Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a UK business, chances are you collect personal data in some form - even if it’s “just” names and email addresses for enquiries. That’s exactly why having a GDPR-compliant privacy policy isn’t something to leave for later.
A good GDPR privacy policy does two things at once:
- It helps you meet your legal transparency obligations under UK GDPR and the Data Protection Act 2018.
- It builds trust, because customers (and business partners) can see what you do with their information.
Below we’ll walk you through how to create a GDPR-compliant privacy policy in a practical, small-business-friendly way - including what it needs to say, how to tailor it to your business, and how to keep it up to date as you grow.
Do You Need A GDPR Privacy Policy For Your Business?
Often, yes. If your business collects, uses, stores, or shares personal data, you will usually need to provide a privacy policy (also called a “privacy notice”) explaining what you do with that data. In some limited situations (for example, where you very rarely process personal data and it’s already obvious to individuals what will happen), the information may be provided in another form - but for most businesses, a published privacy policy is the simplest way to meet the transparency requirements.
For small businesses, personal data commonly includes:
- Customer names, addresses, emails and phone numbers
- Payment and billing details (even if handled via a third-party provider)
- Order history and delivery information
- Website data like IP addresses and cookie identifiers
- Enquiry forms, booking forms, and contact form submissions
- Marketing preferences (newsletter sign-ups, SMS opt-ins)
- CCTV footage if you have cameras on your premises
Under UK GDPR, one of the big themes is transparency. People should not have to guess what happens to their personal data once they give it to you. Your privacy policy is where you explain this clearly.
Even if you’re a very early-stage business, having your Privacy Policy in place from day one helps you avoid last-minute panic when you launch a new website, start running ads, or sign up to email marketing tools.
What Laws Apply In The UK?
When we talk about a GDPR privacy policy in the UK, we’re usually talking about compliance with:
- UK GDPR (the UK version of the General Data Protection Regulation)
- Data Protection Act 2018 (which sits alongside UK GDPR)
- PECR (Privacy and Electronic Communications Regulations) - especially relevant for cookies and marketing messages
These rules apply to many UK businesses, including online shops, service providers, agencies, SaaS companies, brick-and-mortar retailers, and basically anyone collecting personal data for business purposes.
What Does A GDPR-Compliant Privacy Policy Need To Include?
A GDPR-compliant privacy policy isn’t just a box-ticking exercise. It should reflect what your business actually does with personal data, in plain English.
While the exact content depends on your business model, a strong GDPR privacy policy framework usually covers the points below.
1) Who You Are And How To Contact You
You should clearly identify:
- Your legal business name (and trading name, if different)
- Your registered address or business address
- Contact details (email is usually essential)
- If relevant, details for your Data Protection Officer (DPO) or privacy contact person
2) What Personal Data You Collect
Be specific. Instead of saying “we collect personal information”, break it down into categories, such as:
- Identity data (name, title, date of birth where relevant)
- Contact data (email, phone number, address)
- Transaction data (purchases, payments)
- Technical data (IP address, device information)
- Marketing preferences
This section is often where generic templates fall down. If you don’t really collect certain information, don’t claim you do - and if you do collect it, don’t forget to mention it.
3) Why You Use Personal Data (And Your Lawful Bases)
UK GDPR requires you to tell people why you process their data and the lawful basis you rely on, such as:
- Contract (e.g. you need the details to deliver a product or provide a service)
- Legal obligation (e.g. recordkeeping for tax)
- Legitimate interests (e.g. improving services, fraud prevention - but you must consider and balance this against individuals’ rights and expectations)
- Consent (e.g. email marketing sign-ups, non-essential cookies)
A common mistake is relying on consent for everything, when contract or legitimate interests may be more appropriate (and more practical). Your privacy policy should align with how you actually operate.
4) Who You Share Data With
Most small businesses share personal data with third parties, even if it doesn’t feel like it. Examples include:
- Website hosting providers and analytics tools
- Payment processors
- Delivery and fulfilment partners
- CRM and email marketing platforms
- Accountants and professional advisers
If you use suppliers to process personal data on your behalf, you may also need a Data Processing Agreement in place with them (this is separate from your privacy policy, but closely linked).
