Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Do Small Businesses Need A Privacy Policy In The UK?
- Which UK Laws Should It Address?
What To Include In A Small Business Privacy Policy (Checklist)
- 1) Who You Are And How To Contact You
- 2) What Personal Data You Collect
- 3) How You Collect It
- 4) Why You Use It (Purposes) And Your Lawful Bases
- 5) Cookies And Tracking
- 6) Who You Share Data With
- 7) International Transfers
- 8) How Long You Keep Data (Retention)
- 9) Security Measures
- 10) Individual Rights
- 11) Direct Marketing
- 12) Updates To The Policy
- Free Sample Privacy Policy For Small Business (Copy And Customise)
Common Mistakes And Best Practice
- Mistake 1: Copy-Pasting A Policy That Doesn’t Match Your Business
- Mistake 2: Forgetting About Cookies And PECR
- Mistake 3: No Supplier Contracts For Data Processing
- Mistake 4: Over-Retaining Personal Data
- Mistake 5: Not Being Ready For Individual Rights Requests
- Mistake 6: No Incident Plan
- Best Practice Tips
- Key Takeaways
If you collect any personal information from customers, clients, staff or website visitors, you’ll need a Privacy Policy. The good news? With a clear structure and the right wording, you can create a policy that’s compliant, easy to read and actually useful to your business.
Below, we explain what UK laws your policy must address, what to include (in plain English), and share a free sample Privacy Policy for small businesses that you can copy and tailor. Getting this right early will help you stay compliant and build trust with customers from day one.
Do Small Businesses Need A Privacy Policy In The UK?
In most cases, yes. If your business collects, uses or stores any information that can identify an individual (like a name, email, phone number, IP address, purchase history or health details), you’re handling “personal data” and must comply with UK data protection law. A Privacy Policy is a core way of meeting your transparency obligations and explaining how you process that data.
Even very small businesses typically collect personal data: think online enquiries, email newsletter sign-ups, ecommerce orders, CCTV, or job applications. If any of that sounds like you, you should have a written, accessible Privacy Policy available to individuals at or before the point you collect their data.
Your Privacy Policy should be prominently available (for example, in your website footer and during checkout) and written in clear, plain English. You also need to make sure what it says matches what you actually do in practice.
Which UK Laws Should It Address?
As a UK small business, your Privacy Policy should reflect the main rules that apply to your data practices:
- UK GDPR and the Data Protection Act 2018 - These set out the principles for lawful, fair and transparent processing of personal data, establish data subject rights (like access, erasure and objection), and require appropriate security.
- Privacy and Electronic Communications Regulations (PECR) - These cover direct marketing by email/SMS, use of cookies and similar technologies, and certain telecoms rules. If you use cookies or run email campaigns, PECR will apply alongside UK GDPR.
- Sector-specific rules - For example, if you process special category data (such as health data) or children’s personal data, additional safeguards and lawful bases may apply.
You don’t need to quote legislation in full, but your policy should accurately explain how you comply in practice: your lawful bases, your retention approach, security, and people’s rights. If you use cookies or pixels, make sure your Cookie Policy and cookie banner settings align with PECR and your Privacy Policy. Many businesses also update their notices to reflect modern tracking choices and provide clear opt-outs consistent with cookie banner best practice.
What To Include In A Small Business Privacy Policy (Checklist)
Here’s a practical checklist of the key items your Privacy Policy should cover. Tailor each point to how your business actually operates.
1) Who You Are And How To Contact You
- Your business name, trading name and contact details (email, postal address).
- If you have a Data Protection Officer (DPO) or privacy lead, include their contact details too.
2) What Personal Data You Collect
- Examples: names, emails, phone numbers, addresses, IP addresses, device identifiers, payment references (avoid storing card details unless you have a strong reason and appropriate security), purchase history, account data, support tickets, CVs.
- Call out any special category data (e.g. health information) with extra care and justification.
3) How You Collect It
- Directly from individuals (forms, checkout, phone, email, chat, in person).
- Automatically (analytics cookies, pixels, logs).
- From third parties (referrals, public sources, partners).
4) Why You Use It (Purposes) And Your Lawful Bases
- Common purposes: providing products/services, customer support, account management, marketing with consent or legitimate interests, analytics, fraud prevention, legal compliance.
- Map each purpose to a lawful basis (e.g. contract necessity, consent, legitimate interests, legal obligation). If you rely on legitimate interests, briefly describe those interests and individuals’ right to object.
5) Cookies And Tracking
- Link to your Cookie Policy and be consistent with your banner settings.
- Explain how to manage preferences, including consent-based controls for non-essential cookies under PECR.
6) Who You Share Data With
- Service providers (hosting, payment processors, CRM, email, analytics, IT support).
- Professional advisors (lawyers, accountants), regulators, or authorities where legally required.
- Make sure your contracts with suppliers include a Data Processing Agreement when they process personal data for you, and consider a Data Sharing Agreement if you share data with independent third parties.
7) International Transfers
- Explain if data is transferred outside the UK (e.g. to cloud providers) and the safeguard mechanism you use (UK IDTA, Addendum to EU SCCs, adequacy decisions).
8) How Long You Keep Data (Retention)
- State how long you keep different categories of personal data, or the criteria used to decide, and explain that you securely delete or anonymise data when no longer needed.
9) Security Measures
- High-level description of technical and organisational measures (access controls, encryption in transit, staff training, vendor due diligence).
10) Individual Rights
- Explain the rights of access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent.
- Tell users how to exercise their rights (contact details) and that they can complain to the ICO.
- Internally, ensure your team knows how to handle subject access requests within statutory timelines.
11) Direct Marketing
- Be explicit about when you send marketing and under which legal basis (consent or soft opt-in/legitimate interests under PECR), plus easy opt-out methods in every message.
12) Updates To The Policy
- Say when the policy was last updated and how you’ll notify users about significant changes.
Free Sample Privacy Policy For Small Business (Copy And Customise)
Use this sample as a starting point and tailor it to match your business, systems and suppliers. Keep the tone plain and practical. If you’re unsure, have a lawyer review the final wording.
Privacy Policy (UK)
Last Updated: [date]

