If your business website runs on WordPress, there is a good chance it is collecting personal data right now. Contact forms, cookie tracking, email signups, and analytics tools all fall under UK GDPR. If your site is not set up to handle data correctly, you could be exposed to action from the ICO, regardless of how small your business is.
That does not mean you need to panic. Most of what GDPR requires for a WordPress site is straightforward once you know what to look for. This guide covers the essentials in plain English, so you can check your site is on the right side of UK data protection law.
What Does UK GDPR Mean for Your Website?
The UK General Data Protection Regulation (UK GDPR) came into effect after Brexit and mirrors the EU version closely. It applies to any UK business that collects or processes personal data. For your website, that covers virtually any page with a contact form, a cookie, a newsletter opt-in, or analytics tracking running in the background.
Personal data includes names, email addresses, phone numbers, and IP addresses. Any information that can identify an individual counts. Most standard business websites collect several of these without the site owner realising it. So unless your site is completely static with no forms, no tracking, and no third-party scripts, UK GDPR applies to you.
GDPR and PECR: Two Regulations, Not One
This is a detail many guides skip over. UK businesses must comply with two separate sets of rules: UK GDPR and PECR, the Privacy and Electronic Communications Regulations.
PECR deals specifically with electronic marketing and cookies. UK GDPR requires a lawful basis for processing personal data. PECR goes further and requires explicit, informed consent before you can set non-essential cookies on someone’s device. That includes analytics cookies such as Google Analytics, not just advertising trackers.
This distinction matters because “by using this site you agree to cookies” buried in small print somewhere does not meet the PECR standard. Your cookie banner must give visitors a real choice, and non-essential cookies must be blocked until they actively consent.
What Your WordPress Website Must Have
Here is what UK GDPR compliance looks like in practice for a typical WordPress business site.
1. A Proper Privacy Policy
Your site needs a clear privacy policy explaining what data you collect, why you collect it, how long you keep it, and who you share it with. WordPress has a built-in privacy policy generator under Settings > Privacy that gives you a useful starting point. You will need to customise it to cover your actual setup, including every plugin and third-party service you use.
2. A Cookie Consent Banner That Works
Your cookie banner must give visitors a genuine choice. Non-essential cookies must be blocked until someone actively gives consent. An “accept all” button is fine, but you must also offer a “reject all” or “manage preferences” option alongside it.
Pre-ticked boxes or banners that only inform visitors without offering a real choice do not meet the standard under PECR. A dedicated cookie consent plugin is the most practical way to handle this on most WordPress sites.
3. Opt-In Checkboxes on Forms
If you have a contact form, booking form, or newsletter signup, any marketing consent checkbox must be unchecked by default. Visitors must tick it themselves to give consent. Burying agreement in your terms of service does not count under UK GDPR.
4. Data Processing Agreements with Third Parties
Every plugin or service that processes personal data on your behalf is classed as a “data processor.” You need a Data Processing Agreement (DPA) in place with each one. Most major tools, such as Mailchimp, Google Analytics, and Stripe, provide standard DPAs. You need to formally accept them rather than assume they are automatic. This is usually done through your account settings on each platform.
5. An SSL Certificate
An SSL certificate encrypts data sent through your site. Without one, information submitted via your forms can be intercepted in transit. It is also a baseline expectation from users and search engines alike. If your site still shows “http://” rather than “https://,” fix this before anything else.
6. Controlled Access to Your WordPress Admin
Data protection includes access controls. Staff who do not need admin-level access to your WordPress dashboard should not have it. Review your user list regularly and remove accounts belonging to former employees, past agencies, or developers who no longer work with you.
What the ICO Can Do If You Do Not Comply
The ICO issued 28 monetary penalty notices in 2025, the highest annual total since UK GDPR came into force. Maximum fines can reach £17.5 million or 4% of your total worldwide annual turnover, whichever is higher.
That said, the ICO takes a proportionate approach with small businesses. A first-time failure that you identify and fix quickly is more likely to result in guidance or a warning than an immediate fine. What the ICO does pursue is systemic failure: businesses that know they have compliance gaps and choose not to address them.
Running a WordPress site that has not been updated in months, with plugins known to have vulnerabilities and no privacy policy in place, is a hard position to defend if a data breach occurs and a complaint is made.
Data Breaches and Your Legal Obligations
A data breach on your WordPress site is not just a technical headache. If personal data is exposed, you may have a legal obligation to report it to the ICO within 72 hours of becoming aware of it. Failing to report a reportable breach can be treated as a separate infringement on top of the original incident.
Keeping WordPress, your theme, and all plugins updated reduces this risk considerably. The majority of WordPress vulnerabilities that lead to breaches come from outdated, unpatched plugins. A managed WordPress support service handles those updates for you and monitors your site for unusual activity, so problems are caught before they become breaches.
If your site has already been compromised, our WordPress malware removal service can help you recover quickly, remove injected code, and restore your site to a clean state.
Compliance Is Not a One-Off Task
This is the part most businesses miss. Passing a GDPR review in January does not mean you are still compliant in November. New plugins, new forms, new marketing integrations, and changes to how you work with customers can all introduce new data processing activities that your privacy policy does not yet cover.
Every time you add something to your site that handles personal data, check two things: does your privacy policy reflect it, and do you have a DPA with the new provider? It takes minutes when you are setting things up and far longer to untangle after the fact.
A WordPress care plan covers regular site maintenance, security updates, and backups. Pairing that with periodic reviews of your data processing activities is a sensible approach for most UK small and medium-sized businesses. Our website maintenance services are designed to keep your site secure, up to date, and working properly throughout the year.
Frequently Asked Questions
Does GDPR apply to my WordPress website if I do not sell anything online?
Yes. If your site has a contact form, analytics tracking, or a newsletter signup, you are collecting personal data and UK GDPR applies. The regulation is not limited to e-commerce. Any website that processes information about identifiable individuals is within scope.
Do I need a cookie consent banner on my WordPress site?
Yes. Under PECR, you must get explicit, informed consent before placing non-essential cookies on a visitor’s device. A banner that only informs visitors without offering a genuine accept or reject option does not meet the standard. A dedicated cookie consent plugin is the most practical solution for most WordPress sites.
What counts as a data breach on a WordPress website?
A data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, or disclosure of personal data. Examples include a hacked site that exposed contact form submissions, a plugin vulnerability that leaked customer email addresses, or an admin account taken over by an attacker.
Do I need a Data Processing Agreement with every WordPress plugin I use?
You need one with any plugin or service that processes personal data on your behalf. This covers email marketing tools, analytics platforms, payment processors, and live chat systems. Most reputable services offer a standard DPA. You need to formally accept it, usually through your account settings or service agreement.
Can the ICO fine a small UK business for GDPR non-compliance?
Yes, though the ICO applies a proportionate approach. Small businesses that make genuine efforts to comply and respond quickly to problems are treated more leniently than those that ignore their obligations. If you know there are gaps on your site, addressing them now is always the better approach.
Making a Start
Getting your WordPress site GDPR-compliant does not require a legal team or a large budget. It requires knowing what data you collect, being clear about it in your privacy policy, giving visitors a genuine choice about cookies, and keeping your site maintained and secure.
If you would like support reviewing your WordPress site for data protection gaps, keeping it updated, or recovering from a security incident, our team is here to help. Browse our WordPress support services or get in touch for a free consultation today.