5) International Transfers
If your service providers store data outside the UK (or access it from outside the UK), this may count as an international transfer. Your privacy policy should explain whether transfers happen and the safeguards you use. Depending on where the data goes, this could include the UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, and (where required) additional risk assessments and supplementary measures.
This often comes up if you use global SaaS tools for email, analytics, cloud storage, customer support, or HR platforms.
6) How Long You Keep Data (Retention)
Your privacy policy should explain how long you keep personal data, or at least the criteria you use to decide.
Small businesses often forget this, but retention matters because keeping data “just in case” can create unnecessary risk. A clear data retention approach is also helpful for internal operations (not just compliance).
7) How You Protect Data
You don’t need to publish a full cyber security manual, but you should explain (at a high level) the measures you use, such as:
- Access controls (only staff who need access have it)
- Secure password practices and multi-factor authentication
- Encryption where appropriate
- Secure storage and supplier vetting
If you have staff, it’s also worth aligning your internal behaviour with your policy via documents like an Acceptable Use Policy (for example, to set rules on using devices, accessing systems, and handling customer information).
8) Individual Rights And How People Can Exercise Them
Under UK GDPR, individuals have rights including (in simplified terms):
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (in certain situations)
- The right to restrict processing
- The right to object (particularly relevant for direct marketing)
- The right to data portability (in certain cases)
Your GDPR privacy policy should tell people how to contact you to exercise these rights, and you should have an internal process for handling these requests calmly and within the required timeframe.
9) Cookies And Similar Tracking
If you run a website (especially an ecommerce or lead-generation site), cookies are a big part of GDPR and ePrivacy compliance.
In practice, many businesses handle cookies in two layers:
- A privacy policy explaining the overall approach to personal data; and
- A separate Cookie Policy explaining cookie types, purposes, and choices in more detail.
This is particularly useful where you use analytics, advertising pixels, or embedded third-party content.
10) Marketing, Calls, And Electronic Messages
If you do email marketing, SMS marketing, or phone marketing, your privacy policy should say so - and it should align with your consent/opt-out methods.
This area can feel confusing because UK GDPR and PECR overlap. If your sales process involves lead follow-up or outbound contact, it’s worth getting clear on the rules around business calls and marketing permissions, so your privacy policy matches what you’re actually doing.
A Step-By-Step Process To Write Your Privacy Policy (Without Guessing)
The easiest way to write a GDPR-compliant privacy policy is to treat it as a summary of your real-world processes - not something you “invent” at the end.
Step 1: Map The Personal Data In Your Business
Start by listing:
- Where the data comes from (website forms, checkout, phone enquiries, in-store, booking tools)
- What types of data you collect
- Why you collect it
- Where it is stored (email inbox, CRM, spreadsheets, cloud drives)
- Who has access (you, staff, contractors, agencies)
- Who you share it with (suppliers and platforms)
This exercise tends to reveal “hidden” data processing - like how enquiries are stored in inboxes forever, or how booking tools automatically store customer information.
Step 2: Identify Your Lawful Bases
For each key activity, choose the lawful basis that fits best. For example:
- Fulfilling orders: contract
- Invoices and accounting records: legal obligation
- Customer support history: often legitimate interests
- Newsletter sign-ups: usually consent
This isn’t just legal theory - it affects what you say in your privacy policy and what choices you give customers.
Step 3: List Your Processors And Third Parties
Write down the tools and providers you use (e.g. email marketing, payments, fulfilment, analytics). This helps you:
- Explain sharing in your privacy policy
- Check which providers are processors vs independent controllers
- Put the right agreements in place where needed
If you handle personal data for business clients (for example, you’re an agency or service provider), you may also need to reflect those arrangements contractually, not just in your privacy policy.
