Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business in the UK, chances are you’re handling personal data every day - even if it doesn’t feel like it.
Maybe you’ve got a simple “contact us” form on your website, you take online bookings, you send email newsletters, or you use a customer database to keep track of orders. The moment you collect information that can identify someone (like a name, email address, phone number, delivery address, or even an IP address in some cases), privacy law is on your radar.
That’s why a clear, accurate privacy policy matters. It’s not just a “website checkbox” - it’s part of setting up your legal foundations properly so you can grow with confidence, avoid complaints, and show customers you take privacy seriously.
Below, we’ll walk you through what a privacy policy needs to include, what UK laws apply, and we’ll also give you a practical privacy policy example you can use as a starting point.
Do I Need A Privacy Policy For My Small Business?
In practice, many UK small businesses should have a privacy policy if they collect or use personal data.
You’ll usually need one if you:
- Have a website that collects enquiries (eg contact forms, newsletter signups, account creation)
- Sell online and take customer order details (names, addresses, payment info via a processor)
- Book appointments (salons, clinics, consultants, trades, events)
- Use analytics or advertising cookies (including basic website tracking)
- Hold employee or contractor information (payroll, contact details, emergency contacts)
- Collect leads via social media or marketing tools
From a legal perspective, the main laws you’re dealing with are:
- UK GDPR (the UK version of the General Data Protection Regulation) - this sets the core rules for processing personal data.
- Data Protection Act 2018 - this sits alongside UK GDPR and covers additional UK-specific rules.
- Privacy and Electronic Communications Regulations (PECR) - these cover marketing communications and cookies.
A privacy policy is one of the most visible ways you comply with the UK GDPR transparency obligations - in other words, telling people what you’re doing with their data, and why.
If your current privacy policy is a generic template you copied years ago, it may not reflect what you actually do (which is a risk in itself). If you’d like something tailored, a professionally drafted privacy policy can help you get it right from day one.
What Must A UK Privacy Policy Include?
A strong privacy policy isn’t about sounding fancy - it’s about being clear, accurate, and complete.
Under UK GDPR, when you collect personal data, you generally need to explain key information including:
1) Who You Are (And How To Contact You)
Your privacy policy should clearly state your business name and contact details.
If you have a registered office address, include it. If you’re a sole trader operating from home, you may want legal advice on what contact details to publish while still meeting transparency requirements.
If you have (or are required to have) a Data Protection Officer (DPO), include their contact details. If you are established outside the UK but target people in the UK (and UK GDPR applies), you may also need to identify your UK representative where relevant.
2) What Personal Data You Collect
Be specific and practical. For example:
- Identity data (name, username)
- Contact data (email, phone number, billing/delivery address)
- Transaction data (order history, purchase amounts)
- Technical data (IP address, device information, cookies)
- Marketing preferences (opt-in/opt-out status)
3) How You Collect It
This might include:
- When a customer fills out a form on your website
- When someone places an order
- When you receive emails or messages
- Automatically through cookies and analytics tools
If you collect personal data from somewhere other than the individual (eg referrals, lead lists, public sources, social media platforms), your privacy policy should also explain the categories of data and the source.
If you use cookies, your privacy policy usually works alongside a separate Cookie Policy (and ideally a cookie banner/consent tool where needed).
4) Why You Use It (Your Legal Basis)
One of the most important parts: you need to explain the purposes for processing data, and the legal basis (eg contract, legitimate interests, consent, legal obligation).
Examples:
- To fulfil orders - necessary for a contract
- To respond to enquiries - legitimate interests
- To send marketing emails - consent (in many cases) or the “soft opt-in” (where allowed and the conditions are met)
- To meet accounting/tax obligations - legal obligation
5) Who You Share Data With
Most small businesses share data with service providers. Common examples include:
- Website hosting providers
- Email marketing platforms
- Booking systems
- Payment processors
- Accountants
- Courier and delivery services
You don’t always need to list every supplier by name, but you should describe the categories of recipients and why you share data with them.
6) Overseas Transfers (If Applicable)
If any of your service providers store or access data outside the UK, you may need to explain:
- Where data is transferred to (eg US or EU)
- What safeguards apply (eg adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses)
This often comes up with cloud tools. If you rely on cloud file storage or collaboration tools, it’s worth checking your settings and suppliers carefully - even a seemingly simple choice, like where your cloud storage provider keeps your files, can raise GDPR compliance issues depending on how you use it.
7) How Long You Keep Data
UK GDPR requires you to explain retention - not necessarily an exact number of days for everything, but at least clear timeframes or criteria.
For example:
- Customer purchase records kept for tax/accounting obligations
- Marketing lists kept until someone opts out
- Enquiries kept for a set period unless they become a customer
If you’re not sure what’s “reasonable”, choose a practical retention approach and apply it consistently. Getting retention right is also part of your broader data retention obligations.
