Time: 1-2 hours · Difficulty: Medium

How to Write a Privacy Policy

Write a privacy policy by identifying what personal data you collect, your lawful basis for processing, how long you retain it, who you share it with, and how individuals can exercise their data subject rights under UK GDPR.

Last updated: February 2025

Step-by-Step Guide

1. Audit your data processing activities

Map out what personal data you collect, where it comes from, why you process it, how long you keep it, and who receives it. This record is the raw material for the policy: every purpose you later describe should trace back to an entry here.

Tips
  • Include data from website cookies and analytics, contact forms, email marketing, customer accounts, and employee records.
  • Record processors as well as other recipients: a hosting provider or payroll bureau that handles the data on your behalf still needs to appear.

2. Identify your lawful bases

For each processing activity, determine the lawful basis under Article 6 of UK GDPR. There are six: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests. Special category data additionally needs a condition under Article 9.

Tips
  • Do not default to consent for everything; contractual necessity or legitimate interests is often more appropriate, and consent must be freely given and as easy to withdraw as it was to give.
  • If you rely on legitimate interests, document the three-part test (your purpose, why the processing is necessary for it, and the balance against the individual's interests) so you can justify it if challenged.

3. Draft the privacy policy content

Include your identity and contact details, your DPO's details if you have one, each processing purpose and its lawful basis, the recipients or categories of recipients, any international transfers and the safeguards used, retention periods or the criteria used to set them, and the data subject rights, including the right to withdraw consent and the right to complain to the ICO. Where data is not collected directly from the individual, also state its source.

Tips
  • Write in clear, plain language. Avoid legal jargon.
  • Use layered notices for complex processing: a short summary at the point of collection that links to the full policy.

4. Publish and maintain the policy

Link the policy from your website footer and present it at every point of data collection, such as sign-up forms and cookie banners. Review and update it whenever your processing activities change.

Tips
  • Date the policy and keep an archive of previous versions so you can show what individuals were told at any given time.

Legal Requirements

Articles 13 and 14 of UK GDPR specify the information that must be provided to data subjects: Article 13 applies where data is collected from the individual, Article 14 where it is obtained from another source. Article 12 requires that this information be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The ICO (Information Commissioner's Office) publishes detailed guidance on the right to be informed and what a privacy notice must contain.

Common Mistakes

  • Using a generic template without tailoring it to your actual data processing
  • Listing consent as the lawful basis when legitimate interests would be more appropriate
  • Not updating the policy when new data processing activities are introduced

Template / Example

Privacy Policy of [Company Name]. Last updated: [Date]. [Company Name], [registered address], is the data controller; contact [privacy email] with any query about your data. We collect your name, email address, and payment details to provide our services. Lawful basis: performance of a contract. We share payment details with [payment processor] in order to take payment. We retain your data for [X] years after your account closes. You have the right to access, rectify, or delete your personal data, to object to or restrict its processing, and to complain to the ICO at ico.org.uk.

When to Get a Solicitor

Seek legal advice if you process special category (sensitive) data, make solely automated decisions that have legal or similarly significant effects on individuals, transfer data outside the UK, or are unsure about your lawful bases.

FAQ

Is a privacy policy legally required in the UK?

Yes. Under UK GDPR and the Data Protection Act 2018, any organisation that processes personal data must, subject to limited exemptions, tell data subjects how their data is used, and a privacy notice is the standard way to do so.

What happens if my privacy policy is not GDPR compliant?

The ICO can issue enforcement notices and monetary penalties of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. Non-compliance also undermines customer trust.


This is guidance, not legal advice. Consult a solicitor for complex matters.
