Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, chances are you’re collecting personal data all the time - customer enquiries, online orders, email marketing sign-ups, employee details, supplier contacts, or even CCTV footage.
That’s where a privacy policy (or privacy notice) comes in.
But if you’re asking what a privacy policy is, you’re not alone. Many business owners assume it’s just a website footer link you add at the last minute. In reality, it’s one of the key documents that helps you comply with UK data protection law and build trust with customers.
Below, we’ll break down what a privacy policy is, when your UK business needs one (and what “need” means in practice), what it should include, and some common pitfalls to avoid.
What Is a Privacy Policy?
A privacy policy is a written notice that explains how your business collects, uses, stores, shares and protects personal data.
In plain English: it tells people what you do with their information.
Personal data is any information that can identify someone directly or indirectly, such as:
- Names, email addresses and phone numbers
- Delivery addresses and billing details
- Online identifiers like IP addresses and cookie IDs
- Customer account logins
- Photographs or video recordings where people can be identified
- HR data about staff (including sickness records, performance notes, payroll info)
A well-drafted privacy policy doesn’t just “look professional” - it helps you meet legal requirements under the UK GDPR and the Data Protection Act 2018.
It’s also one of the first things a customer (or a prospective business partner) may check before they:
- buy from your online shop
- submit an enquiry form
- book a service
- join your email list
- download your app
If your privacy policy is missing, outdated, or clearly generic, it can undermine trust fast - and it can create real compliance risk.
Does My UK Business Need a Privacy Policy?
In most cases, if you process personal data, you have a legal duty to give people clear privacy information (often through a privacy notice or privacy policy).
So while not every business needs a single “website privacy policy” in the same format, most businesses will need some form of privacy notice - and many will publish it as a privacy policy.
You will usually need a privacy policy/privacy notice if you collect or use personal data in any way - and that includes very common situations like:
- having a website contact form
- taking bookings and enquiries by email or phone
- selling products online and taking delivery details
- running email marketing campaigns
- having customer accounts or subscriptions
- using analytics tools that collect identifiers (like IP addresses)
- monitoring your premises with CCTV
- hiring staff or engaging contractors
Why The Law Pushes You To Be Transparent
Under UK GDPR, when you collect personal data, you generally need to provide people with certain information, including:
- who you are (your business identity and contact details)
- what personal data you collect
- why you’re collecting it (your purpose and lawful basis)
- who you share it with
- how long you keep it
- what rights people have over their data
A privacy policy is the most common way to deliver this information in a clear, consistent format.
It’s Not Just For Websites
Many people search “what is privacy policy” thinking it only applies to online businesses. But even if you don’t sell online, you may still need a privacy notice if you collect personal data in-person.
For example:
- A café collecting email addresses for a loyalty programme
- A trades business storing customer addresses and job photos on a phone
- A clinic collecting medical information for appointments
- A studio recording CCTV for security
If you’re putting formal documents in place, a properly tailored Privacy Policy is one of the key legal foundations that can help protect you from day one.
What Must a UK Privacy Policy Include?
There’s no single “one-size-fits-all” privacy policy, because what you include depends on what your business actually does with data.
That said, UK GDPR expects your privacy information to be clear, transparent, and easy to access. Practically, most UK business privacy policies include the points below.
1) Your Business Details (And How To Contact You)
You’ll typically include:
- your business name (and company number if relevant)
- registered office or trading address
- contact email address
- details for your data protection contact (if you have one)
2) What Personal Data You Collect
This should match reality. If you collect it, list it - for example:
- identity and contact details
- payment information (note: many businesses use third-party payment processors, so you may not store full card details yourself)
- order history and customer service interactions
- technical data (IP address, device details, usage data)
- marketing preferences
3) Why You Collect Data (And Your “Lawful Basis”)
UK GDPR requires you to have a lawful basis for processing personal data. Common lawful bases for small businesses include:
- Contract - you need data to provide the product/service the customer bought
- Legal obligation - you need data to meet legal requirements (for example, tax and accounting records)
- Legitimate interests - you have a genuine business reason, balanced against people’s privacy rights (for example, basic website security and fraud prevention)
- Consent - the person has actively agreed (common for certain marketing activities)
This is one area where generic templates often go wrong. If your policy claims you rely on “consent” for everything, but in practice you process orders because you have a contract with the customer, your document may be inaccurate.
4) Who You Share Personal Data With
Many businesses share data with suppliers and service providers, such as:
- website hosting providers
- email marketing platforms
- booking systems and CRM tools
- payment processors
- delivery companies
- professional advisers (accountants, solicitors)
You don’t always need to list every provider by name, but you should explain the categories clearly, and highlight any disclosures required by law.
5) International Data Transfers
If your suppliers store data outside the UK (or access it from outside the UK), you may be making an international transfer.
This is common, especially with cloud software tools. Your privacy policy should explain whether transfers occur and what safeguards you rely on (for example, UK-approved standard contractual clauses).
6) How Long You Keep Data (Retention)
Under UK GDPR, you shouldn’t keep personal data for longer than you need it.
A good privacy policy explains retention in a practical way, for example:
- customer order records retained for tax/accounting periods
- marketing records kept until someone unsubscribes
- enquiries kept for a reasonable period to manage follow-ups and disputes
7) People’s Rights Under UK GDPR
Your customers (and other individuals) have rights over their personal data, such as:
- the right to access their data
- the right to correct inaccurate data
- the right to delete data (in some situations)
- the right to object to certain processing
- the right to data portability (where applicable)
It’s also standard to explain how someone can complain to you and to the ICO (Information Commissioner’s Office).
