
GDPR has been law since May 2018 and has now been in force for eight years. And yet, in my experience reviewing websites I've been asked to take over or improve, the majority still have meaningful compliance issues. That is not because their owners are careless, but because GDPR is genuinely more complex than it appears, and because a lot of the advice circulating online is wrong or incomplete. I want to be honest with you: I am not claiming that I can give you the whole picture here. I am not a lawyer, and nothing in this post should be taken as legal advice.

What I can offer is the perspective of a web developer who has spent years implementing GDPR-compliant solutions — understanding where technical implementation goes wrong, and what a genuinely compliant site looks like versus one that merely has a cookie banner. Because there is a very significant difference between those two things.

What GDPR governs on a website

The General Data Protection Regulation, retained in UK law as the UK GDPR after Brexit and applied alongside the Data Protection Act 2018, governs the collection, storage, processing and transfer of personal data. On a website, this applies to a surprisingly wide range of things:

  • Contact forms — any form collecting a name, email, phone number or any other information that could identify a person
  • Email newsletters and marketing lists — how you collect addresses, what consent you obtained, and how people can unsubscribe and be removed
  • Analytics tools — Google Analytics collects significant data about user behaviour; its cookies are not strictly necessary for the site to work, so they need consent before the script runs
  • Embedded third-party content — YouTube videos, Google Maps and social media share buttons set cookies and transfer data (including the visitor's IP address) to those third parties the moment the page loads, unless the embed is held back behind consent or a click-to-load placeholder
  • E-commerce and payment processing — customer order data, addresses, payment information
  • Live chat tools — many popular widgets capture conversation data on third-party servers
  • User accounts and login systems — any system storing credentials (hashed, never in plain text) and profile information

Data protection under GDPR rests on a set of key principles:

  • you must have a lawful basis for processing the data (for non-essential cookies and most marketing email, that basis is consent)
  • you must be transparent about what you collect and why, and use it only for those purposes
  • you must keep it accurate
  • you must keep it secure
  • you must not keep it longer than necessary
  • you must give people the ability to access, correct and delete their data
  • you must be able to demonstrate all of the above (accountability).

The cookie banner problem

Let me be direct: having a cookie banner does not mean you comply with GDPR. This is probably the most widespread misconception I encounter.

A compliant consent mechanism must give users a genuine choice. That means it must be as easy to reject all non-essential cookies as it is to accept them, and as easy to withdraw consent later as it was to give it. It must not use dark patterns: pre-ticked boxes, burying the 'reject' option behind multiple clicks, confusing language. And critically, non-essential cookies must not be set, and the scripts that set them must not run, until the user has actively consented. In the UK the requirement for prior consent to non-essential cookies comes from PECR (the Privacy and Electronic Communications Regulations), which uses the UK GDPR's definition of consent, so the ICO enforces the two together.

Many cookie banners I see on UK websites fail on all counts. The 'Accept All' button is large and prominent. 'Manage preferences' is buried three clicks deep. And the third-party scripts — Google Analytics, Facebook Pixel, marketing tools — are already running before the user has clicked anything.

The ICO has been increasingly active here. Its guidance is clear: 'Consent must be freely given, specific, informed and unambiguous.' Banners that manipulate users into clicking Accept don't meet that standard.

What a genuinely compliant website looks like

Privacy-respecting analytics

I use Matomo for this: an open-source analytics platform, hosted on my own server infrastructure rather than Google's. Matomo can be configured to set no cookies at all and to truncate IP addresses, at which point basic page-view analytics no longer depends on storing anything on the visitor's device and there is a reasonable argument that the cookie consent rule is not triggered. Two caveats: the setup has to be genuinely cookieless (the tracking cookies switched off in the tracker, not merely ignored), and the processing that remains still needs a lawful basis and a mention in your privacy policy. It also keeps all your data under your control, rather than on a US company's servers in ways that raise additional questions under UK GDPR's data transfer rules.

Proper consent management

A genuine consent management system that blocks all non-essential third-party scripts until the user has explicitly consented: not a banner that appears while everything loads in the background, but a system that actually enforces the choice. A quick check: open the site in a fresh private window, click nothing on the banner, and look at the network tab and the cookie store. If analytics or advertising requests have already gone out, or tracking cookies are already present, the banner is decorative.
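Here is what "actually enforces the choice" looks like in code. This is an added example written for this post, not the consent tool the author uses, and it assumes one markup convention that is not from the original: every non-essential tag is written as `<script type="text/plain" data-consent="analytics" src="...">`, so the browser parses it but never executes it. The cookie name `site_consent`, the category names and the 180-day re-prompt interval are also assumptions.

```javascript
// Consent-gated loading of third-party scripts (added example, not from the post).
// Assumed markup convention: every non-essential tag on the page is written as
//   <script type="text/plain" data-consent="analytics" src="https://example.invalid/tag.js"></script>
// A browser parses a script whose type is not a JavaScript MIME type but never runs it,
// so nothing non-essential executes until this code replaces the node after consent.

const CONSENT_COOKIE = 'site_consent';          // assumed cookie name
const CONSENT_VERSION = 1;                      // bump when categories or the policy change: old records become invalid
const CONSENT_TTL_DAYS = 180;                   // assumed re-prompt interval
const CATEGORIES = ['analytics', 'marketing'];  // non-essential categories that need consent

// Record an explicit choice. Any category not explicitly true is false, so the
// default for everything non-essential is "rejected", never "accepted".
function buildConsentRecord(choices, now = Date.now()) {
  const record = { v: CONSENT_VERSION, ts: now, choices: {} };
  for (const c of CATEGORIES) record.choices[c] = choices[c] === true;
  return record;
}

// "Reject all" is a record granting nothing; it must be as reachable as "accept all".
function rejectAll(now = Date.now()) {
  return buildConsentRecord({}, now);
}

// Parse a stored record. Malformed input, a record from an older policy version, or
// one older than the TTL all yield null: no consent, show the banner, load nothing.
function parseConsentRecord(raw, now = Date.now()) {
  if (typeof raw !== 'string' || raw === '') return null;
  let r;
  try { r = JSON.parse(raw); } catch { return null; }
  if (!r || r.v !== CONSENT_VERSION || typeof r.ts !== 'number' ||
      typeof r.choices !== 'object' || r.choices === null) return null;
  if (now - r.ts > CONSENT_TTL_DAYS * 86400 * 1000) return null;
  const record = { v: r.v, ts: r.ts, choices: {} };
  for (const c of CATEGORIES) record.choices[c] = r.choices[c] === true;
  return record;
}

// True only for an explicit grant; null/undefined records and unknown categories are "no".
function consentAllows(record, category) {
  return record != null && record.choices[category] === true;
}

// Decide which gated tags may run. Pure, so it can be tested without a DOM;
// each entry in `gated` only needs a `category` field.
function selectScriptsToActivate(record, gated) {
  return gated.filter((g) => consentAllows(record, g.category));
}

// The consent cookie records the user's choice so it can be honoured on later visits;
// a cookie used only for that purpose does not itself need prior consent.
function consentCookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${CONSENT_TTL_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Pull the consent cookie's value out of a document.cookie string.
function readConsentCookie(cookieHeader) {
  for (const part of String(cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === CONSENT_COOKIE) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// DOM side: swap each permitted placeholder for a real <script>. Inserting a newly
// created script element is what makes the browser fetch and execute it.
function activateGatedScripts(record, doc) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const allowed = selectScriptsToActivate(record, nodes.map((node) => ({ category: node.dataset.consent, node })));
  for (const { node } of allowed) {
    const s = doc.createElement('script');
    const src = node.getAttribute('src');
    if (src) s.src = src; else s.textContent = node.textContent;
    node.replaceWith(s);
  }
  return allowed.length;
}

// Called by the banner's buttons, e.g. recordChoice({ analytics: true }, document)
// for a partial accept or recordChoice({}, document) for reject-all.
function recordChoice(choices, doc) {
  const record = buildConsentRecord(choices);
  doc.cookie = consentCookieString(record);
  return activateGatedScripts(record, doc);
}

// On page load: activate only what a still-valid stored record allows. With no
// valid record nothing non-essential runs, and the banner should be shown.
if (typeof document !== 'undefined') {
  const stored = parseConsentRecord(readConsentCookie(document.cookie));
  if (stored) activateGatedScripts(stored, document);
}
```

The important design choice is that the default state is "nothing runs": a missing, malformed, expired or out-of-date record all collapse to the same outcome as an explicit reject, and the only way to get a tag executing is an explicit `true` for its category. Versioning the record means that adding a new category, or changing what a category covers, re-prompts existing visitors instead of silently treating old consent as covering the new processing.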

A real privacy policy

A privacy policy that actually describes what your site collects, from where, by whom, for how long, and what users' rights are — not a generic template with your company name substituted in.

Data subject rights implementation

Your website needs a clear mechanism by which users can exercise their rights under UK GDPR: to access their data, correct it, delete it, and object to its processing. In practice this means a clear contact route and documented internal processes for handling requests within the statutory timescale (one month, extendable by up to two further months for complex requests), including a sensible way of verifying that the person asking is who they say they are before any data is released to them.

Secure data handling

Form submissions and user data must be transmitted over HTTPS (with plain HTTP redirected and HSTS enabled), stored with access restricted to the people who need it, and not retained indefinitely. Many contact form plugins store every submission in the site database forever, and often email a plain-text copy as well. That is a storage limitation problem if no one ever reviews or clears old entries: decide on a retention period, purge on a schedule, and remember that database backups need to age out too.

The 'I'm just a small business' objection

I hear this regularly. But the ICO's enforcement data tells a different story. Smaller organisations have faced enforcement action and fines for exactly the kinds of issues described above. Beyond enforcement, a data breach, even a small one, can destroy client trust in a way that takes years to rebuild. The cost of getting this right in advance is far lower than dealing with the consequences afterwards.

The ICO also provides a free online accountability framework for small organisations that is genuinely useful and less intimidating than it sounds. It's a good place to start.

🔒 GDPR Review for Your Website

If you're not sure whether your current website is genuinely GDPR-compliant — not just 'has a cookie banner' compliant, but actually compliant — I'm happy to take a look. Free review covering the most common technical implementation issues, with practical recommendations in plain English. Get in touch: createweb.uk/contact