
Why you need a privacy notice

A privacy notice (sometimes called a privacy policy) tells people what you do with their personal data. Under UK GDPR, providing this information is a legal requirement, not optional.

You need a privacy notice if you process any personal data. This includes collecting customer names and email addresses, keeping employee records, using CCTV, running a website that uses cookies, or maintaining marketing lists. If you handle information that identifies or could identify a living person, you must tell them how you use it.

You may need more than one privacy notice. For example, a customer-facing notice on your website, a separate notice for employees, and another for job applicants. Each should cover the specific processing relevant to that audience.

Failing to provide adequate privacy information is a breach of the transparency principle, which falls under the higher penalty tier.

What your privacy notice must include

UK GDPR Articles 13 and 14 set out the specific information you must provide. The requirements differ slightly depending on whether you collect data directly from the individual or obtain it from another source.

Your privacy notice must also explain the lawful basis you rely on for each type of processing. You cannot process personal data without a valid lawful basis.

Step by step: writing your privacy notice

Work through these steps to build a privacy notice that covers all mandatory content. You can use the ICO's free privacy notice generator (linked below) as a starting point, but you will still need to tailor it to your specific processing activities.

  1. Map your data processing activities

    Before you can write a privacy notice, you need to know what personal data you collect, why you collect it, what you do with it, and who you share it with. List every type of personal data you hold (customer details, employee records, website analytics, CCTV footage) and the purpose for each.

  2. Identify the lawful basis for each purpose

    For each processing purpose you identified, determine which lawful basis applies. Be specific. For example, you might process customer data to fulfil a contract, employee data under a legal obligation, and marketing data based on consent or legitimate interests. Document your reasoning.

  3. Draft the notice in plain language

    Write your notice using everyday words. Say "we share your data with" not "we disclose personal data to third-party processors". Keep sentences short (aim for 15-20 words). Use active voice. If someone without legal training cannot understand your notice, rewrite it.

  4. Include all mandatory information

    Work through the Article 13 checklist above. For each required item, add a clear section to your notice. Do not skip any item. Be specific about retention periods (say "7 years for financial records" not "as long as necessary") and about data sharing (name organisations or describe categories clearly).

  5. Add information about individual rights

    Explain what rights people have over their data and how they can exercise them. Provide a contact method (email address, online form, or postal address) and state your response timeframe. Under UK GDPR, you must respond to most rights requests within one calendar month.

  6. State how to complain to the ICO

    Include a statement that individuals have the right to lodge a complaint with the Information Commissioner's Office, and provide the ICO contact details: ico.org.uk, 0303 123 1113, or by post to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.

  7. Make the notice accessible

    Publish your notice where people can easily find it. For websites, link to it from every page (usually in the footer) and from every data collection form. For employees, provide it as part of onboarding. For customers, include a link at the point of data collection.

  8. Test and review

    Ask someone unfamiliar with your business to read the notice. Can they explain what data you collect, why, and what you do with it? If not, simplify further. Have your notice reviewed against the Article 13 checklist to confirm nothing is missing.

Using a layered approach

If your data processing is complex, a single long notice can overwhelm readers. The ICO recommends a layered approach that gives people key information upfront with the option to read more.

First layer: A short summary at the point of data collection. Include your identity, why you are collecting data, and a link to the full notice. This works well for online forms, sign-up pages, and customer-facing touchpoints.

Second layer: Your complete privacy notice with all mandatory content from Articles 13 and 14. This is the main document linked from the first layer.

Third layer (optional): Detailed supplementary information for specific processing activities, such as a separate cookies policy, a CCTV privacy notice, or a recruitment privacy notice.

Layered notices help you meet the UK GDPR requirement that information be provided in a concise, transparent, intelligible and easily accessible form.

When to update your privacy notice

Your privacy notice must accurately reflect your current processing activities. Review and update it whenever you:

  • start collecting new types of personal data
  • use existing data for a new purpose
  • begin sharing data with new organisations
  • change how long you keep data
  • adopt new technology that processes personal data
  • change your lawful basis for any processing activity

Version control: Date your privacy notice and keep copies of previous versions. If someone queries how their data was handled two years ago, you need to show what your notice said at that time.

Informing people of changes: If you make significant changes to your processing, take reasonable steps to inform individuals. This might mean sending an email to existing customers or displaying a banner on your website highlighting the changes.

Common mistakes to avoid

  1. Vague or missing retention periods

    Do not say 'we keep data as long as necessary'. The ICO expects specific timeframes for each type of data. For example: '6 years for contract records', '2 years after your last purchase for marketing data', '6 months for recruitment data if unsuccessful'.

  2. Generic data sharing statements

    Do not say 'we may share your data with partners'. Name specific organisations where possible, or describe categories clearly. For example: 'We share your delivery address with Royal Mail and DPD to fulfil your order'.

  3. No lawful basis stated

    Each processing purpose must have a stated lawful basis. Do not just say 'we process your data lawfully'. State which of the six lawful bases applies to each specific purpose.

  4. Copying another organisation's notice

    Your privacy notice must reflect your processing activities, not someone else's. A template can be a useful starting point, but you must customise every section to match what your business actually does.

  5. Relying on consent when you mean legitimate interests

    If you ask people to tick a box to 'agree' to your privacy notice, that is not consent for processing. Consent must be freely given, specific, informed, and unambiguous. If processing would happen regardless of whether someone ticks a box, consent is not your lawful basis.

  6. Forgetting Article 14 for indirect data

    If you obtain personal data from a source other than the individual (such as a lead generation company, a publicly available register, or a referral), you must also tell people the source of their data and the categories of data obtained. Provide this within one month.

Penalties for non-compliance

Failing to provide adequate privacy information is a breach of the UK GDPR transparency principle. This falls under the higher penalty tier: up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.

In practice, the ICO is more likely to take action where a privacy notice is absent altogether, materially misleading, or where the organisation has ignored previous warnings. A good-faith effort to comply, even if imperfect, significantly reduces enforcement risk.