8) Cookies And Similar Tracking
If your website uses cookies (and most do), your privacy policy often works alongside a separate cookie policy.
Cookies can also trigger obligations under the UK Privacy and Electronic Communications Regulations (PECR) - in particular, many non-essential cookies (like analytics and advertising cookies) require user consent.
Many businesses choose to use a dedicated Cookie Policy so cookie disclosures don’t get lost inside a longer privacy policy.
Where Should I Display My Privacy Policy (Website, Apps And Offline)?
Your privacy policy needs to be easy to find and available at the point you collect personal data.
For most small businesses, that means displaying it in a few key places.
On Your Website
Common placements include:
- in the website footer (so it appears on every page)
- linked next to contact forms and enquiry forms
- linked during checkout (especially if you collect payment and delivery details)
- referenced in account registration flows
If your website has other legal pages (like terms of use or sales terms), it’s worth keeping them consistent so customers can understand how everything fits together.
In Your App Or Platform
If you operate an app, SaaS product, or member portal, you should usually link your privacy policy:
- before sign-up
- within settings (so users can access it anytime)
- whenever you introduce new features involving data collection
For In-Person Collection
If you collect personal data face-to-face (for example, paper forms, sign-up sheets, events), you may need a “just in time” privacy notice - such as a short notice on the form that points to your full policy online, or a printed copy available on request.
This is especially important if you collect sensitive data (for example, health information) or if the person wouldn’t reasonably expect the collection.
If You Use CCTV Or Audio Recording
CCTV is a classic example where businesses collect personal data without thinking of it as “data collection”.
If your cameras capture identifiable individuals, that footage is personal data. You should:
- display clear signage
- explain your CCTV use in your privacy policy (purpose, retention, who can access it)
- be careful about adding audio, as this can increase compliance risk
It’s worth reading up on workplace and premises monitoring too - for example, the rules on CCTV, and on CCTV with audio, can catch businesses out if policies and notices aren’t aligned.
Common Privacy Policy Mistakes Small Businesses Make (And How To Avoid Them)
A privacy policy is one of those documents that’s easy to rush - but doing it properly can save you major headaches later.
Here are some common pitfalls we see when small businesses put this off or rely on a generic template.
1) Copying A Template That Doesn’t Match Your Business
If your policy says you “never share personal data with third parties” but you use a booking system, email marketing platform, and outsourced fulfilment, your policy is likely inaccurate.
Accuracy matters. Under UK GDPR, your notices should reflect what you actually do.
2) Forgetting About Marketing Rules (PECR)
Data protection compliance isn’t only about UK GDPR. If you send marketing emails or SMS, you may also need to comply with PECR - including rules around consent, opt-outs, and how you capture marketing preferences.
A privacy policy often references these practices, but you’ll also want your internal process (and wording on sign-up forms) to match.
3) Ignoring Cookies And Analytics
A big reason people search “what is a privacy policy” is that cookie banners and tracking tools make privacy feel more visible than it used to be.
If your website uses analytics or advertising cookies, make sure your cookie consent approach and your written policies work together.
4) Not Thinking About Staff Data
If you have employees (or you’re about to hire your first one), you’ll likely handle sensitive data like bank details, right to work documents, and absence records.
Depending on your setup, it can also be appropriate to provide a separate employee privacy notice for staff, alongside internal policies like an Acceptable Use Policy, so your team understands what they can and can’t do with personal data on work devices and systems.
5) Using New Tech Without Updating Your Privacy Disclosures
AI tools, chatbots, call recording, and screen monitoring software can all change the kind of data you collect - and the risk profile of your business.
Even something as simple as staff using AI to summarise customer emails can raise questions about confidentiality and data handling. If your business is adopting AI tools, it’s a good idea to review your privacy approach and confidentiality controls (including whether your data may be used to train models). Issues like these are discussed in AI confidentiality.
6) Treating A Privacy Policy As A “Set And Forget” Document
Your privacy policy should be updated when your business changes, such as when you:
- launch a new product or service
- start selling online
- add new software providers (CRM, analytics, email marketing)
- begin international trading
- introduce CCTV or other monitoring
If you want a more comprehensive approach (rather than patching things as you go), a tailored compliance pack like a GDPR Package can help tie your documents and practices together.
Key Takeaways
- A privacy policy (or privacy notice) explains how your business collects, uses, stores and shares personal data, and what rights people have over it.
- Most UK businesses need to provide privacy information because they collect personal data through enquiries, sales, marketing, bookings, staff admin, or even CCTV - and a privacy policy is a common way to do this.
- Your privacy policy should align with UK GDPR and the Data Protection Act 2018, and cover core areas like lawful basis, data sharing, retention, and individuals’ rights.
- Cookies and tracking can trigger additional obligations under PECR, and many non-essential cookies require consent - so it often makes sense to keep a separate cookie policy alongside your privacy policy.
- Avoid generic templates - an inaccurate privacy policy can create compliance risk and damage trust with customers.
- Privacy compliance isn’t “set and forget”; update your policy as your tech stack, services, and data use evolve.
If you’d like help putting the right privacy policy in place (or reviewing what you already have), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.