Step 4: Draft The Policy In Plain English
Now you can write the document itself, using the mapped information. Aim for:
- Clear headings
- Short paragraphs
- Specific examples where helpful
- No unnecessary legal jargon
Remember, the goal is that a normal customer can read it and understand what’s happening.
Step 5: Make Sure It Matches Your Website And Processes
This is where many businesses get caught out. Your privacy policy should match what your business actually does, including:
- The wording on your checkout pages and forms
- Your cookie banner settings
- Marketing opt-ins and unsubscribe processes
- Your internal handling of requests and complaints
If your privacy policy says you delete enquiry data after 6 months, but you keep everything forever in your inbox, you’ve created a compliance gap (and potentially a trust problem).
Common Mistakes That Can Make Your Privacy Policy Non-Compliant
Plenty of businesses have a privacy policy, but that doesn’t automatically mean it’s GDPR-compliant.
Here are some of the most common issues we see with GDPR privacy policy compliance for small businesses:
Using A Generic Template That Doesn’t Match Your Business
Templates often include irrelevant clauses or miss key activities like booking systems, behavioural advertising, or international suppliers. If it doesn’t reflect reality, it can cause problems quickly.
Forgetting Cookies, Tracking, Or Advertising Tools
If you use analytics, retargeting ads, embedded videos, or social plugins, your privacy policy (and cookie approach) should explain this properly.
Not Explaining Lawful Bases Clearly
“We process your data because we need to” isn’t enough. You should connect each purpose to a lawful basis in a way that makes sense.
Missing Required Information On Rights And Complaints
Individuals need to know how to exercise their rights and that they can complain to the Information Commissioner’s Office (ICO). Leaving that out is a common compliance gap.
Publishing A Policy But Not Following It Internally
This is a big one. A GDPR privacy policy is a public statement. If your internal processes don’t match (for example, around retention or marketing opt-outs), you could face customer complaints or regulatory attention.
Where To Publish Your Privacy Policy (And How To Keep It Updated)
Your privacy policy should be easy to find before someone hands over their data.
Common places to publish it include:
- Your website footer (standard practice)
- Checkout pages and booking pages (linked near where data is collected)
- Contact/enquiry forms (linked near the submit button)
- Apps or client portals (accessible from menus/settings)
- In-store, where relevant (QR code or printed notice for CCTV, sign-up forms, etc.)
When Should You Update It?
You should review your GDPR-compliant privacy policy when you:
- Add a new service provider (especially analytics/marketing tools)
- Expand into new markets or start shipping internationally
- Start running paid ads or retargeting campaigns
- Begin collecting new categories of data (e.g. health info, ID checks)
- Change your retention practices or security setup
A good rule of thumb is to schedule a quick annual review, and then do “mini reviews” whenever you introduce a new tool or process.
Do You Need More Than A Privacy Policy?
Sometimes, yes. Your privacy policy is a public-facing document, but GDPR compliance often also requires internal documentation and contracts.
Depending on your business, you might also need:
- Processor contracts (where suppliers process personal data for you)
- Internal policies and training for staff handling personal data
- A breach response plan
- Appropriate customer terms addressing data handling (especially for B2B services)
This is where it can help to get advice tailored to your data flows, especially if you’re scaling quickly or working with lots of vendors.
Key Takeaways
- A GDPR-compliant privacy policy is about transparency - if you collect personal data, you should clearly explain what you collect, why, and how it’s used.
- A GDPR privacy policy should include your business details, categories of personal data, purposes and lawful bases, data sharing, international transfers, retention, security, and individual rights.
- The easiest way to create a GDPR-compliant privacy policy is to map your data first, then draft your policy as a plain-English summary of those real processes.
- Cookies and marketing are frequent problem areas - your privacy policy should align with your cookie banner, marketing opt-ins, and PECR requirements.
- Generic templates can create compliance gaps if they don’t match your business model, suppliers, and actual day-to-day practices.
- Your privacy policy should be easy to find on your website and should be reviewed whenever your tools, marketing methods, or services change.
If you’d like help drafting or reviewing a GDPR-compliant Privacy Policy for your business, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.