticked checkbox.
4. Analytics and tracking
Google Analytics 4 can be configured to be more privacy-friendly than its predecessor, but it still places cookies and should be covered by your cookie consent mechanism. Consider whether you need analytics at all—if you're not actively using the data, it's unnecessary risk.
If you use Facebook Pixel, LinkedIn Insight Tag, or any other marketing tracking, these definitely require cookie consent before firing.
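The requirements in sections 2 and 4 come down to one mechanism: nothing non-essential loads until the visitor actively opts in, rejecting is as easy as accepting, and the choice can be withdrawn. The following is an added example of that mechanism, not code from the original post. The cookie name, policy version, category names and the two placeholder script URLs are assumptions; a real site would list its actual tags (for example GA4 and the Facebook Pixel) and the cookies they set.

```javascript
// Consent-gated loading of non-essential scripts (added example, not from the original post).
// Strictly necessary cookies (session, CSRF, the consent record itself) never wait for
// consent; everything listed in TAGS is held back until the visitor has actively opted in.

const CONSENT_COOKIE = 'cookie_consent';   // name is an assumption
const CONSENT_VERSION = 1;                 // bump when the cookie policy changes, so old consent is re-asked
const CATEGORIES = ['analytics', 'marketing'];

// Placeholder third-party tags (assumed URLs); real deployments list GA4, Facebook Pixel, etc.
const TAGS = [
  { id: 'analytics-tag', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { id: 'ads-pixel',     category: 'marketing', src: 'https://ads.example/pixel.js' },
];

// Cookies those tags are known to set, so withdrawal can clear them (example names).
const TRACKING_COOKIES = ['_ga', '_fbp'];

// No decision recorded: every non-essential category is off. Nothing is pre-ticked.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Parse the consent record out of a document.cookie / Cookie-header string.
// Returns null (treated as "no decision, load nothing") when the cookie is absent,
// malformed, or was written under an older policy version.
function parseConsentCookie(cookieString) {
  const pair = (cookieString || '').split(';')
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  try {
    const data = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    if (data.v !== CONSENT_VERSION) return null;
    const choices = defaultChoices();
    for (const c of CATEGORIES) {
      if (typeof data[c] !== 'boolean') return null;   // fail closed on anything odd
      choices[c] = data[c];
    }
    return choices;
  } catch (e) {
    return null;   // not JSON, bad encoding: fail closed
  }
}

// Build the cookie string that records the visitor's choice. The record is itself
// strictly necessary, so it can be set without consent. Anything not explicitly true is false.
function serializeConsentCookie(choices, maxAgeSeconds = 180 * 24 * 3600) {
  const payload = { v: CONSENT_VERSION, ts: Date.now() };
  for (const c of CATEGORIES) payload[c] = choices[c] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(payload))}` +
    `; Path=/; Max-Age=${maxAgeSeconds}; SameSite=Lax; Secure`;
}

// Which tags may fire under the given choices. null (no decision yet) loads nothing.
function tagsToLoad(choices) {
  if (!choices) return [];
  return TAGS.filter((t) => choices[t.category] === true);
}

// Withdrawal must be as easy as consenting: record all-off and expire the tracking cookies.
function withdrawConsent() {
  const choices = defaultChoices();
  const cookies = [serializeConsentCookie(choices)];
  for (const name of TRACKING_COOKIES) cookies.push(`${name}=; Path=/; Max-Age=0; SameSite=Lax; Secure`);
  return { choices, cookies };
}

// Inject only the permitted scripts; safe to call repeatedly.
function injectTags(doc, choices) {
  for (const t of tagsToLoad(choices)) {
    if (doc.getElementById(t.id)) continue;
    const s = doc.createElement('script');
    s.id = t.id; s.src = t.src; s.async = true;
    doc.head.appendChild(s);
  }
}

// Browser wiring: two equally prominent buttons, no pre-selection. Guarded so the
// module also runs under Node without a DOM.
if (typeof document !== 'undefined') {
  const saved = parseConsentCookie(document.cookie);
  if (saved) {
    injectTags(document, saved);
  } else {
    const banner = document.createElement('div');
    banner.innerHTML = '<p>We use optional analytics and marketing cookies.</p>' +
      '<button id="consent-accept">Accept all</button> <button id="consent-reject">Reject all</button>';
    document.body.appendChild(banner);
    const decide = (choices) => {
      document.cookie = serializeConsentCookie(choices);
      injectTags(document, choices);
      banner.remove();
    };
    banner.querySelector('#consent-accept').onclick = () => decide({ analytics: true, marketing: true });
    banner.querySelector('#consent-reject').onclick = () => decide(defaultChoices());
  }
}
```

Two design points worth copying even if you use an off-the-shelf consent tool: the tags must be absent from the page markup entirely and only injected after a recorded decision (a tag that loads and is merely told "no consent" afterwards has already set its cookies), and a malformed or out-of-date consent record is treated as no consent rather than as permission.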
5. SSL certificate (HTTPS)
While not strictly a GDPR requirement, transmitting personal data (a contact form submission, for instance) over an unencrypted HTTP connection is hard to justify as "appropriate technical measures." Every page should be served over HTTPS, with plain HTTP requests redirected to HTTPS so a form can never be submitted in the clear. Our hosting includes SSL/TLS certificates as standard.
6. Data processing agreements
If you use third-party services that process personal data on your behalf—email marketing providers, CRM systems, analytics tools—you should have a data processing agreement in place with each one. Most major providers (Mailchimp, Google, etc.) have standard DPAs available. Check where each provider actually processes the data: if that is outside the UK or EU, the agreement also needs to cover the international transfer.
7. UK vs Ireland: any differences?
For businesses in Northern Ireland, GDPR has been incorporated into UK law as the "UK GDPR" alongside the Data Protection Act 2018. The ICO (Information Commissioner's Office) is the regulator.
For businesses in the Republic of Ireland, the EU GDPR applies directly, with the DPC (Data Protection Commission) as the regulator.
In practice, the requirements are almost identical for small business websites. The main difference is which regulator you'd deal with; the cookie rules sit in PECR for the UK and the ePrivacy Regulations for Ireland, but both regulators expect the same opt-in standard. Cross-border businesses (common in NI) should be aware of both.
Quick compliance checklist
- Privacy policy in plain English, linked from every page
- Cookie banner with an equally easy reject option, nothing pre-ticked, non-essential scripts blocked until consent
- Every form links to the privacy policy; marketing sign-ups use a separate, unticked opt-in checkbox
- Analytics and marketing tags only fire after consent (or are removed if you don't use the data)
- HTTPS on every page, with HTTP redirected
- Data processing agreements with every third-party processor
- Know your regulator: ICO for Northern Ireland, DPC for the Republic of Ireland
Need help making your website compliant?
Every website we build at SimonTodd includes GDPR compliance as standard—privacy policy templates, cookie consent implementation, secure forms, and SSL. If your existing website needs a compliance review, our website audit service covers GDPR alongside performance and SEO.