8) People’s Rights Under UK GDPR
Your privacy policy should explain that individuals have rights, such as:
- The right to access their data
- The right to correct inaccurate data
- The right to request deletion (in some cases)
- The right to object to processing (including direct marketing)
- The right to withdraw consent (where consent is the basis)
- The right to complain to the ICO (Information Commissioner’s Office)
9) Marketing Rules (Including Email And SMS)
If you do any marketing, your privacy policy should explain:
- What marketing you send (newsletters, offers, updates)
- How people can opt out
- Whether you rely on consent or the “soft opt-in” (where applicable under PECR)
10) Security Measures (At A High Level)
You don’t need to publish a detailed security blueprint, but you should reassure customers that you take appropriate technical and organisational measures to protect personal data.
11) Automated Decision-Making (If You Use It)
If you use automated decision-making or profiling that has legal (or similarly significant) effects on individuals (eg automated credit decisions), you should explain this, including meaningful information about the logic involved and the likely consequences.
Privacy Policy Example (Template) For UK Small Businesses
The privacy policy example below is written in plain English and is designed for a typical UK small business that operates a website, takes enquiries, and may sell products or services online.
Important: This is a general template only. Your privacy policy must match what you actually do. If you copy-paste a template and it doesn’t reflect your real data practices, that can create risk (and can undermine customer trust). For many businesses, getting a tailored privacy policy is a smart investment as you scale - and it often sits alongside documents like Website Terms And Conditions.
Privacy Policy Example
Last Updated:
1. Who We Are
We are (“we”, “us”, “our”). We are committed to protecting your personal data and respecting your privacy.
Contact Details
If you have any questions about this Privacy Policy or how we handle your personal data, you can contact us at:
Email:
Address:
Phone:
Data Protection Officer (If Applicable)
If we have appointed a Data Protection Officer (DPO), you can contact them at: .
2. What This Privacy Policy Covers
This Privacy Policy explains how we collect, use, store and share personal data when you:
- visit our website at
- make an enquiry or contact us
- purchase goods or services from us (if applicable)
- sign up to receive marketing communications (if applicable)
3. What Personal Data We Collect
Depending on how you interact with us, we may collect the following types of personal data:
- Identity Data: such as your name.
- Contact Data: such as your email address, phone number, and billing/delivery address.
- Order / Transaction Data: such as details about products/services purchased, and order history (note: we generally do not store full payment card details).
- Technical Data: such as your IP address, browser type, device information, and website usage data (including via cookies).
- Marketing Preferences: such as whether you have opted in/out of receiving marketing.
4. How We Collect Your Personal Data
We may collect personal data from you when you:
- enter information into forms on our website
- contact us by email, phone, or through our website
- place an order for goods/services (if applicable)
- subscribe to our mailing list (if applicable)
- use our website, including through cookies and analytics tools
We may also receive personal data from third parties or publicly available sources (for example, if you interact with our social media pages or if someone refers you to us). Where we collect personal data in this way, we will take reasonable steps to tell you about it as required by law.
5. How We Use Your Personal Data (And Our Legal Bases)
We will only use your personal data where the law allows us to. Most commonly, we will use your personal data for the purposes set out below:
- To respond to enquiries and communicate with you (legal basis: legitimate interests and/or steps taken at your request prior to entering into a contract).
- To provide goods or services you purchase from us (legal basis: performance of a contract).
- To manage payments, fees and charges (legal basis: performance of a contract and/or legal obligation).
- To improve our website and customer experience (legal basis: legitimate interests).
- To send marketing communications (legal basis: consent and/or the “soft opt-in” where permitted by law and the conditions are met). You can opt out at any time.
- To comply with legal obligations (legal basis: legal obligation), such as accounting and tax requirements.
6. Marketing
Where you have opted in (or where we are permitted to do so under applicable law), we may send you marketing communications by email and/or SMS about our products, services, or offers.
You can opt out at any time by using the unsubscribe link in our emails or by contacting us using the details above.
7. Cookies
Our website may use cookies and similar technologies. Cookies help us understand how our website is used and improve your experience.
Cookies that are not strictly necessary for the website to work may require your consent under PECR.
For more information about how we use cookies, including how you can manage your cookie preferences, please refer to our Cookie Policy at: .
8. Who We Share Personal Data With
We may share your personal data with trusted third parties where needed to run our business, including:
- website hosting and IT service providers
- payment processors (if applicable)
- booking, CRM, and email marketing providers (if applicable)
- professional advisers such as accountants and insurers
- delivery/courier providers (if applicable)
We require third parties to respect the security of your personal data and to treat it in accordance with the law.
9. International Transfers
Some of our service providers may store or access personal data outside the UK. Where we transfer your personal data overseas, we take steps to ensure it is protected in line with applicable data protection laws (for example, by relying on UK adequacy regulations or using appropriate contractual protections such as the IDTA or the UK Addendum).
