Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is A Company Privacy Policy (And Why It Matters)?
- When Do UK Businesses Need A Privacy Policy?
- What Should Your Company Privacy Policy Include?
- 1) Who You Are And How To Contact You
- 2) What Data You Collect
- 3) How You Collect It
- 4) Why You Use It (Purposes) And Your Lawful Basis
- 5) Who You Share It With
- 6) International Data Transfers
- 7) Data Retention Periods
- 8) Your Security Measures (High Level)
- 9) Individual Rights
- 10) Marketing Preferences And Cookies
- 11) Complaints
- 12) Updates To The Policy
- Key Takeaways
If your business collects any personal information - from website visitors, customers, employees or suppliers - you need a clear, compliant company privacy policy. It’s not just a box‑ticking exercise. The right policy helps you meet your legal duties, build trust and avoid costly mistakes.
In this guide, we’ll walk you through when you need a privacy policy, what it must cover under UK law, and a simple, step‑by‑step process to create and maintain one that actually works for your business.
What Is A Company Privacy Policy (And Why It Matters)?
A company privacy policy (often called a privacy notice) is a public statement that explains how your business collects, uses, discloses and protects personal data. It should be easy to find (for example, linked in your website footer), written in plain English and tailored to your real‑world data practices.
Under the UK GDPR and the Data Protection Act 2018, you must provide people with transparent information about your processing of their personal data. A well‑crafted privacy policy is the main way you deliver that transparency.
Getting this right matters because:
- It’s a legal requirement to inform people how you use their data, including your lawful basis, retention periods and rights.
- It reduces risk - unclear or inaccurate notices are a common cause of complaints and enforcement by the ICO.
- It builds trust with customers and partners, which can increase conversions and reduce friction in sales or procurement processes.
- It creates an internal reference point so your team handles data consistently and lawfully.
If you don’t have one yet (or you’re using a generic template), it’s worth getting a tailored Privacy Policy that reflects how your company actually operates.
When Do UK Businesses Need A Privacy Policy?
In practice, almost all UK businesses should have a company privacy policy. You’ll need one if you do any of the following:
- Run a website or app that collects personal data (e.g. contact forms, newsletter sign‑ups, analytics cookies).
- Sell products or services to consumers or businesses and store customer details (names, emails, addresses, payment references, support tickets).
- Market by email, SMS or phone (these activities are governed by PECR as well as UK GDPR).
- Use third‑party tools that process personal data on your behalf (e.g. CRM, email marketing, analytics, live chat, HR or payroll platforms).
- Employ people or work with contractors and collect HR‑related information.
Even if your business is small, the transparency obligations still apply. The depth of detail can be proportionate to your activities, but the core disclosures are mandatory wherever you process personal data.
Also note the difference between a customer‑facing privacy policy and internal documentation. Your privacy policy explains your processing to the individuals concerned, while your Record of Processing Activities, DPIAs, security policies and contracts with processors are internal compliance documents. Both sides matter.
What Should Your Company Privacy Policy Include?
The UK GDPR sets out specific information you must provide to individuals. In plain English, a robust company privacy policy typically covers the following:
1) Who You Are And How To Contact You
- Your legal entity name, registered address and contact details for privacy queries.
- Whether you are the “controller” and, if relevant, your UK‑based representative (for overseas businesses targeting the UK).
2) What Data You Collect
- Categories of personal data (e.g. identity, contact, usage, marketing preferences, payment references - not full card numbers if handled by a payment processor).
- Special category data (e.g. health) if applicable, and on what basis you process it.
3) How You Collect It
- Direct interactions (forms, checkout, support, events).
- Automated technologies (cookies, SDKs, analytics).
- Third‑party sources (marketing partners, public sources).
4) Why You Use It (Purposes) And Your Lawful Basis
For each processing purpose, state the lawful basis you rely on (e.g. contract, legal obligation, legitimate interests, consent). Be specific and consistent with your internal practices.
5) Who You Share It With
- Third‑party service providers (processors) such as cloud hosting, email platforms, analytics, payment services and logistics providers.
- Independent controllers, where relevant, and why you share data with them.
6) International Data Transfers
If you transfer personal data outside the UK (for example, using a US‑based SaaS tool), explain where data goes and the safeguards used (UK adequacy regulations, the ICO’s IDTA, or the UK Addendum to EU SCCs). Keep this section accurate - it’s a common gap.
7) Data Retention Periods
Explain how long you keep personal data and the criteria used to determine retention. This should align with your internal retention schedule and legal requirements. For more detail on setting realistic timelines, see guidance on data retention.
8) Your Security Measures (High Level)
Provide a concise overview of technical and organisational measures (encryption in transit, access controls, staff training, vendor due diligence) without revealing sensitive security details.
9) Individual Rights
Explain how people can exercise their UK GDPR rights (access, rectification, erasure, restriction, portability, objection, and rights related to automated decision‑making). Include the response timeframe and contact route.
10) Marketing Preferences And Cookies
Explain how you use personal data for direct marketing, the role of consent and soft opt‑in under PECR, and how people can opt out. Summarise your use of cookies and link to a separate, detailed Cookie Policy.
11) Complaints
Set out how to contact you with concerns and refer to the Information Commissioner’s Office (ICO) with a link and postal address.
12) Updates To The Policy
State how you’ll notify users of material changes and the date of the latest update for version control.
The key is accuracy. Your privacy policy must reflect how your business really handles data - not how you wish it did. Avoid copy‑pasting generic clauses that don’t match your tools and workflows.
Cookies, Marketing And Consent: Getting The Website Basics Right
Cookies and online tracking are where many SMEs fall foul of the rules. Two regimes apply: UK GDPR (lawfulness, transparency, rights) and the Privacy and Electronic Communications Regulations (PECR), which govern cookies and direct marketing. Here’s what to keep front of mind.
Cookie Consent
- Consent is needed before setting non‑essential cookies (e.g. analytics, advertising). That means no pre‑ticked boxes, and no dropping tags until the user accepts.
- Your banner should be clear, granular and balanced - avoid nudging with “accept all” only. Provide equally prominent “Reject All” and “Accept All” options and a “Manage Settings” link. Practical design tips are set out in this guide to cookie banners that comply.
- Make sure your cookie categories map to how scripts fire in your consent management platform (CMP), and that consent choices persist.
Alongside your banner, publish a detailed Cookie Policy listing cookie names, purposes, lifespans and providers, and link it from your privacy policy.
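The consent points above (no pre‑ticked boxes, equal "Reject All" and "Accept All", tag categories that match how scripts actually fire, choices that persist and are auditable) can be checked in code. The following is an added example written for this article, not Sprintlaw's or any CMP vendor's code: a minimal consent gate in JavaScript. The category names, the tag registry, the storage key and the policy version stamp are all constructed for illustration; storage is passed in as a plain key/value object so the example runs in Node, and in a browser you would pass `window.localStorage`.

```javascript
// Added example (not the article's own code): a minimal cookie consent gate.
// Non-essential categories default to OFF, "Accept All" and "Reject All" are
// symmetric operations, each tag declares exactly one category and fires only
// when that category has been consented to, and the choice is stored with a
// timestamp and policy version so there is an auditable record.

const CONSENT_KEY = "cookie_consent_v1";     // constructed storage key
const POLICY_VERSION = "2024-01";            // constructed placeholder version stamp

// "necessary" is always on; these are the categories that need consent.
const NON_ESSENTIAL = ["analytics", "advertising", "functional"];

// Constructed tag registry: every script is mapped to a single category.
const TAG_REGISTRY = [
  { id: "session-cookie",   category: "necessary" },
  { id: "web-analytics",    category: "analytics" },
  { id: "ad-pixel",         category: "advertising" },
  { id: "live-chat-widget", category: "functional" },
];

function defaultConsent() {
  // No pre-ticked boxes: every non-essential category starts as false.
  const categories = { necessary: true };
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return categories;
}

function makeRecord(categories, source) {
  return {
    categories,
    source, // "accept_all" | "reject_all" | "manage_settings"
    policyVersion: POLICY_VERSION,
    timestamp: new Date().toISOString(),
  };
}

function acceptAll() {
  const categories = defaultConsent();
  for (const c of NON_ESSENTIAL) categories[c] = true;
  return makeRecord(categories, "accept_all");
}

function rejectAll() {
  return makeRecord(defaultConsent(), "reject_all");
}

function manageSettings(choices = {}) {
  // Only known non-essential categories can be toggled; unknown keys are
  // ignored and "necessary" can never be switched off or on by the user.
  const categories = defaultConsent();
  for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
  return makeRecord(categories, "manage_settings");
}

function saveConsent(storage, record) {
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
}

function loadConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null; // no choice made yet
  try {
    const record = JSON.parse(raw);
    // A choice recorded under an older policy version is not reused; re-prompt.
    if (record.policyVersion !== POLICY_VERSION) return null;
    return record;
  } catch (e) {
    return null; // corrupt value: treat as no consent
  }
}

// Ids of the tags allowed to fire given the stored consent. Before any choice
// is made, or after a rejection, only "necessary" tags run.
function tagsAllowedToFire(storage, registry = TAG_REGISTRY) {
  const record = loadConsent(storage);
  const categories = record ? record.categories : defaultConsent();
  return registry
    .filter((tag) => categories[tag.category] === true)
    .map((tag) => tag.id);
}

// In-memory stand-in for window.localStorage so the example runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}
```

The useful check when reviewing a real site is the last function: if a tag can fire when `loadConsent` returns `null`, the banner is decorative and the cookie is being set before consent. Bumping `POLICY_VERSION` when the Cookie Policy changes forces a fresh choice rather than silently reusing an old one.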
Email And SMS Marketing
- For B2C email/SMS, you generally need opt‑in consent unless the “soft opt‑in” applies (existing customer, similar products/services, opt‑out offered at collection and in each message).
- For B2B outreach, PECR is more permissive for corporate subscribers, but UK GDPR still applies - you need a lawful basis (often legitimate interests) and must provide an easy opt‑out.
- Keep auditable records of consents and opt‑outs, and ensure your privacy policy explains your approach to marketing.
Working With Suppliers And Data Sharing Safely
Most businesses use third‑party software and service providers to deliver their products and manage operations. Under UK GDPR, you remain responsible for the personal data you control, even when suppliers process it for you.
Contracts With Processors
Whenever a supplier processes personal data on your behalf (for instance, an email platform, cloud host, CRM or payroll provider), you must have a compliant processing agreement in place. This is a legal requirement and should set out instructions, security, sub‑processing and audit rights. A tailored Data Processing Agreement helps you meet Articles 28/32 obligations and manage risk.
Sharing Data With Other Controllers
Sometimes you’ll share personal data with another organisation acting as an independent controller (for example, a partner that receives referrals). Where ongoing sharing occurs, a clear Data Sharing Agreement can allocate responsibilities (transparency, lawful bases, data minimisation, security and individual rights).
International Transfers And Due Diligence
- Map where your suppliers store and access data. If it leaves the UK, implement appropriate safeguards (e.g. IDTA/UK Addendum).
- Complete proportionate vendor due diligence and document your decisions.
- Reflect these realities in your privacy policy and internal records.
Breach Preparedness
Have a clear process for identifying, assessing and reporting personal data breaches, including when to notify the ICO and affected individuals. A practical Data Breach Response Plan helps your team act quickly and consistently if something goes wrong.
Step‑By‑Step: Create And Maintain A Compliant Privacy Policy
Creating a compliant, useful company privacy policy is easier when you follow a structured process. Here’s a practical workflow you can adapt to your business.
Step 1: Map Your Data Flows
- List the personal data you collect, the purpose, lawful basis, where it’s stored, who can access it and how long you keep it.
- Identify special category data and children’s data (if any) and apply enhanced safeguards.
- Note all suppliers, where they are located and whether data leaves the UK.
This exercise feeds your privacy policy text and your internal Record of Processing Activities (ROPA).
Step 2: Draft (Or Refresh) Your Privacy Policy
- Cover the mandatory disclosures listed above - particularly purposes, lawful bases, recipients, transfers, retention, rights and contact details.
- Keep it concise and readable. Avoid legalese. Use headings and short paragraphs for clarity.
- Tailor content to your actual tools and processes. If you change technology, update the policy.
It’s wise to have a lawyer review your draft - small gaps (like missing lawful bases or incorrect transfer language) are easy to fix early, but can cause headaches later.
Step 3: Align Your Website And Marketing
- Publish the policy in your footer and at relevant data collection points (forms, checkout flows).
- Implement a compliant cookie banner and ensure non‑essential scripts are blocked until consent is obtained, linking to your Cookie Policy.
- Ensure all marketing forms capture the right permissions and provide opt‑out options.
Step 4: Put The Right Contracts In Place
- Execute a Data Processing Agreement with each processor that handles personal data for you.
- Where you share personal data with other controllers, consider a Data Sharing Agreement.
- If transfers occur outside the UK, implement the correct transfer tools and reflect them in your transparency notices.
Step 5: Create Simple Operational Playbooks
- Subject access requests (SARs): Set up a workflow to verify identity, locate data, and respond within one month.
- Data retention: Maintain a schedule that aligns with your policy statements and legal requirements - revisit your data retention periods at least annually.
- Security and breaches: Train staff, implement access controls and document your Data Breach Response Plan.
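The retention point in Step 5 is easiest to keep honest when the written schedule is something a job can actually run against your records. The following is an added example written for this article, not Sprintlaw's code or any product's: a retention review in JavaScript that classifies records against a schedule. The schedule, the categories, the record set and the review date are all constructed for illustration; the periods are not legal advice on how long any category must be kept. It also surfaces two cases the paragraph implies but a naive purge would miss: records under a legal hold, and records in a category the schedule does not cover at all.

```javascript
// Added example (not the article's own code): turning a retention schedule
// into a review job. Everything below is constructed sample data.

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed schedule: category -> retention period in days and the stated
// reason, mirroring what the retention section of a privacy policy should say.
const RETENTION_SCHEDULE = {
  customer_account:  { days: 365 * 6, reason: "contract and tax records" },
  marketing_contact: { days: 365 * 2, reason: "legitimate interests; reset on opt-out or inactivity" },
  support_ticket:    { days: 365 * 3, reason: "service history and dispute handling" },
  job_applicant:     { days: 180,     reason: "recruitment decisions" },
};

// Constructed records. `lastActivity` is the date the retention clock starts.
const RECORDS = [
  { id: "acct-1001", category: "customer_account",  lastActivity: "2017-03-01", legalHold: false },
  { id: "acct-1002", category: "customer_account",  lastActivity: "2023-11-15", legalHold: false },
  { id: "mkt-2001",  category: "marketing_contact", lastActivity: "2021-06-30", legalHold: false },
  { id: "tkt-3001",  category: "support_ticket",    lastActivity: "2019-01-10", legalHold: true  },
  { id: "app-4001",  category: "job_applicant",     lastActivity: "2023-09-01", legalHold: false },
  { id: "misc-9001", category: "chat_transcript",   lastActivity: "2020-01-01", legalHold: false },
];

function daysBetween(fromIso, toDate) {
  return Math.floor((toDate.getTime() - new Date(fromIso).getTime()) / DAY_MS);
}

// Classifies each record as of `asOf` (a Date):
//   expired     - past its period and safe to delete or anonymise
//   retained    - still within its period
//   onHold      - past its period but frozen by a legal hold
//   unscheduled - category missing from the schedule; the policy cannot
//                 account for this data, so it is escalated rather than purged
function reviewRetention(records, schedule, asOf) {
  const result = { expired: [], retained: [], onHold: [], unscheduled: [] };
  for (const r of records) {
    const rule = schedule[r.category];
    if (!rule) { result.unscheduled.push(r.id); continue; }
    const age = daysBetween(r.lastActivity, asOf);
    if (age <= rule.days) { result.retained.push(r.id); continue; }
    if (r.legalHold) { result.onHold.push(r.id); continue; }
    result.expired.push(r.id);
  }
  return result;
}

// Runs the review against the sample data for a fixed, constructed review date.
function runReview(asOf = new Date("2024-06-01")) {
  return reviewRetention(RECORDS, RETENTION_SCHEDULE, asOf);
}
```

Running `runReview()` and acting only on the `expired` list, while reporting `unscheduled` and `onHold` to whoever owns the schedule, keeps the purge tied to the periods the policy actually states; an `unscheduled` category is exactly the kind of gap that produces vague retention wording in a notice.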
Step 6: Review And Update Regularly
- Set a review cadence (at least annually or when you change your tech stack or launch new products).
- Run quick DPIAs for higher‑risk changes (e.g. new tracking tech, AI tools, data matching) and update your policy accordingly.
- Track version history and date‑stamp your policy so readers know it’s current.
Common Mistakes To Avoid
- Publishing a policy that doesn’t match reality (e.g. claiming you don’t use cookies while analytics runs on every page).
- Omitting lawful bases or mixing consent and legitimate interests incorrectly.
- Ignoring international transfers in your notice where suppliers are overseas.
- Not linking your privacy policy where data is collected (forms, checkouts, sign‑ups).
- Using vague retention language without an internal schedule to back it up.
If this feels like a lot, don’t stress. You can start with the essentials, then build out your internal processes over time. The important thing is that your policy and your practices line up - that’s what regulators and customers look for.
Key Takeaways
- Most SMEs need a company privacy policy - it’s how you deliver the UK GDPR’s transparency requirements and set clear expectations with customers and staff.
- Your policy should cover who you are, what data you collect, why you use it (and lawful bases), who you share it with, international transfers, retention, security, rights, marketing and cookies.
- Make your website compliant by pairing your privacy policy with a clear consent banner and a dedicated Cookie Policy.
- Back up your policy with strong data protection operations: supplier contracts (a Data Processing Agreement and, where appropriate, a Data Sharing Agreement), security measures and an actionable Data Breach Response Plan.
- Document realistic data retention periods and keep them in sync with what your policy says.
- Review and update regularly - a policy that doesn’t match your current tech stack or practices can create more risk than having none at all.
If you’d like help drafting a company privacy policy that’s tailored to your business (and making sure your cookies, marketing and supplier contracts line up with it), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.