

Do I need a privacy policy?

If your business processes personal data, having a privacy policy isn’t optional – it’s a legal obligation under UK GDPR and a key part of building trust with your customers. Whether you're collecting customer emails through an online enquiry form, noting names and phone numbers over the phone, or receiving feedback in person, every interaction that involves personal data must be handled transparently and lawfully.

We regularly hear from businesses that launched quickly and now need to backfill essential policies, or from founders preparing for investor due diligence who realise their documentation is out of step with how they handle data. In each case, a clear, accurate privacy policy helps avoid regulatory scrutiny, protects your reputation, and gives stakeholders confidence in your compliance.

This guide explains what your privacy policy needs to include, how to align it with your actual data practices, and when to seek legal advice. If you’re unsure how the rules apply to your business or need help drafting a privacy policy that’s both compliant and practical, our data protection solicitors can help. We work closely with you to ensure that your documentation accurately reflects your operations and supports your broader business objectives.

What is a privacy policy?

A privacy policy is a document that explains how your business collects, uses, stores, and shares personal information. Under UK GDPR, if you act as a data controller, you must provide individuals with detailed, transparent information about your data practices. This is usually done through a privacy notice, commonly published on your website or app, which outlines:

  • What personal data you collect (e.g., names, emails, phone numbers, IP addresses)
  • Why you collect it and how you use it (including sources, such as third parties)
  • How long you keep the data
  • Who you share it with, and why
  • Whether data is transferred outside the UK and how it’s protected
  • The lawful basis for each processing activity
  • Contact details for your Data Protection Officer (if appointed)
  • Whether you use automated decision-making or profiling, and its impact
  • What rights individuals have (access, correction, deletion, objection, complaint to the ICO)
  • How you keep data secure

A generic or outdated privacy policy can expose your business to risk. Your policy must accurately reflect your real-world data practices, be written in plain language, and be updated whenever your processes change. The ICO’s guidance on what to include in your privacy notice offers a checklist for confirming that your policy is both compliant and practical. If children use your services, you must make your policy especially clear and accessible, using icons or interactive elements where appropriate – see the ICO’s guidance on children and the UK GDPR for best practice.

Why does my business need a privacy policy?

If you decide how personal data is processed, you are legally required to provide transparency. A clear, compliant privacy policy not only helps you meet your obligations but also reassures customers that you respect their privacy. Failing to do so can damage your reputation and lead to complaints or regulatory action.

Do all websites and apps need a privacy policy?

Yes. If your website or app collects any personal data (even via cookies or contact forms), you must explain your data processing to users. Publishing a privacy policy is the most practical way to do this. Conducting a data mapping exercise can help you understand what data you collect and ensure your policy is accurate for each collection point. If you distribute apps via app stores, follow their specific privacy policy requirements.

What if my business doesn’t have a website?

You still need to comply with UK GDPR if you process personal data as a controller, regardless of whether you operate online. For example:

  • If you collect customer data over the phone, explain your data practices verbally and provide information on where to find your privacy policy. Document that you’ve given this notice.
  • If you collect data by email, include a link to your privacy policy in your communications.
  • If you collect data in person, provide a printed notice or explain your data practices verbally before collecting information.

Balancing legal requirements with practical business realities can be complex – seek legal advice for the best approach.

Should a lawyer draft my privacy policy?

While it’s not mandatory to use a solicitor, it’s a wise investment, especially if your data collection is complex or varied. A legal expert can help you:

  • Identify what kind of privacy policies you need for different audiences (customers, staff, job applicants).
  • Ensure your documentation is compliant and up-to-date.
  • Adapt your policies as your business or legal requirements change.

A privacy policy that is missing, inaccurate or out of date is itself a breach of the transparency obligations in UK GDPR, and can lead to complaints, regulatory action and reputational damage.

What should I do next?

Making sure your privacy policy is both legally sound and fit for purpose is more than a tick-box exercise. It’s a crucial step in protecting your business, demonstrating accountability, and avoiding costly missteps. Whether you’re launching a new service, adjusting how you collect customer data, or expanding into new markets, your privacy policy should evolve with your business.

If you want peace of mind that your policy is tailored, up to date, and futureproofed, our data protection solicitors can help you build a solid compliance foundation – so you can stay focused on growth while we take care of the legal detail.

About our expert

Lillian Tsang MBA

Senior Data Protection and Privacy Solicitor
Lillian is an experienced data protection and privacy lawyer who qualified in 2008. She advises clients on a broad range of matters, from strategic compliance with a global outlook to day-to-day operations. She also heads Harper James’ DPOaaS (Data Protection Officer as a Service) division, which acts as the external DPO for a business or provides support to existing DPOs.
