How to write a GDPR compliant privacy policy

Under GDPR you are obliged to give individuals information about how you use their personal data, and you must do this in a clear, jargon-free way. Your privacy policy should be designed with this in mind. A well-drafted privacy policy will go a long way toward ensuring that you obtain the fully informed consent of individuals to the processing of their data.

In this article we suggest ways in which you can ensure your organisation’s privacy policy is GDPR compliant and fit for purpose. If you're unsure about your business's current privacy practices or need help drafting a privacy policy for your business, one of our expert data protection solicitors would be glad to assist.

What is a privacy policy?

A privacy policy sets out details of the data you hold on individuals, how you use it and why you use it. It usually appears on your website or through a link from emails or other forms of correspondence sent by your organisation.

In the context of GDPR there is a greater onus on companies – as data controllers and processors – to provide information about privacy in a concise, straightforward, and transparent manner.

GDPR is all about giving individuals greater control over their personal data. Under Articles 13 and 14 of the regulations, individuals have a right to be informed about how their data is used - your privacy policy should be designed to enable your clients and customers to exercise this right.

How to make sure your privacy policy is GDPR compliant

Making sure that your policy meets all the requirements of the evolving data protection landscape means following guidance provided by the Information Commissioner and paying careful attention to the content of the regulations themselves.

A list of what information your privacy policy should contain, and the activities it could cover, can be found in our guide to privacy policies.

This privacy information should be provided to the individual at the time you collect the data.

Is your privacy policy displayed clearly?

We mentioned above the emphasis GDPR places on making information about personal data clear, concise, and straightforward. Even if you provide all of the privacy information required by the rules your privacy policy won’t be truly GDPR compliant if it is not easily accessible. This means:

  • Displaying the policy prominently on your website and giving details of where it can be found on company stationery and related materials. If you intend the policy to appear on smaller mobile devices you must ensure the wording appears clearly in the reduced screen space.
  • Keeping the wording jargon-free. It should be easily understood by those with no background in data protection law and should be set out in an easily digestible way, for example with short paragraphs and clear headings.
  • Where appropriate, you can layer the delivery of the policy (for example providing a summary followed by a link to the full policy wording).

Is a privacy policy required by law?

Articles 13 and 14 of the GDPR set out the privacy information you must provide to individuals when you have obtained their personal data. The articles enshrine the right to be informed, which is fundamental to the whole operation of GDPR. How you provide this information is up to you – but it is certainly a legal requirement, and a data breach could lead to stringent fines and other regulatory intervention. A privacy policy is probably the most effective way to ensure you protect the right to be informed.

You should remember that a compliant and comprehensive privacy policy isn’t just in the interests of individuals. It will also benefit your organisation because it will encourage consumers to trust you with their personal information.

Why is a privacy policy important?

Implementing a GDPR compliant privacy policy means you are being honest and open with individuals about how you use their data. You are also empowering those individuals to exert control over how their data is used.

Privacy policies matter in a number of ways:

  1. The individuals whose data you are processing are normally your customers or clients. From a business perspective it’s crucial to keep them on side. Explaining how you use their data in a frank and easily digestible way will engender their trust and willingness to provide you with data – data that could be critical to the success of your business.
  2. If you process data in a way that’s not transparent you can increase the risk of misuse of the data. This could potentially lead to a data breach (and regulatory intervention) or instances of discrimination or prejudice that could leave your organisation exposed to damaging legal claims. Both regulatory intervention and legal action could significantly harm your commercial reputation.
  3. The exercise of drafting and keeping a privacy policy under review will help you deal with GDPR compliance more broadly. The background work required for an effective privacy policy – data audits for example – will force you to assess and question the way your organisation handles the data it holds.

You can find answers to common queries around compliance in B2B and B2C contracts, marketing and sales processes in our business guide to GDPR compliance.

Can’t you just copy someone else’s privacy policy?

There is certainly a temptation, in certain areas of GDPR compliance including the provision of privacy information, to use online templates or simply copy the policy of another organisation. While it may be possible to use a template privacy policy if you are engaged in only basic, low-volume transactions, we wouldn’t encourage their use in most cases. Here’s why:

  • An effective privacy policy requires careful thought - only you know what information you are processing and the type of individual whose data you are collecting.
  • You will probably have to carry out some form of data audit before finalising your privacy policy to determine how you use the data you hold, how long you hold onto it and who you share it with. Only with these details can you sensibly frame your privacy policy.
  • The data audit should also address issues such as the lawful basis you rely on for processing the data and what rights individuals have in relation to the type of data you hold. Again, these details will inform your policy in a way that a template or copied policy won’t be able to.

What next?

Our data protection solicitors can offer practical advice on how to approach privacy policies and draft tailor-made policies for your organisation. For more advice on GDPR call us on 0800 689 1700, email us at or fill out the short form below with your enquiry.
