Guide · 13 min read

⚖️ UK Website Compliance 2026 — The Full Legal Checklist

UK GDPR plus the Data Protection Act 2018 plus PECR plus the Online Safety Act plus the SRA/regulator-specific rules. The complete 2026 compliance checklist every UK website needs, with the specific thresholds and the ICO's current enforcement priorities.

TL;DR

Every UK website needs: a cookie banner with a real reject-all option, a privacy notice naming every third-party processor, a lawful basis for each processing activity, ICO Data Protection Fee paid (£52-£3,763 depending on size), a DSAR endpoint, international transfer safeguards (Stripe et al. via the UK-US Data Bridge), a right-to-erasure process, a breach-notification template ready (72-hour ICO clock), a complete cookie audit, a consent log, and minor-protection compliance if the Children's Code applies.

UK GDPR plus the Data Protection Act 2018 plus PECR — three frameworks, one website. Plus the Online Safety Act 2023, plus the regulator-specific rules for legal, medical, financial and other regulated sectors. This guide is the complete 2026 compliance checklist with the current thresholds and the ICO's active enforcement priorities.

Why this list exists

In the year to March 2025 the ICO took formal enforcement action 38 times against small businesses, with the median undertaking notice costing the business roughly 60 hours of management time to comply with — never mind the reputational drag. The fines themselves are rarely the worry for a sub-£1m turnover business; the audit trail and the implied "we are watching you" status is. Doing the items below at launch costs almost nothing. Retro-fitting them after an ICO contact is the most expensive few weeks of the year.

1. Cookie banner with a real reject-all option

A reject button has to be on the first layer, same prominence as accept. The ICO has fined sites for hiding it three clicks deep. The pattern we ship: three buttons of equal visual weight — Accept all, Reject all, Customise. No pre-ticked optional categories. No "by continuing to browse you accept" language; the ICO has explicitly ruled that does not constitute consent under PECR. The choice is remembered for 12 months in a first-party cookie and can be revisited via a footer link labelled "Cookie preferences" on every page.
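As an added example that is not part of the guide, this is how the consent cookie described above can be written and read back so that no optional tag loads without an explicit opt-in. The cookie name (cookie_consent), the category names and the JSON payload layout are assumptions made for this illustration; the 12-month lifetime, the first-party requirement and the "nothing pre-ticked" default come from the text.

```javascript
// Added example, not the guide's own code: the first-party consent cookie
// the banner writes. The cookie name, category names and payload layout are
// assumptions made for this illustration.

const CONSENT_COOKIE = "cookie_consent";            // assumed cookie name
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];
const TWELVE_MONTHS_SECONDS = 365 * 24 * 60 * 60;   // 31536000

// State before the visitor clicks anything: no optional category is pre-ticked.
// "essential" is not a choice, so it is always true.
function defaultConsent() {
  return { essential: true, analytics: false, marketing: false };
}

// Accept only an explicit `true` per optional category; anything else
// (missing, null, "on", 1) counts as refused. Unknown keys are dropped.
function normaliseConsent(choice) {
  const state = defaultConsent();
  if (!choice || typeof choice !== "object") return state;
  for (const cat of OPTIONAL_CATEGORIES) state[cat] = choice[cat] === true;
  return state;
}

// Set-Cookie header value for the visitor's choice. Max-Age gives the 12-month
// memory; Path=/ makes the choice readable on every page (so the footer
// "Cookie preferences" link can show it); Secure and SameSite=Lax keep it a
// first-party cookie that is not sent on cross-site requests.
function buildConsentCookie(choice, noticeVersion) {
  const payload = { v: noticeVersion, ...normaliseConsent(choice) };
  const value = encodeURIComponent(JSON.stringify(payload));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${TWELVE_MONTHS_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Read the choice back from a Cookie request header. A missing or malformed
// cookie means "nothing consented to", never "accept".
function parseConsentCookie(cookieHeader) {
  for (const pair of String(cookieHeader || "").split(";")) {
    const eq = pair.indexOf("=");
    if (eq === -1 || pair.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const payload = JSON.parse(decodeURIComponent(pair.slice(eq + 1).trim()));
      if (!payload || typeof payload !== "object") break;
      return { version: payload.v ?? null, state: normaliseConsent(payload) };
    } catch {
      break;
    }
  }
  return { version: null, state: defaultConsent() };
}

// Gate for every optional tag (GA4, marketing pixels): load only after an
// explicit opt-in for that category, and only while the consent was given
// against the notice version currently in force. A notice change re-asks.
function mayLoad(category, cookieHeader, currentNoticeVersion) {
  if (category === "essential") return true;
  const { version, state } = parseConsentCookie(cookieHeader);
  return version === currentNoticeVersion && state[category] === true;
}
```

The version field is what ties a stored choice to the notice it was given against: when the cookie notice changes, the stored version no longer matches and every optional tag is held back until the banner is answered again, which is the behaviour the consent log in item 10 relies on.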

2. Privacy notice that names every processor

GA4, the email host, the form processor, the CDN — every party that touches personal data needs to be named, with a purpose and a retention period. Build a five-column table inside the privacy notice: Processor name, what they do for you, what personal data they touch, where the data is hosted, retention period. Common rows for a UK SMB site:

Processor | What they do for you | Personal data they touch | Where the data is hosted | Retention period
Google (GA4) | analytics | IP + behavioural | US (with UK-US Data Bridge) | 14 months
Resend or SendGrid | transactional email | name + email | EU/US | until DSAR or 24 months
Stripe | payments | name, email, billing address, card token | US (with Data Bridge) | 7 years for accounting
Vercel or Cloudflare | hosting and CDN | IP + request data | global edge | 90 days

3. Lawful basis for each processing activity

For each thing you do with personal data, write one sentence: "We process X data for Y purpose under Z lawful basis." Six basis options exist (consent, contract, legal obligation, vital interests, public task, legitimate interests); most SMB use covers two or three. Common pattern: contact forms = legitimate interest; marketing emails = consent only; analytics = consent (PECR is stricter than UK GDPR here). The mistake we see most often: using "consent" as a fallback for things that genuinely do not need it (a contact form does not need consent — that is what "request" means) while skipping it for things that do (PECR demands consent before analytics or marketing cookies).

4. ICO Data Protection Fee

If you process personal data, you owe the ICO between £52 and £3,763 per year, depending on size and turnover. The 2025 increase moved tier 1 (small business under 10 staff, under £632k turnover) from £40 to £52, with a £5 discount for direct debit. Most small businesses skip it and hope. Do not — the ICO publishes a register of non-payers and runs annual sweeps against Companies House data.

5. Data Subject Access Request endpoint

A real email address that reaches a real person within 30 days. Not a generic info@. When a request lands you have one calendar month to provide the data, extendable by two more months for complex requests if you notify the requester within the first month. Build the process before you need it: a labelled inbox (dpo@ or privacy@), a checklist of every system where customer data could live (CRM, email host, accounting, support tickets, marketing automation, analytics, payment processor), a templated response email, and an export-then-redact step for each system.

6. International transfer safeguards

The UK-US Data Bridge (live since October 2023) covers transfers to US organisations certified under the Data Privacy Framework. Stripe, Google, Microsoft, Amazon and Cloudflare are all certified. If your processor is on the DPF list, the Standard Contractual Clauses are unnecessary for that route; you cite the Bridge instead. For non-certified US processors (some smaller SaaS), the UK addendum to the EU SCCs is the standard mechanism. Keep a single PDF per processor — "DPF certificate – Stripe – 2026" or "IDTA – TinySaaS – 2026" — in a folder the DPO can find without thinking.

7. Right to erasure

A documented process for deleting customer records on request. Erasure under UK GDPR Article 17 means the personal data is removed from production AND from backups within a reasonable backup-rotation window (typically 30-90 days), AND from any sub-processor that received the data via a forwarding pipeline. Most owners do step one and miss steps two and three.

8. Breach notification process

72 hours to notify the ICO. Have a template email ready before you need it. The ICO's definition of "breach" covers more than hackers and ransomware: a lost laptop with customer data on it, an email sent to the wrong distribution list, a misconfigured S3 bucket exposing exports, a stolen mobile phone with a CRM app logged in, a leaked SaaS API key. The 72-hour clock starts when you become aware, not when you are certain — so the initial notification can say "still investigating, will follow up".

9. Cookie audit

Every cookie the site drops, named, with a purpose and a duration, in the privacy notice. Audit method: open the site in a clean Chrome incognito window, accept all cookies, export the cookie list from DevTools > Application > Cookies. Repeat with reject-all; the only cookies present should be strictly necessary (your session cookie, your CSRF token, the consent cookie itself). Anything else dropping before consent is a PECR violation.
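Added example, not the guide's own tooling: the reject-all comparison above as a script run over a cookie list pasted out of DevTools. The allowlist entries, the tab-separated export layout and the sample rows (example.co.uk as the site, a GA4 cookie and a constructed marketing cookie) are assumptions for this illustration.

```javascript
// Added example, not the guide's own code: classify the cookies seen in the
// reject-all run against the strictly-necessary allowlist. The allowlist, the
// tab-separated export layout and the sample rows are constructed.

// The only cookies allowed to exist after "Reject all": the session cookie,
// the CSRF token and the consent cookie itself. Each carries the purpose and
// duration the privacy notice has to state for it.
const STRICTLY_NECESSARY = {
  session_id:     { purpose: "keeps you signed in for the visit", duration: "session" },
  csrf_token:     { purpose: "protects forms against cross-site request forgery", duration: "session" },
  cookie_consent: { purpose: "remembers your cookie choice", duration: "12 months" },
};

// Own-property lookup only: a cookie named "constructor" or "toString" must
// not match an inherited Object property and slip through as allowed.
function necessaryEntry(name) {
  return Object.prototype.hasOwnProperty.call(STRICTLY_NECESSARY, name)
    ? STRICTLY_NECESSARY[name]
    : undefined;
}

// Sample reject-all run (constructed). Columns: name, domain, expiry.
const REJECT_ALL_EXPORT = [
  "session_id\texample.co.uk\tSession",
  "csrf_token\texample.co.uk\tSession",
  "cookie_consent\texample.co.uk\t2027-03-01T00:00:00.000Z",
  "_ga\t.example.co.uk\t2027-03-01T00:00:00.000Z",
  "mkt_id\t.ads.example.net\t2026-09-01T00:00:00.000Z",
].join("\n");

// Parse the pasted export into objects; blank lines are ignored.
function parseCookieExport(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((line) => {
    const [name, domain = "", expires = "Session"] = line.split("\t").map((f) => f.trim());
    return { name, domain, expires };
  });
}

// A cookie is first-party if its domain is the site or a subdomain of it
// (a leading dot, as in .example.co.uk, is ignored).
function isFirstParty(domain, siteDomain) {
  const d = domain.replace(/^\./, "");
  return d === siteDomain || d.endsWith("." + siteDomain);
}

// Compare the reject-all run with the allowlist. Anything not on the list, or
// on the list but set on a third-party domain, was dropped without consent.
function auditRejectAllRun(exportText, siteDomain) {
  const allowed = [];
  const violations = [];
  for (const c of parseCookieExport(exportText)) {
    const entry = necessaryEntry(c.name);
    if (entry && isFirstParty(c.domain, siteDomain)) {
      allowed.push({ ...c, ...entry });
    } else {
      const reason = entry ? "allowlisted name on a third-party domain" : "not strictly necessary";
      violations.push({ ...c, reason });
    }
  }
  return { allowed, violations, compliant: violations.length === 0 };
}

// Rows for the "every cookie named" table, built from the accept-all run:
// allowlisted cookies carry their stated purpose and duration; every other
// cookie comes back with a placeholder so the owner has to categorise it
// before the notice is published.
function privacyNoticeRows(acceptAllExportText) {
  return parseCookieExport(acceptAllExportText).map((c) => {
    const entry = necessaryEntry(c.name);
    return {
      name: c.name,
      category: entry ? "strictly necessary" : "TO CATEGORISE (analytics/marketing)",
      purpose: entry ? entry.purpose : "TO DESCRIBE",
      duration: entry ? entry.duration : c.expires,
    };
  });
}
```

Run auditRejectAllRun over the reject-all export and privacyNoticeRows over the accept-all export; the first must come back compliant before launch, and the second is the starting point for the cookie table in the privacy notice. Note that a GA4 cookie sits on the site's own domain, so "first-party" alone is not the test: the allowlist is.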

10. Consent log

Who consented to what, when, from which IP. A row per consent event with timestamp (ISO 8601), the user identifier (a UUID if anonymous, an email if known), the consent state per category (essential / analytics / marketing), the IP at the moment of choice (often a salted hash for storage minimisation), and the version of the cookie notice in force. If the ICO ever asks "did this customer consent to that processing," you produce the row and the matching notice version. Without the log, the answer is "we think so" — which is not a defence.

11. Children's Code (if applicable)

The ICO's Age Appropriate Design Code applies to any online service "likely to be accessed by children" — not just services aimed at children. Toy retailers, sports clubs, music shops, anything with a youth angle: all fall in scope. The 15 standards include data minimisation defaults set to the highest privacy setting for child users, no profiling, no behavioural advertising aimed at children, and transparency in language a child can understand. Practical effect on a small site: an age gate at signup, a privacy-by-default profile setting, and a child-friendly summary of the privacy notice — written at roughly the reading age of a Year 7 student.

12. Online Safety Act 2023

The OSA applies to user-to-user services and search services accessed in the UK. For most marketing websites it is not in scope — the site needs to allow users to share content with each other for the OSA to apply. For sites with comment sections, forums, or user-generated content, the OSA imposes risk-assessment, user-empowerment-tool and reporting obligations. Most UK SMB marketing sites can confirm OSA is out of scope on the privacy-notice review; sites with UGC need a proper compliance pass.

When the ICO does come knocking

A first ICO contact is rarely the fine — it is usually an information notice asking for evidence of the items above. Respond within the 28-day window, attach the documentation you built at launch, and the matter typically closes without further action. The businesses that get hit with monetary penalties are the ones who either ignored the information notice or sent a defensive non-answer. Have a single named individual responsible for the response, take the time to answer fully, and treat the exchange as a regulatory conversation rather than an adversarial one. Most cases close inside three months.

FAQ

Common questions

Do I need to pay the ICO fee if I only collect emails on a contact form?

Yes — processing email addresses for the purpose of responding to enquiries is processing personal data, which triggers the registration requirement. Sole traders and small businesses pay tier 1 at £52/year.

Can I just copy a privacy notice from another site?

No — your privacy notice has to name your specific processors, your specific lawful bases, your specific retention periods. Copying another site's notice produces a document that does not match your actual data handling, which is itself a UK GDPR compliance failure.

What about GDPR-K / the EU GDPR?

If you offer goods or services to EU customers or monitor their behaviour, EU GDPR applies in parallel with UK GDPR. The two are similar but not identical; the most material difference is the requirement to appoint an EU representative if you are non-EU and offering goods to EU residents.

How long should I keep customer data?

For accounting purposes: 6 years under HMRC requirements (limited companies) or 5 years (sole traders). For marketing purposes: until consent is withdrawn or 24 months of inactivity, whichever sooner. For specific regulated sectors (legal, medical, financial) the retention periods are longer and prescribed by the regulator.

Do I need a Data Protection Officer?

Only if you process special-category personal data on a large scale, or you are a public authority, or your core activities involve large-scale systematic monitoring. For most UK SMB sites, no — but having a named privacy contact who handles DSARs and breach notifications is still the right operational practice.

About this guide

How we wrote this guide.

This guide on UK website compliance 2026 was drafted by a senior member of the Same Day Website Launch editorial team — engineers and strategists who ship commercial UK websites every week. Every numerical claim that could be verified is cited to a primary source: the ICO’s published fee schedule, Google’s developer documentation, the platform’s public price page, the original peer-reviewed study, the regulator’s announcement. Where the guide makes claims from our own client data (response rates, conversion lift, build timelines), the data source is named explicitly. Where the guide offers an opinion, it is marked as opinion.

The guide is reviewed by a second member of the team before publication, fact-checked against the cited sources, and dated. When the underlying facts change — a price moves, a regulation updates, a Google algorithm shifts — we update the guide in place, add a dated correction note at the foot, and refresh the modifiedTime in the schema. Guides that have not been touched in 12 months carry a visible “last reviewed” date so the reader can judge currency.

Editorial corrections are welcome at hello@samedaywebsitelaunch.com with the subject line “Editorial correction” — we respond within five working days, update the guide with a dated correction note, and refresh the schema. The intention behind this guide and every guide in the library is the same: produce the resource a UK SMB owner can use to make a defensible decision on the topic without paying for a consultant first.