1. Who We Are
We are [business name] (trading as [trading name]), registered in [country] at [registered address]. You can contact us at [contact email] or [contact phone number]. If you have any questions about this policy, contact [privacy lead or DPO name] at [privacy contact email].

2. The Data We Collect
We may collect and process:
- Identity Data – name, title, date of birth.
- Contact Data – email address, phone number, billing/delivery address.
- Account Data – username, preferences, communication history.
- Transaction Data – order details, payment references (we do not store full card details).
- Technical Data – IP address, device identifiers, browser type, time zone, cookie IDs.
- Usage Data – pages viewed, links clicked, session duration.
- Marketing & Communications Data – your preferences in receiving marketing from us.

3. How We Collect Data
We collect data when you:
- Fill in forms, create an account, place an order, contact support or interact with us.
- Use our website, which collects data automatically using cookies and similar technologies.
- Are referred to us, or when we receive data from service providers that help us operate our business.

4. Why We Use Data (Purposes) And Lawful Bases
We use personal data to:
- Provide our products/services, process orders and payments, deliver and manage your account (Lawful basis: Contract).
- Respond to enquiries and provide support (Contract/Legitimate Interests).
- Send you marketing communications where permitted, with opt-out at any time (Consent/Legitimate Interests and PECR rules).
- Improve our website, products and services, and perform analytics (Legitimate Interests/Consent for non-essential cookies).
- Detect and prevent fraud and comply with legal obligations (Legal Obligation/Legitimate Interests).
Where we rely on legitimate interests, they include running and improving our business, delivering quality customer service, and promoting our products/services in a proportionate way. You can object to processing based on legitimate interests at any time.

5. Cookies
We use cookies and similar technologies for functionality, analytics and marketing. Where required, we will obtain your consent for non-essential cookies. You can manage your preferences at any time. For details, see our Cookie Policy.

6. Sharing Your Data
We may share personal data with:
- Service providers acting on our behalf (e.g. hosting, payment processing, delivery, IT support, CRM, email).
- Professional advisers (lawyers, accountants), regulators, or law enforcement where legally required.
We require all service providers to safeguard personal data and only process it according to our instructions.

7. International Transfers
Some providers are located outside the UK. Where we transfer data internationally, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or rely on an adequacy decision.

