Every UK business that collects or uses personal data needs a privacy policy under the UK GDPR and the Data Protection Act 2018. Personal data doesn’t include commercial information, but if your customers are companies, the individuals behind those companies may still be providing you with personal data. This guide explains, in plain English, what to include in a privacy policy and why it matters.
Contents
- 1. Who you are and how to contact you
- 2. What personal data you collect
- 3. How you collect personal data
- 4. Why you use personal data (purposes)
- 5. Your lawful basis for using data
- 6. Who you share data with
- 7. International data transfers
- 8. How you keep data secure
- 9. How long you keep data
- 10. Cookies and online tracking
- 11. Marketing and communication preferences
- 12. People’s rights under the UK GDPR
- 13. Keeping your policy up to date
- Need help?
1. Who you are and how to contact you
Start with clear details about your business so people know who controls their data and how to reach you.
- Your legal/trading name and registered details.
- Contact details (email, address, phone).
- Contact details of your Data Protection Officer or privacy lead, if you have one.
- A note that individuals can complain to the Information Commissioner’s Office (ICO) if they’re unhappy.
2. What personal data you collect
Explain the types of data you collect. Common examples include:
- Identity data: name, title, date of birth, gender.
- Contact data: address, email, phone number.
- Financial/transaction data: payment details, purchases.
- Technical data: IP address, browser details, device information.
- Usage & profile data: how people use your website/services, preferences.
- Marketing preferences: what updates people have chosen to receive.
If you collect special category (sensitive) data (e.g. health information) or information about criminal offences, say so and explain your additional safeguards. Typically, this requires an Appropriate Policy Document (APD), which you can provide separately on your website if this data is collected through your website, or otherwise at the point you actually collect the data, for example when onboarding a customer through other methods. The compliance burden when collecting special category (sensitive) data can also require a Data Retention Policy and carrying out a Data Protection Impact Assessment (if the processing is likely to result in a high risk to the rights and freedoms of natural persons). For more information on our pricing in these areas, please see our page on Data Protection.
3. How you collect personal data
Be transparent about where data comes from:
- Directly from individuals (forms, emails, calls, purchases).
- Automated collection (cookies, analytics, website tracking).
- Third parties/public sources (service providers, subcontractors, social media, directories).
If you obtain data from elsewhere, identify the source and the categories of data you receive.
4. Why you use personal data (purposes)
State, in plain English, why you use personal data. Typical purposes include:
- Providing products or services and managing customer relationships.
- Processing payments and keeping records.
- Sending marketing communications (with consent, or otherwise because the individual has bought or expressed an interest in similar products or services).
- Improving your website, products and services.
- Security, fraud prevention and troubleshooting.
If you later need to use data for a new purpose, you must tell people before you start.
5. Your lawful basis for using data
Every use of personal data must rely on at least one lawful basis under the UK GDPR:
- Contract – to provide a product or service someone requested.
- Legal obligation – to comply with the law (e.g. tax and crime prevention).
- Legitimate interests – a reasonable, expected use that doesn’t override people’s rights (explain the specific interest).
- Consent – a clear opt-in for a specific purpose (e.g. email marketing).
- Vital interests – to protect someone’s life (rare).
If you rely on legitimate interests, state what they are (e.g. improving customer service, preventing fraud). If you rely on consent, explain that it’s easy to withdraw.
6. Who you share data with
Be open about who you share data with and why, for example:
- IT, hosting, payment and marketing service providers (acting on your instructions).
- Professional advisers (e.g. accountants, insurers, lawyers).
- Regulators and authorities (e.g. HMRC, ICO) when legally required.
- Other parties in the event of a sale, merger or restructuring.
Confirm that third parties must keep data secure and only use it as instructed.
7. International data transfers
If personal data leaves the UK (for example, via cloud hosting or overseas tools), say where it goes and which safeguards you use, such as:
- Transfers to countries with an adequacy decision; or
- UK International Data Transfer Addendum / Standard Contractual Clauses and other recognised safeguards.
8. How you keep data secure
Outline the steps you take to protect data, such as:
- Encryption, secure servers and access controls.
- Staff confidentiality and training.
- Backups, monitoring and testing.
- Breach response procedures (including notifying affected people and the ICO where required).
9. How long you keep data
Explain your retention approach in simple terms.
When data is no longer needed, it should be deleted or anonymised. You may want to consider a Data Retention Policy, especially if you collect any special category (sensitive) data.
10. Cookies and online tracking
If you use cookies or similar technologies, say which types you use and why (e.g. necessary, performance/analytics, functionality, advertising), and how users can manage them via their browser. If you have a separate cookie policy, link to it.
11. Marketing and communication preferences
- Obtain opt-in consent before sending marketing emails or texts.
- Make unsubscribing simple and immediate.
- Clarify that opting out of marketing won’t affect essential service communications.
Note: Individuals have a specific right to object to direct marketing at any time.
12. People’s rights under the UK GDPR
Summarise the rights individuals have and how to use them:
- Access their data (subject access).
- Correct inaccurate data.
- Request deletion.
- Object to processing (including direct marketing).
- Restrict processing.
- Data portability.
- Withdraw consent at any time (where consent is the basis).
Explain how to contact you to exercise these rights and confirm you normally respond within one month. Include the ICO’s details for complaints.
13. Keeping your policy up to date
Review your privacy policy regularly to reflect changes in your business or the law, and show a clear “last updated” date.
Need help creating or updating your privacy policy?
A well-written privacy policy protects your business and shows customers you take data protection seriously. If you’d like a policy that’s legally compliant, tailored to your operations and easy to understand, we can help.
If you’re concerned about your compliance with data protection laws, get in touch or check out our fixed price options for Data Protection.
This article is for general information only and is not legal advice.
