Guide
Write a privacy notice that meets UK GDPR requirements
How to write a privacy notice that complies with UK GDPR. Covers required content, plain language requirements, when to provide it, and how to use layered notices for complex processing.
A privacy notice (also called a privacy policy) tells people how you collect and use their personal data. Under UK GDPR, you must provide this information clearly and accessibly.
Your privacy notice is not just a legal requirement. It builds trust with customers and employees by being transparent about what you do with their information.
Why you need a privacy notice
You need a privacy notice if you process personal data. This includes customer names, addresses, or contact details, employee records, website visitor data (including cookies), marketing lists, CCTV footage, and any information that identifies or could identify a living person.
Most businesses need at least one privacy notice. You may need separate notices for different audiences (customers, employees, website visitors).
UK GDPR requires you to be transparent about how you process personal data. Transparency is part of the first of the seven data protection principles (lawfulness, fairness and transparency).
Transparency means telling people what you do with their data in a way they can understand. A privacy notice is the main way you fulfil this obligation.
Required content
UK GDPR Articles 13 and 14 specify what information you must include. The requirements differ slightly depending on whether you collect data directly from the person or from another source.
If you collect data directly from the person
You must tell them:
- Your identity and contact details: business name, registered address, and how to contact you about data protection matters
- DPO contact details (if applicable): if you have a Data Protection Officer, provide their contact details
- Purposes of processing: why you are collecting their data (be specific, not vague)
- Lawful basis for processing: which of the lawful bases applies to each purpose
- Legitimate interests (if applicable): if relying on legitimate interests, explain what those interests are
- Recipients or categories of recipients: who you share the data with (name specific organisations or describe categories clearly)
- International transfers: if you transfer data outside the UK, where to and what safeguards apply
- Retention period: how long you will keep the data (give specific timeframes, not just 'as long as necessary'), or if that is impossible, the criteria you use to decide
- Individual rights: their rights regarding their data (access, rectification, erasure, restriction, objection, portability)
- Right to withdraw consent: if consent is your lawful basis, explain that they can withdraw it at any time and how to do so
- Right to complain to the ICO: their right to lodge a complaint with the Information Commissioner's Office
- Whether providing the data is required: whether providing the data is a statutory or contractual requirement and what happens if they do not provide it
- Automated decision-making: if you make solely automated decisions about them (including profiling) with legal or similarly significant effects, explain the logic involved and the consequences for them
If you get data from another source
When you obtain personal data from a third party (such as a lead generation company or public register), you must also tell people where you got their data from (name the source or type of source) and what categories of data you received.
You must provide this information within a reasonable period of obtaining the data (no later than one month). If you use the data to contact the person, provide it at the latest when you first communicate with them; if you plan to disclose the data to another recipient, provide it before that first disclosure.
Lawful basis and individual rights
Your privacy notice must state which lawful basis applies to each type of processing. You cannot process personal data without a valid lawful basis.
Be specific in your notice: Do not just say you rely on 'legitimate interests' without explaining what those interests are. For example: "We process your purchase history for our legitimate interest in improving our product recommendations."
Special category data: If you process health data, religious beliefs, or other special category data, you need both a lawful basis AND an Article 9 condition. Explain both in your privacy notice.
Explaining individual rights
Your privacy notice must explain the rights individuals have over their personal data. Make clear how they can exercise these rights.
Make it actionable: Do not just list the rights. Tell people how to exercise them (email address, online form, postal address). State your response timeframe (one month for most requests, which you can extend by up to two further months for complex or numerous requests, provided you tell the person why within the first month).
How to write and present your notice
UK GDPR requires privacy information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Plain language tips
- Use everyday words: replace legal jargon with plain English. Say 'we share your data with' not 'we disclose personal data to third-party processors'.
- Keep sentences short: aim for 15-20 words per sentence. Break up complex information into bullet points.
- Use active voice: say 'we collect your name and email address' not 'personal data is collected by us'.
- Test with real users: ask someone unfamiliar with data protection to read your notice. If they cannot explain what you do with their data, rewrite it.
When to provide your notice
Provide privacy information at the time you collect data (before or at the point of collection). Link to your privacy notice on every online form. Make it accessible from every website page (usually in the footer). For data from third parties, provide information within one month or at first communication.
Layered notices
If your data processing is complex, use a layered approach:
- First layer: Key information at the point of collection (who you are, why you want the data, who you share it with) with a link to full details
- Second layer: Complete privacy notice with all required information
- Third layer: Additional detail for specific activities (e.g., separate cookies policy)
Layering changes how you present the information, not how much you must provide. All the required content must still be available, and the most important points belong in the first layer.
Maintaining your privacy notice
Your privacy notice must reflect your current processing activities. Review and update it when you start collecting new types of data, use data for new purposes, share data with new organisations, change retention periods, implement new technologies, or when the law changes.
Version control: Date your privacy notice and keep previous versions. If someone queries how you handled their data two years ago, you need to show what your notice said at that time.
Common mistakes to avoid
- Vague retention periods: do not say 'we keep data as long as necessary'. Give specific timeframes: '7 years for financial records', '2 years after your last purchase'.
- Unclear data sharing: do not say 'we may share your data with partners'. Name specific organisations or describe categories clearly.
- Missing lawful basis: state which lawful basis applies to each processing purpose. Do not just say 'we process your data lawfully'.
- Copying another company's notice: your privacy notice must reflect YOUR processing. Generic templates need customising to your specific activities.
Tools and official guidance
The ICO provides a free privacy notice generator to help small organisations create a compliant notice. It asks questions about your processing activities and generates a customised notice. The tool is suitable for straightforward processing. If your data use is complex, you may need professional advice.