Write a privacy notice that meets UK GDPR requirements

How to write a privacy notice that complies with UK GDPR. Covers required content, plain language requirements, when to provide it, and how to use layered notices for complex processing.

UK-wide
Guide summary

You must write a privacy notice explaining how you collect and use personal data. It must be clear and easy to understand. Include details like why you need the data, who you share it with, and how long you keep it. You must provide this notice when you collect data directly or within one month if you get it from another source.

  • Tell people what you do with their data in simple language
  • Include your business name and contact details
  • Explain why you need the data and your lawful basis
  • State who you share data with and if it goes outside the UK
  • Say how long you keep the data
  • Explain people's rights like access and erasure
  • Provide notice within one month if data comes from another source
  • Use layered notices for complex information
  • Update your notice if your data use changes
  • Failure to comply can lead to fines from the ICO
On this page
UK-wide

Related guides in Compliance & Legal

A privacy notice (also called a privacy policy) tells people how you collect and use their personal data. Under UK GDPR, you must provide this information clearly and accessibly.

Your privacy notice is not just a legal requirement. It builds trust with customers and employees by being transparent about what you do with their information.

Why you need a privacy notice

You need a privacy notice if you process personal data. This includes customer names, addresses, or contact details, employee records, website visitor data (including cookies), marketing lists, CCTV footage, and any information that identifies or could identify a living person.

Most businesses need at least one privacy notice. You may need separate notices for different audiences (customers, employees, website visitors).

UK GDPR requires you to be transparent about how you process personal data. This is one of the seven key data protection principles:

Transparency means telling people what you do with their data in a way they can understand. A privacy notice is the main way you fulfil this obligation.

Required content

UK GDPR Articles 13 and 14 specify what information you must include. The requirements differ slightly depending on whether you collect data directly from the person or from another source.

If you collect data directly from the person

You must tell them:

Your identity and contact details
Business name, registered address, and how to contact you about data protection matters
DPO contact details (if applicable)
If you have a Data Protection Officer, provide their contact details
Purposes of processing
Why you are collecting their data (be specific, not vague)
Lawful basis for processing
Which of the lawful bases applies to each purpose
Legitimate interests (if applicable)
If relying on legitimate interests, explain what those interests are
Recipients or categories of recipients
Who you share the data with (name specific organisations or describe categories clearly)
International transfers
If you transfer data outside the UK, where to and what safeguards apply
Retention period
How long you will keep the data (give specific timeframes, not just 'as long as necessary')
Individual rights
Their rights regarding their data (access, rectification, erasure, etc.)
Right to withdraw consent
If consent is your lawful basis, explain how to withdraw it
Right to complain to the ICO
Their right to lodge a complaint with the Information Commissioner's Office
Automated decision-making
If you make automated decisions about them (including profiling), explain the logic and consequences

If you get data from another source

When you obtain personal data from a third party (such as a lead generation company or public register), you must also tell people where you got their data from (name the source or type of source) and what categories of data you received.

You must provide this information within a reasonable period (no later than one month), or at the time of first communication if you use the data to contact them.

Lawful basis and individual rights

Your privacy notice must state which lawful basis applies to each type of processing. You cannot process personal data without a valid lawful basis.

Be specific in your notice: Do not just say you rely on 'legitimate interests' without explaining what those interests are. For example: "We process your purchase history for our legitimate interest in improving our product recommendations."

Special category data: If you process health data, religious beliefs, or other special category data, you need both a lawful basis AND an Article 9 condition. Explain both in your privacy notice.

Explaining individual rights

Your privacy notice must explain the rights individuals have over their personal data. Make clear how they can exercise these rights.

Make it actionable: Do not just list the rights. Tell people how to exercise them (email address, online form, postal address). State your response timeframe (one month for most requests).

How to write and present your notice

UK GDPR requires privacy information to be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Plain language tips

  1. 1

    Use everyday words

    Replace legal jargon with plain English. Say 'we share your data with' not 'we disclose personal data to third-party processors'.

  2. 2

    Keep sentences short

    Aim for 15-20 words per sentence. Break up complex information into bullet points.

  3. 3

    Use active voice

    Say 'we collect your name and email address' not 'personal data is collected by us'.

  4. 4

    Test with real users

    Ask someone unfamiliar with data protection to read your notice. If they cannot explain what you do with their data, rewrite it.

When to provide your notice

Provide privacy information at the time you collect data (before or at the point of collection). Link to your privacy notice on every online form. Make it accessible from every website page (usually in the footer). For data from third parties, provide information within one month or at first communication.

Layered notices

If your data processing is complex, use a layered approach:

  • First layer: Key information at the point of collection with a link to full details
  • Second layer: Complete privacy notice with all required information
  • Third layer: Additional detail for specific activities (e.g., separate cookies policy)

Maintaining your privacy notice

Your privacy notice must reflect your current processing activities. Review and update it when you start collecting new types of data, use data for new purposes, share data with new organisations, change retention periods, implement new technologies, or when the law changes.

Version control: Date your privacy notice and keep previous versions. If someone queries how you handled their data two years ago, you need to show what your notice said at that time.

Common mistakes to avoid

  1. 1

    Vague retention periods

    Do not say 'we keep data as long as necessary'. Give specific timeframes: '7 years for financial records', '2 years after your last purchase'.

  2. 2

    Unclear data sharing

    Do not say 'we may share your data with partners'. Name specific organisations or describe categories clearly.

  3. 3

    Missing lawful basis

    State which lawful basis applies to each processing purpose. Do not just say 'we process your data lawfully'.

  4. 4

    Copying another company's notice

    Your privacy notice must reflect YOUR processing. Generic templates need customising to your specific activities.

Tools and official guidance

The ICO provides a free privacy notice generator to help small organisations create a compliant notice. It asks questions about your processing activities and generates a customised notice. The tool is suitable for straightforward processing. If your data use is complex, you may need professional advice.

Official guidance