8. Data Security
We use technical and organisational measures appropriate to the risk, including access controls, encryption in transit, regular monitoring, staff training and vendor due diligence.

9. Data Retention
We keep personal data only for as long as necessary for the purposes described above, including to satisfy legal, accounting or reporting requirements. We then securely delete or anonymise it.

10. Your Rights
You have rights to access, rectify, erase, restrict, object to processing, and data portability, and the right to withdraw consent where processing is based on consent. To exercise these rights, contact us at [privacy contact email]. You also have the right to complain to the Information Commissioner’s Office (ICO).

11. Direct Marketing
We may send you marketing messages if you have opted in, or where permitted by law (e.g. soft opt-in). You can opt out at any time using the unsubscribe link in our emails or by contacting us.

12. Third-Party Links
Our website may include links to third-party sites or services. We are not responsible for their privacy practices.

13. Changes To This Policy
We may update this policy from time to time. The latest version will always be available on our website with the date of the most recent update.

Contact
Questions? Contact us at [contact email] or [contact phone number].
Important: This is a general sample. You’ll need to adjust it to align with your business model, tech stack and data flows, and ensure your customer journeys (checkout screens, consent flows, unsubscribe links and cookie banner) match what your policy says.
Common Mistakes And Best Practice
Privacy notices are more than a tick-box exercise. Here are the pitfalls we most often see, and how to avoid them.
Mistake 1: Copy-Pasting A Policy That Doesn’t Match Your Business
Using a generic template without tailoring it to your purposes, lawful bases and suppliers can leave you exposed and mislead customers. Align the policy with your real processes and document your legal basis for each processing activity.
Mistake 2: Forgetting About Cookies And PECR
If you use analytics or advertising pixels, you’ll usually need consent before setting non-essential cookies, and you must give visitors a way to reject them. Ensure your Cookie Policy and banner are consistent, and implement controls that reflect your cookie banner wording. Don’t say you only use “essential cookies” if that’s not true.
Mistake 3: No Supplier Contracts For Data Processing
If a provider processes personal data for you (hosting, email, CRM, fulfilment), UK GDPR requires you to have written terms covering security, confidentiality and your instructions. Put a proper Data Processing Agreement in place, and consider a Data Sharing Agreement where you and another party independently decide how to use the data.
Mistake 4: Over-Retaining Personal Data
Keeping data “just in case” increases your risk and storage costs. Set realistic retention schedules (by category) and stick to them. Your policy should explain how you determine retention and when you delete or anonymise data.
Mistake 5: Not Being Ready For Individual Rights Requests
You must respond to access, erasure and other requests within strict deadlines. Prepare a simple process and train your team so they can recognise and action subject access requests quickly and securely.
Mistake 6: No Incident Plan
Breaches can happen to anyone, and UK GDPR requires certain incidents to be reported to the ICO within 72 hours. Having a clear, tested Data Breach Response Plan will help you respond effectively and meet your obligations under pressure.
Best Practice Tips
- Make your policy short, layered and readable; link to more detail rather than cramming everything on one page.
- Use consistent language across your website, Privacy Policy and customer communications.
- Keep a record of your processing activities so updates to your policy are straightforward.
- Test your user journeys (signup, checkout, unsubscribe, cookie controls) to ensure they work as promised.
- Review your policy periodically or when you change tools, start new marketing or expand to new regions.
Key Takeaways
- If you collect any personal data, you should publish a clear, UK-focused Privacy Policy that accurately reflects your practices.
- Cover the essentials: who you are, what you collect, lawful bases, cookies/PECR, sharing, international transfers, retention, security, individual rights and contact details.
- Align your policy with your systems: cookie consent tools, unsubscribe links and vendor contracts all need to match what you say on paper.
- Put core documents around your policy: a robust Data Processing Agreement with processors, a clear Cookie Policy, and an internal Data Breach Response Plan.
- Train your team and establish processes to handle subject access requests, opt-outs and data deletion requests on time.
- Don’t rely on generic templates; have your final Privacy Policy reviewed so it’s tailored, compliant and protective for your business.
If you’d like help tailoring a Privacy Policy for your small business or want us to review your cookie consent flows and supplier contracts, our team can help. Reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.