
Compliance · 7 min read

Is your care home website GDPR compliant? A plain-English checklist

Care providers handle some of the most sensitive personal information there is, so it's no surprise that data protection makes people nervous. The good news: making your website GDPR compliant is mostly common sense once you know what to look for. Here's a plain-English walk-through of what matters, and a checklist to run against your own site today.

A quick note: this is general guidance, not legal advice. For anything specific to your organisation, check with a data protection professional or the ICO.

First, know what your site actually collects

You can't protect data you haven't accounted for. Most care home websites collect more than the owner realises:

  • Enquiry and contact forms — names, emails, phone numbers, and often details about a prospective resident's health or circumstances.
  • Cookies and analytics — tools like Google Analytics set tracking cookies the moment someone lands, unless you only load them after the visitor has agreed.
  • Email signups for newsletters or updates.
  • Embedded tools — maps, chat widgets, booking systems — many of which quietly send data to third parties.

The checklist

Run your site against these. If you can't tick one, it's worth fixing.

  • A clear, current privacy policy that says what you collect, why, how long you keep it, and who you share it with.
  • A compliant cookie banner if you use non-essential cookies — consent before trackers load, not a banner that sets them anyway. Analytics cookies count as non-essential, and rejecting should be as easy as accepting.
  • Secure forms over HTTPS with a valid TLS certificate (still commonly called an SSL certificate), so data is encrypted in transit. Redirect plain http:// addresses to https:// as well, and remember that encryption in transit says nothing about where the submission ends up: an enquiry forwarded to a shared, unprotected inbox has only moved the problem.
  • Lawful basis and consent — forms that explain what happens to the information and don't pre-tick consent boxes. Health details about a prospective resident are special category data under UK GDPR and need an extra condition, usually explicit consent, so ask for them deliberately rather than inviting them in a free-text "anything else?" box.
  • Data minimisation — only ask for what you genuinely need.
  • A retention plan — enquiry data shouldn't sit in an inbox forever; decide how long you keep it and stick to it.
  • Care with third parties — know where embedded tools send data, and make sure your privacy policy covers them.
  • A route to exercise rights — a clear way for someone to ask what you hold or to have it deleted.
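A small offline check for several of the items above: form actions over plain HTTP, pre-ticked consent boxes, tracker scripts loaded unconditionally, third-party embeds, and a page with no link to a privacy policy. This is an added example for readers who want to check their own HTML, not the agency's checking tool. The tracker hostnames, the consent-related field names, the site hostname carehome.example and the sample page are all assumptions constructed for illustration.

```python
"""Offline checker for several checklist items.

Added example, not the agency's own checking tool. It scans one page of HTML
for a few things the checklist flags and returns a list of findings.
Limitation: a tracker injected by a consent manager only after the visitor
accepts never appears as a static <script src> and so is not flagged here;
a tracker that does appear statically loads for everyone, consent or not.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of tracker hosts for illustration; extend with what your site embeds.
TRACKER_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
}

# Field names that suggest a consent or marketing opt-in box (assumed heuristic).
CONSENT_WORDS = ("consent", "agree", "newsletter", "marketing", "optin", "opt-in")


class ChecklistParser(HTMLParser):
    """Collects findings while the standard-library parser walks the HTML."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self.saw_privacy_link = False
        self._in_link = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes such as `checked` map to None
        if tag == "form":
            action = a.get("action") or ""
            if action.lower().startswith("http://"):
                self.findings.append(f"form submits over plain HTTP: {action}")
        elif tag == "input" and (a.get("type") or "").lower() == "checkbox":
            name = (a.get("name") or a.get("id") or "").lower()
            if "checked" in a and any(w in name for w in CONSENT_WORDS):
                self.findings.append(f"pre-ticked consent box: {name}")
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host in TRACKER_HOSTS:
                self.findings.append(f"tracker loads before consent: {a['src']}")
        elif tag == "iframe" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.site_host:
                self.findings.append(f"third-party embed sends visitor data to {host}")
        elif tag == "a":
            self._in_link = True

    def handle_data(self, data):
        if self._in_link and "privacy" in data.lower():
            self.saw_privacy_link = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False


def check_html(html, site_host):
    """Return a list of plain-English findings for one page of HTML."""
    parser = ChecklistParser(site_host)
    parser.feed(html)
    parser.close()
    if not parser.saw_privacy_link:
        parser.findings.append("no link to a privacy policy found on this page")
    return parser.findings


# Constructed sample page (not a real site) with several checklist failures.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body>
<form action="http://carehome.example/enquiry" method="post">
  <input type="text" name="name">
  <textarea name="message"></textarea>
  <input type="checkbox" name="marketing_consent" checked> Send me updates
</form>
<iframe src="https://www.google.com/maps/embed?pb=abc"></iframe>
<form action="https://carehome.example/newsletter" method="post">
  <input type="email" name="email">
  <input type="checkbox" name="newsletter_optin"> Send me the newsletter
</form>
</body></html>"""

if __name__ == "__main__":
    for finding in check_html(SAMPLE_HTML, "carehome.example"):
        print("-", finding)
```

To use it on your own site, save a page's HTML (your browser's "view source" is enough) and pass it to check_html with your own hostname. It is deliberately simple: it reads only what is in the page as served, so a clean result means "nothing obvious", not "compliant".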

Why it matters beyond the law

Compliance isn't just about avoiding a fine. For a care provider, visibly handling data properly is a trust signal. A family deciding where to place a loved one notices a secure padlock, a clear privacy policy and a form that asks only what it needs. Sloppy data handling sends the opposite message about how you'd treat the person in your care.

Getting this right is part of how we build every care website — secure forms, proper consent and SSL as standard — and our care plans keep it that way with ongoing security and backups. If you're not sure where your site stands, we're happy to take a look.

Not sure if your site is compliant?

We'll run a free check of your forms, cookies and security and flag anything that needs attention.

Request a free check