Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business collects any personal information - from website enquiries to customer orders - you’re legally required to tell people what you’re doing with it. That’s exactly what a Privacy Policy (often called a “privacy notice” in UK law) is for.
In this guide, we’ll break down what a privacy policy is, when you need one, what it must include under UK GDPR and the Data Protection Act 2018, and practical steps to get yours right from day one.
Don’t stress - with a clear process and the right documents, you can stay compliant and build customer trust at the same time.
What Is A Privacy Policy Under UK Law?
A privacy policy is a public statement (usually on your website or app) that explains, in clear language, how your business collects, uses, shares and protects personal data. UK law calls this a “privacy notice,” and it’s required by the UK GDPR and the Data Protection Act 2018 whenever you act as a “controller” of personal data.
In practical terms, if you capture contact forms, newsletter sign-ups, online orders, job applications, support tickets, CCTV footage, or even IP addresses and cookie identifiers, then you’re handling personal data and you need to be transparent about it.
Transparency is a core GDPR principle. Articles 13 and 14 set out the information you must provide to people whose data you collect, whether you get it directly from them (e.g. a checkout page) or indirectly (e.g. a lead list from a third party).
It’s also a credibility signal. Customers are increasingly privacy-aware; a clear, easy-to-find privacy policy shows you take their data seriously and helps you win trust with new users, enterprise clients and regulators alike.
Do Small Businesses Really Need A Privacy Policy?
Almost certainly, yes. Most SMEs process personal data in some form - even if you’re “B2B only.” Business emails (firstname@company.com), sole traders’ details, and contact names count as personal data under UK GDPR.
You need a privacy policy if you:
- Run a website that uses contact forms, analytics or cookies
- Sell products or services online or offline and keep customer details
- Send marketing emails or texts (including soft opt-in)
- Use third-party tools (e.g. CRM, payments, email platforms) to process personal data
- Collect staff, contractor or job applicant information
Even bricks-and-mortar businesses usually collect personal data through booking systems, loyalty programs, CCTV or Wi-Fi portals. If any of this sounds like you, you need a compliant privacy policy and associated documents like a Data Processing Agreement with your suppliers.
For websites and apps, you’ll typically publish the policy in your footer and link it wherever you collect data (e.g. checkout, sign-up forms). For offline collection (e.g. paper forms at an event), you should still make the information available - via a short notice with a link or QR code to the full policy.
What Must A Privacy Policy Include Under UK GDPR?
Your privacy policy should be tailored to how your business actually operates. As a minimum, it needs to cover the GDPR “transparency information” in a way people can easily understand. In plain English, this means:
- Who you are: Your legal entity name, trading name and contact details (and your Data Protection Officer if you have one).
- What data you collect: The types of personal data (e.g. names, emails, payment details, IP addresses, device IDs, CCTV footage).
- How and why you collect it: The purposes (e.g. order fulfilment, customer support, marketing, security, analytics). Be specific.
- Your lawful bases: The legal reason for each purpose (e.g. contract, legal obligation, legitimate interests, consent).
- Who you share it with: Categories of recipients (e.g. payment processors, delivery partners, cloud providers) and the nature of the sharing.
- International transfers: If data goes outside the UK (or EEA), what safeguards you use (e.g. UK IDTA/Addendum, adequacy decisions).
- How long you keep it: Retention periods or the criteria used to set them.
- People’s rights: The data subject rights (access, rectification, erasure, restriction, portability, objection, and the right to withdraw consent).
- How to complain: A route to contact you and the right to complain to the ICO.
- Automated decisions: If you use profiling or automated decisions with legal or similar effects, explain the logic and consequences.
- Cookies and similar tech: A clear explanation of cookies, with a link to your cookie controls and cookie list.
Make sure the language is concise and free of jargon. The ICO expects information to be accessible to your audience - that may mean a layered approach (a short summary with links to detailed sections) or extra clarity where you target children or vulnerable groups.
Because cookies and analytics fall under PECR (the Privacy and Electronic Communications Regulations), you’ll also need compliant consent controls and a separate but connected Cookie Policy that lists the cookies you use.
How Is A Privacy Policy Different From Other Documents?
It’s easy to mix up the documents that sit around privacy. Here’s how they fit together:
Privacy Policy (External) vs Internal Policies
Your external-facing privacy policy (privacy notice) is for customers and users. You should also have internal policies and procedures that your staff follow - how to handle data breaches, how to respond to access requests, and how to apply retention rules. Many UK SMEs bundle these together as part of a practical GDPR Package.
Data Processing Agreement (DPA)
A DPA is a contract between you (the controller) and your processors (e.g. your email platform or cloud host). It sets out how they must protect data and follow your instructions. If you use any third-party service to process personal data on your behalf, you should have a Data Processing Agreement in place.
Data Sharing Agreement
If you share personal data with another controller (e.g. a strategic partner running a joint campaign with you), a Data Sharing Agreement helps allocate responsibilities and reduce risk.
Cookie Policy and Consent Banner
PECR requires consent for most non-essential cookies. Your banner should allow users to accept/reject by category and your cookie policy should explain the tech you use. Practical steps for compliant banners are covered in this guide to cookie banners that comply.
Step-By-Step: How To Create A Compliant Privacy Policy
1) Map Your Data Flows
Start with a simple audit. List what personal data you collect, where it comes from, what you use it for, where you store it, and who you share it with. Don’t forget less obvious sources like analytics, support chats, CCTV, and job applications.
This exercise will drive the structure of your policy and highlight where you need a DPA or a data sharing arrangement.
2) Select Your Lawful Bases
For each use of data, choose a lawful basis under UK GDPR. Common ones for SMEs include:
- Contract: To provide your services or deliver an order
- Legal obligation: Accounting, tax, AML, health and safety
- Legitimate interests: Website security, fraud prevention, basic analytics, B2B marketing (subject to PECR)
- Consent: Email/SMS marketing to consumers, non-essential cookies, certain sensitive uses
Document your balancing tests for legitimate interests and keep a record of how you capture consent (and how users can withdraw it).
3) Draft In Plain English
Turn your audit into a clear, accessible policy. Use headings, short paragraphs and a layered approach so readers can scan. Avoid copying a template that doesn’t reflect your actual systems - if your policy is misleading, that’s a compliance risk in itself.
To keep things consistent, many businesses combine website terms, a cookie policy and their Privacy Policy so users can find everything easily in the site footer.
4) Put The Right Contracts In Place
Once you know who processes data for you, make sure a Data Processing Agreement is in place with each supplier (e.g. your CRM, email tool, cloud storage, payments provider). If you’re jointly determining purposes with a partner, consider a Data Sharing Agreement so roles are clear.
5) Sort Cookies And Marketing
Implement a consent banner that blocks non-essential cookies until the user opts in, and provide easy “reject all” and granular options by category. Align the banner with your cookie policy and keep the cookie list up to date as your tech stack changes.
For email and SMS, follow PECR rules. The “soft opt-in” can help for existing customers, but you still need to provide an opt-out in every message and record consent choices carefully.
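To show what “blocks non-essential cookies until the user opts in” means in code, here is an added example of a minimal consent-gated tag loader (this is illustrative code written for this guide, not Sprintlaw’s or any consent tool’s implementation). The category names, the tag registry and the script URLs are constructed; the page’s own `loadScript` callback would inject the `<script>` tag, which is left as a parameter so the logic can run outside a browser.

```javascript
// Constructed categories: "necessary" is always on; everything else is
// denied by default (no pre-ticked boxes) until the visitor decides.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed tag registry: every non-essential tag is tied to one category,
// so a "reject all" or a granular choice maps directly onto what gets loaded.
const TAGS = [
  { id: "analytics-script", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ads-pixel", category: "marketing", src: "https://example.invalid/ads.js" },
];

function createConsentManager(loadScript) {
  const consent = { necessary: true, analytics: false, marketing: false };
  const loaded = new Set(); // tags already injected; never injected twice
  let decided = false;      // false until the visitor has made any choice

  // Load only tags whose category is consented to and not yet loaded.
  function applyConsent() {
    for (const tag of TAGS) {
      if (consent[tag.category] && !loaded.has(tag.id)) {
        loadScript(tag);
        loaded.add(tag.id);
      }
    }
  }

  // Granular choice by category, as the banner's tick-boxes would submit it.
  function update(choices) {
    for (const cat of CATEGORIES) {
      if (cat !== "necessary") consent[cat] = Boolean(choices[cat]);
    }
    decided = true;
    applyConsent();
    return { ...consent };
  }

  return {
    update,
    rejectAll: () => update({}),                                  // one click, nothing non-essential loads
    acceptAll: () => update({ analytics: true, marketing: true }),
    // Withdrawal stops further loads, but a script already executed stays
    // resident until the page reloads, so the caller gets the tags to clear.
    withdraw: (category) => {
      consent[category] = false;
      return TAGS.filter((t) => t.category === category && loaded.has(t.id)).map((t) => t.id);
    },
    // Entry for the consent log: what was chosen and when.
    record: () => ({ decided, consent: { ...consent }, timestamp: new Date().toISOString() }),
    loadedTags: () => [...loaded],
  };
}
```

Before any choice is recorded nothing beyond the necessary category is loaded, which is the behaviour a “reject all” button must preserve; the `record()` output is what you would persist to evidence the consent choice.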
6) Plan For Data Rights And Retention
You must handle data subject requests within one month. Have a simple workflow, and train your team to recognise requests (they can come through any channel). Timelines and exemptions are outlined in this guide to subject access request deadlines.
Set a retention schedule so you only keep data for as long as you need it. This UK-focused guide on how long you should keep personal data is a good starting point for SMEs.
7) Keep It Live And Up To Date
Privacy is not a set-and-forget project. As you add tools, expand to new markets, or change suppliers, review your policy and cookie setup. If you significantly change how you use data, tell users and (where required) seek fresh consent.
Where Should You Publish Your Privacy Policy?
Make it easy to find. The usual places are:
- Website footer (every page)
- Sign-up, checkout and contact forms (a direct link near the consent/submit button)
- In-app menu or account settings (for apps/SaaS)
- Email footers and onboarding flows
For physical collection, use a short privacy notice at the point of capture with a link or QR code to the full policy.
If your site targets the UK and international users, explain any country-specific points (e.g. different complaint routes or transfer safeguards). If you transfer data outside the UK, reference the approach you use (e.g. UK Addendum to the EU SCCs or the UK’s International Data Transfer Agreement).
Common Mistakes (And How To Avoid Them)
Copy-Paste Policies That Don’t Match Reality
Regulators and customers can spot generic templates a mile away. If you say you never share data but your checkout uses multiple processors, you’re creating risk. Tailor the policy to your actual systems and keep it current.
Ignoring Cookies And PECR
Dropping analytics and marketing tags before consent, missing “reject all” buttons, or burying cookie choices are common pitfalls. Fixing the banner and publishing an accurate cookie policy go a long way to compliance - and to respecting user choices.
Outdated GDPR References
Post-Brexit, the UK has UK GDPR alongside the Data Protection Act 2018. Make sure your policy reflects UK law and references the ICO (not just EU bodies), especially if you only target UK users.
No Process For Data Rights
Having a policy is great - but you also need a way to action it. Put in place a simple process for identity checks, locating data across systems, and responding within the time limits. You’ll likely field access, deletion and objection requests as you grow.
Poor Retention Hygiene
Keeping data “just in case” is a risk. Define retention periods that align with legal and operational needs, then actually delete or anonymise data when those periods expire.
Missing Records And Supplier Contracts
UK GDPR expects you to demonstrate compliance. Keep records of your processing activities, decisions about lawful bases, and your DPAs with processors. If you use new tools or AI services that process personal data, update your records and supplier contracts accordingly.
FAQs: What UK SMEs Ask About Privacy Policies
Is A Privacy Policy Legally Required?
Yes - if you act as a controller of personal data, UK GDPR requires you to provide people with specific information about how you process their data. For most SMEs, the simplest way to meet that duty is a clear, easily accessible privacy policy.
What’s The Difference Between A Privacy Policy And A Privacy Notice?
Under UK GDPR, “privacy notice” is the formal term for the information you must provide. In practice, most businesses publish a “Privacy Policy” that functions as their privacy notice. The key is that it covers the required points and is easy to understand.
Do I Need One If I’m B2B Only?
Yes. Business contacts are still people. Names, business emails and phone numbers are personal data. You still need transparency and you must follow UK GDPR and PECR rules for direct marketing.
Where Do Cookies Fit In?
Cookies and similar technologies are governed by PECR. You generally need prior consent for non-essential cookies (e.g. analytics, advertising). Provide a compliant banner, and publish a clear Cookie Policy tied to your consent choices.
Do I Need To Pay An ICO Fee?
Most UK businesses that process personal data must pay a data protection fee to the ICO unless exempt. If you’re unsure, this explainer on ICO fee exemptions sets out the basics.
How Do I Handle Access Requests?
You have one month to respond to subject access requests in most cases. Put a simple process in place and train your team. Timings and practical steps are outlined in this guide to SAR deadlines.
Key Takeaways
- A privacy policy (privacy notice) is legally required under UK GDPR whenever you collect or use personal data - most SMEs do, even if they’re B2B.
- Your policy must explain who you are, what you collect, why and how you use it, your lawful bases, who you share it with, transfers, retention, rights and complaints.
- Pair your policy with the right supporting documents: a Data Processing Agreement for processors, a Data Sharing Agreement for controller-to-controller sharing, and a live Cookie Policy with compliant consent tools.
- Plan for data rights and retention now - responding to SARs on time and deleting data when it’s no longer needed are core compliance duties.
- Avoid generic templates that don’t reflect reality. A tailored, plain-English Privacy Policy builds trust and reduces regulatory risk.
- If you want a streamlined approach, consider a practical GDPR Package covering policies, contracts and processes suitable for SMEs.
If you’d like help drafting a compliant privacy policy and getting your privacy stack set up properly from day one, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.