Checklist · 5 min read · 5 June 2026

GDPR compliance checklist for small business websites (UK & EU 2026)

The quick version

Most small business websites need:

  • ✓ A privacy policy (what data you collect and why)
  • ✓ A cookie policy (what cookies you set and why)
  • ✓ A cookie consent banner (for non-essential cookies)
  • ✓ Terms and conditions (if you sell anything or have user accounts)
  • ✓ A way for users to exercise their rights (email address for requests is fine)

If you use AI tools with customer data, you also need:

  • ✓ An AI disclosure

The full checklist

Privacy Policy

  • Published and linked from your footer
  • Names the data controller (you / your company, with address)
  • Lists what personal data you collect
  • States the lawful basis for each type of processing
  • Names third-party processors (hosting, analytics, payment providers)
  • Covers international transfers (if any processors are outside UK/EEA)
  • States how long you keep data
  • Explains how users can exercise their rights
  • Includes ICO complaint route (UK) or supervisory authority (EU)
  • Has a last updated date

Cookie Policy

  • Published and linked from footer and cookie banner
  • Lists all cookies by category (essential, analytics, marketing)
  • Names third-party cookies (Google Analytics, Meta Pixel etc.)
  • Explains how to withdraw consent
  • States cookie duration

Cookie Banner

  • Appears on first visit
  • Offers genuine accept/reject choice
  • Does not use dark patterns (reject must be as easy as accept)
  • Blocks non-essential cookies until consent is given
  • Allows users to change their preference later
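As an added illustration of the banner requirements above (not code from Flagged or from this page), here is a small, DOM-free consent model: nothing non-essential loads until an explicit choice is stored, rejecting is one call just like accepting, and a missing or malformed consent cookie counts as no consent. The cookie name, the category names and the JSON layout are assumptions.

```javascript
// Added example: consent state behind a cookie banner (assumed design, not Flagged's code).
// Categories follow the checklist: essential (always allowed), analytics, marketing.
const CATEGORIES = ["essential", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // assumed cookie name

// State before the visitor has chosen: banner shown, only essential cookies permitted.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Read the stored choice from a Cookie header string.
// Missing or malformed values fall back to "no consent" rather than to "accepted".
function parseConsent(cookieHeader) {
  const entry = (cookieHeader || "")
    .split(/;\s*/)
    .find((c) => c.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return defaultConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    return { decided: true, analytics: stored.analytics === true, marketing: stored.marketing === true };
  } catch {
    return defaultConsent();
  }
}

// Accept and reject are symmetric single actions, so "reject" is as easy as "accept".
function acceptAll() { return { decided: true, analytics: true, marketing: true }; }
function rejectAll() { return { decided: true, analytics: false, marketing: false }; }

// Gate used before loading any script or setting any cookie in a category.
function mayLoad(category, consent) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "essential") return true;
  return consent.decided && consent[category] === true;
}

// Build the Set-Cookie value that records the choice; the user can overwrite it later
// from a "cookie settings" link, which satisfies "allows users to change their preference".
function serializeConsent(consent, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify({ analytics: consent.analytics, marketing: consent.marketing }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// The banner is shown only while no decision has been recorded.
function shouldShowBanner(consent) { return !consent.decided; }
```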

Terms & Conditions

  • Describes your service clearly
  • Covers refund policy
  • States governing law
  • For UK/EU users: includes 14-day cancellation right for digital services
  • Limits your liability appropriately

Data Subject Rights

  • You have a way to receive rights requests (email address published)
  • You can respond within 30 days
  • You know how to handle: access requests, deletion requests, portability requests

AI Tools (if applicable)

  • Privacy policy mentions AI processing
  • AI disclosure published
  • Chatbot users told they're talking to an AI
  • Lawful basis documented for AI processing

How to check your current score

Scan your website with Flagged to see which of these you're missing — free, no account needed, results in 30 seconds.