10. Data Security
We take reasonable technical and organisational measures to protect your personal data. However, no method of transmission over the internet is completely secure.
11. How Long We Keep Your Personal Data
We keep personal data only for as long as necessary for the purposes we collected it for, including to satisfy legal, accounting, or reporting requirements.
In some cases, we may keep data for longer where required by law or where we need it to establish, exercise or defend legal claims.
12. Automated Decision-Making
We do not generally use automated decision-making that has legal (or similarly significant) effects on you. If this changes, we will update this Privacy Policy and provide the information required by law.
13. Your Legal Rights
Under UK data protection laws, you may have rights including:
- the right to request access to your personal data
- the right to request correction of inaccurate data
- the right to request deletion of your personal data (in certain circumstances)
- the right to object to processing (including direct marketing)
- the right to withdraw consent where consent is the basis for processing
- the right to lodge a complaint with the Information Commissioner’s Office (ICO)
If you would like to exercise your rights, please contact us using the details in section 1.
14. Changes To This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be posted on our website and will apply from the “Last Updated” date above.
End of Privacy Policy
This privacy policy example is a helpful starting point, but don’t forget the key rule: it must reflect your actual business operations (including your software stack, marketing methods, and how you collect data).
Common Privacy Policy Mistakes Small Businesses Make (And How To Avoid Them)
Privacy policies often go wrong in predictable ways - usually because they were treated as a last-minute “website admin task” rather than a legal compliance document.
Using A Template That Doesn’t Match What You Do
If your privacy policy says you don’t share data with third parties but you use email marketing software, payment processors, booking tools, or analytics, your policy may be inaccurate.
That’s a problem because UK GDPR is built on transparency. It’s much better to disclose what you actually do than to pretend you do less.
Not Addressing Cookies Properly
A privacy policy and a cookie banner aren’t the same thing, and not all cookies are treated equally. If you’re running analytics or advertising cookies, you may need consent under PECR (depending on the type of cookies and how they operate) and clear disclosures to users.
Being Too Vague About Retention
“We keep your data as long as necessary” without any further detail is usually too thin. You don’t need a perfect retention schedule, but you do need something meaningful.
Forgetting Marketing Compliance
If you send newsletters or promotional emails, your privacy policy should explain how people can opt out, and how you comply with PECR marketing rules (including, where relevant, the “soft opt-in” conditions).
Not Linking Your Privacy Policy Properly
Make it easy to find. Common best practice is to link your privacy policy in the website footer and at the point you collect data (eg next to forms and checkout pages).
How Do I Keep My Privacy Policy Compliant As My Business Grows?
A privacy policy isn’t a “set and forget” document. As your business grows, your data handling almost always changes - new tools, new marketing channels, new staff, new suppliers.
Here are practical habits that can keep you compliant without turning privacy into a full-time job.
Do A Simple “Data Audit” Every 6–12 Months
Ask yourself:
- What personal data do we collect now that we didn’t collect last year?
- Have we added any new platforms (CRM, email marketing, booking, analytics, chat tools)?
- Do we share data with anyone new (couriers, contractors, service providers)?
- Have we expanded into new markets or started selling overseas?
If the answer is “yes” to any of the above, your privacy policy likely needs an update.
Align Your Privacy Policy With Your Other Website Documents
Your privacy policy should work alongside other core documents, especially if you sell online. For example, your sales process and customer communications often link to your Website Terms And Conditions, and your website tracking should be consistent with your cookie disclosures.
Make Sure Your Team Follows The Policy
A privacy policy isn’t just for customers - it also becomes an internal reference point.
If you have staff (or even just a couple of contractors), make sure the way they handle customer data matches what you’ve promised publicly. If you need a more structured approach, putting the right policies and governance in place (and having a clear compliance plan) can be part of a broader GDPR package.
Be Careful With “Extra” Data
Small businesses sometimes collect more data than they need because it’s easy to add extra fields to a form.
As a general rule: only collect what you actually need. Less data usually means less risk and less admin.
Key Takeaways
- A privacy policy is commonly needed for UK small businesses that collect personal data through their website, bookings, sales, enquiries, or marketing.
- Your privacy policy should be clear about what data you collect, how you use it, who you share it with, how long you keep it, and what rights people have under UK GDPR.
- PECR rules can apply where you use cookies or send marketing communications, so your privacy policy should line up with your cookie and marketing practices.
- A privacy policy example is a great starting point, but your final policy must reflect your real-world tools and processes - otherwise it can create compliance risk.
- As your business grows (new software, new marketing, new suppliers), you should review and update your privacy policy so it stays accurate and legally useful.
If you’d like help putting the right privacy policy in place (and making sure it actually matches how your business operates), you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.