Since Brexit, the UK operates under UK GDPR — a version of the EU GDPR that applies to any business collecting personal data from UK residents. If your website has a contact form, analytics, email newsletter signup, or any login functionality, UK GDPR applies to you.
This guide explains what it means practically, what your website needs, and what your developer should be implementing.
Who This Affects
UK GDPR applies to any organisation that processes personal data of UK residents — regardless of where the organisation or its IT provider is based. If you have a UK business website collecting data from UK visitors, it applies to you.
What Is "Personal Data" on a Website?
- Names and email addresses from contact forms
- IP addresses (collected by analytics tools)
- Login credentials and user accounts
- Purchase history and billing information
- Cookie identifiers used for tracking
- Newsletter subscriber data
If your website collects any of these, you process personal data and UK GDPR applies.
The 6 Key Requirements for Your Website
1. Privacy Policy
Every website that collects personal data needs a privacy policy (the ICO calls it a privacy notice) that clearly explains: what data you collect, why you collect it and on which lawful basis, how long you keep it, who you share it with (including third-party tools such as your email platform or analytics provider), and how users can exercise their rights, including asking for their data to be deleted. It must be written in plain English, not legal jargon.
Developer responsibility: Ensure every form links to the privacy policy. The privacy policy page must be accessible from the footer of every page.
2. Cookie Consent
The cookie rule itself comes from PECR (the Privacy and Electronic Communications Regulations); UK GDPR sets the standard for what counts as consent. You must obtain consent before setting non-essential cookies or similar identifiers (analytics, advertising, tracking). A notice that just says "We use cookies" with only an OK button does not comply, and neither do pre-ticked boxes or consent implied by scrolling. Users must be able to accept or reject each category separately, rejecting must be as easy as accepting, and they must be able to change their mind later.
Developer responsibility: Implement a compliant consent management platform (CMP). Free options include Cookiebot (limited free tier) or a properly configured GDPR cookie banner plugin for WordPress. Whatever you use, verify it: open the browser's developer tools in a fresh session and confirm that no analytics or advertising cookies or requests appear before the visitor clicks accept.
3. Lawful Basis for Data Collection
You must have a valid lawful basis for each type of processing and state it in your privacy policy. For most small business websites: replying to a contact form enquiry rests on "legitimate interests" or "contract"; marketing emails need "consent" (the newsletter signup box must be unticked by default); for analytics, the cookie or identifier itself needs PECR consent, while the processing of the resulting data can rest on "consent" or, for cookieless privacy-friendly tools, "legitimate interests".
4. Data Retention Policy
You cannot keep personal data indefinitely. Define how long you keep contact form submissions (e.g., 24 months), order data (e.g., 7 years, because tax law requires it), and newsletter subscribers (until they unsubscribe plus 30 days; a minimal suppression entry so you do not email them again is usually kept). Document this in your privacy policy and implement it in practice: a scheduled job that deletes expired records, not a policy that exists only on paper. Remember that backups and server logs also hold personal data and need retention limits of their own.
5. Right to Erasure (Right to be Forgotten)
Users can request deletion of their data, and you must normally act within one month. Your website needs a clear mechanism for this, typically an email address in the privacy policy. The right is not absolute: records you are legally required to keep (such as order data still inside the tax retention period) stay, but the identifying fields in them can be removed. Your developer must ensure data can actually be deleted from your database and from every third-party tool that holds a copy (email platform, CRM).
6. Secure Data Transmission
All pages that collect personal data must be served over HTTPS, with HTTP redirected to HTTPS so a form never submits in the clear. Databases containing personal data must be access-controlled: no shared admin accounts, no database port open to the internet. Passwords must be stored as salted hashes from a slow password hashing function (bcrypt, scrypt or Argon2), never in plain text and never as a bare MD5 or SHA-1 digest. Your developer should already be doing all of these as standard practice.
Google Analytics and UK GDPR
Standard Google Analytics sets cookies to recognise returning visitors and processes visitors' IP addresses. The cookies need consent under PECR before they are set, and the resulting data needs a lawful basis under UK GDPR. Options:
- Get proper consent: Implement a cookie consent banner that blocks Analytics until consent is given. Google Analytics 4 has a consent mode that adjusts what the tag does based on consent status; in its basic mode the tag does not load until consent is given, while the advanced mode loads it and sends cookieless pings even when consent is denied, so check which one your setup uses.
- Switch to a privacy-friendly alternative: Plausible or Fathom Analytics set no cookies and do not store raw IP addresses, so the cookie consent rule does not apply to them and no banner is needed on their account. You still need a lawful basis (typically legitimate interests) and a line about them in your privacy policy.
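Whether you use a paid CMP or a WordPress plugin, the mechanism underneath the cookie consent requirement above and the "block Analytics until consent" option is the same: a gate that decides, per category, which scripts may be added to the page. As an added example (not the page's, NextCode's or any CMP's code), here it is in plain JavaScript. The cookie name and format, the SCRIPT_REGISTRY entries and the G-XXXXXXXXXX measurement ID are assumptions; the consent-mode keys passed to gtag are Google's real signal names. The decision logic runs under Node, and the browser wiring at the bottom only executes when a document exists.

```javascript
// Added example (not the page's or any CMP's code): a consent gate that keeps
// non-essential scripts off the page until the visitor opts in per category.
const COOKIE_NAME = "cookie_consent";             // assumed cookie name
const NON_ESSENTIAL = ["analytics", "marketing"]; // categories that need consent

// Starting state before any choice: nothing non-essential is allowed.
function defaultConsent() {
  return { decided: false, analytics: false, marketing: false };
}

// Reads the stored choice from a document.cookie-style string.
// Assumed format: cookie_consent=analytics:1|marketing:0
// Anything unknown or malformed is treated as "denied", never "granted".
function parseConsent(cookieString) {
  const state = defaultConsent();
  for (const part of (cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    state.decided = true;
    for (const pair of part.slice(eq + 1).trim().split("|")) {
      const [category, flag] = pair.split(":");
      if (NON_ESSENTIAL.includes(category)) state[category] = flag === "1";
    }
  }
  return state;
}

// Set-Cookie value: first-party, six-month lifetime so the question is asked again later.
// Storing the choice itself is a strictly necessary cookie and needs no consent.
function serializeConsent(state) {
  const body = NON_ESSENTIAL.map(c => `${c}:${state[c] ? 1 : 0}`).join("|");
  return `${COOKIE_NAME}=${body}; Max-Age=${180 * 24 * 3600}; Path=/; SameSite=Lax; Secure`;
}

// Maps our categories onto the GA4 consent mode signals (these keys are Google's).
function consentModePayload(state) {
  const g = allowed => (allowed ? "granted" : "denied");
  return {
    analytics_storage: g(state.analytics),
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
  };
}

// Assumed script registry; the GA measurement ID is a placeholder.
const SCRIPT_REGISTRY = [
  { src: "/js/site.js", category: "necessary" },
  { src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXXXXX", category: "analytics" },
  { src: "https://ads.example.invalid/pixel.js", category: "marketing" },
];

// Only "necessary" scripts load unconditionally; the rest need their category granted.
function scriptsAllowed(state, registry = SCRIPT_REGISTRY) {
  return registry
    .filter(s => s.category === "necessary" || state[s.category] === true)
    .map(s => s.src);
}

// Browser wiring; skipped when this file runs under Node.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); };
  const state = parseConsent(document.cookie);
  gtag("consent", "default", consentModePayload(defaultConsent())); // deny before anything loads
  if (state.decided) gtag("consent", "update", consentModePayload(state));
  for (const src of scriptsAllowed(state)) {
    const el = document.createElement("script");
    el.src = src;
    el.async = true;
    document.head.appendChild(el);
  }
  // Called by the banner's buttons, e.g. saveConsent({ analytics: true, marketing: false }).
  window.saveConsent = choices => {
    const next = { ...defaultConsent(), ...choices, decided: true };
    document.cookie = serializeConsent(next);
    gtag("consent", "update", consentModePayload(next));
    location.reload(); // simplest way to load the newly permitted scripts
  };
}
```

The important property is in scriptsAllowed and parseConsent: absence of a cookie, an unknown category or a garbled value all resolve to "denied", so a bug in the banner fails safe rather than silently loading the analytics tag. This is also what to check in the developer tools test mentioned under cookie consent: before saveConsent has ever run, only /js/site.js should appear in the network tab.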
What Your Sri Lanka Developer Needs to Know
A competent IT partner working on UK business websites should understand UK GDPR requirements and implement them proactively. Ask specifically:
- "Can you implement a compliant cookie consent banner?"
- "Are passwords in the database stored as hashed values?"
- "Does the contact form link to the privacy policy?"
- "How are form submissions stored and for how long?"
- "If a customer asks us to delete their data, what gets deleted, and from which systems?"
Related Reading
- WordPress Security Checklist — secure data handling is part of a secure site
- How to Hire a Web Developer from Overseas — ask the right compliance questions when hiring
Need a UK GDPR-Compliant Website?
NextCode Solutions builds and maintains websites for UK businesses with proper cookie consent, privacy policies, and data handling. We understand UK compliance requirements.
Get a Compliance Review