Do I need a privacy policy?

If your business acts as a data controller (meaning you decide why and how personal data is used), you will need to provide privacy information to individuals to meet UK GDPR transparency requirements and to build trust with individuals, such as customers and staff. This is commonly done through providing a privacy notice or privacy policy.

This includes telling people how and why you use their data in everyday activities such as collecting customer emails via an enquiry form, taking names and phone numbers, or using analytics and marketing tools on your website or app.

We often see the need for a privacy notice come up when a business has launched quickly and needs to implement a notice in line with actual data use practices, or when founders are preparing for investor due diligence and realise their privacy notice documentation doesn’t match how data is actually handled day to day.

A clear, accurate privacy notice helps demonstrate compliance and accountability, reduces regulatory risk, protects your reputation, and can also reduce friction and present a positive, data-responsible image during enterprise procurement and with key stakeholders.

This article gives examples of what your privacy notice should cover, how to align it with your data practices, and when it’s worth getting legal input.

If you’re unsure how the rules apply to your business or need help drafting a privacy policy that’s both compliant and practical, our data protection solicitors can help.

What is a privacy policy?

A privacy policy (also known as a privacy notice) is a document that explains how your business collects, uses, stores and shares personal information.

Under UK GDPR, if you act as a data controller, you must provide individuals with clear and transparent information at the point you collect their data, and also within strict timeframes when you obtain their data from another source.

This is commonly published on a website or in-app so that it is visible at the point data is collected (e.g. next to contact us or sign-up boxes) and typically covers:

  • who you are (i.e. the identity of the responsible data controller and its full legal name) and how to contact you or your UK representative, if relevant
  • what personal data you collect (e.g. names, emails, phone numbers, IP addresses) and, where relevant, the source of that data, e.g. if you obtained it from third parties, public sources or via automatic technologies like cookies or analytics
  • clear information about any special categories of data you process and why e.g. health data
  • why you collect it and how you use it, clearly indicating each processing purpose
  • the lawful basis for each processing activity (and, where relevant, your legitimate interests)
  • who you share it with, and why
  • how long you keep the data where possible (or how you decide retention periods)
  • whether data is transferred outside the UK and how it’s legally protected
  • contact details for your data protection officer (if you’re required to appoint one, or you’ve chosen to appoint one)
  • whether people can withdraw consent (where you rely on consent)
  • what rights individuals have (e.g. access, correction, deletion, objection, complaint to the ICO and portability)
  • whether providing the data is a legal or contractual requirement, and what happens if they don’t provide it
  • whether you use solely automated decision-making or profiling, and (at a high level) what that means for the person
  • information about how you keep data secure (at a high level)

A generic or outdated privacy notice can create risk - particularly if it doesn’t reflect what your business actually does with data in practice, or if it hasn’t kept pace with product, marketing or supplier changes which impact how you use personal data. The ICO’s guidance on what to include in your privacy notice offers a helpful checklist to help you ensure your policy is both compliant and practical.

However, you need to tailor your notice correctly and think carefully about your audience. If you process data about children, you’ll need to ensure the document has clear and age-appropriate language.

Why does my business need a privacy policy?

If your business decides how personal data is processed, you have transparency obligations under UK GDPR. This means you need to tell individuals why you use their personal data.

Beyond compliance, a good privacy notice reassures customers and can support smoother onboarding with larger clients (who often ask data protection questions as part of procurement). Failing to provide clear information can lead to complaints, reputational damage and, in some cases, regulatory attention or action.

Does my website or app need a privacy policy?

In practice, most websites and apps will need to provide privacy information, because even basic features can involve personal data, for example enquiry forms, account creation, analytics, or marketing and cookie-related tracking. The key point is that users should be able to understand what data is collected about them, why, and who it’s shared with, in a clear and accessible way.

What if my business doesn’t have a website?

You may still need to provide privacy information if you process personal data as a controller, even if you operate offline (for example by phone, email or in person). The practical approach is usually to ensure individuals are signposted to a privacy notice covering all required details (or given a short-form version) at the point you collect their data, in a way that fits your customer journey and the channels you use.

What makes a good privacy policy?

For growing businesses, a privacy notice is most effective when it is:

  • accurate (it matches your real data collection processes, systems and suppliers)
  • usable (written in plain English and easy to find at the right moments as required by the law)
  • complete enough for scrutiny (it stands up to investor diligence and enterprise procurement questions without becoming unreadable)
  • maintained (reviewed whenever the business’s use of personal data changes, not just once a year as a tick-box exercise)

When should you update your privacy notice?

You should review your privacy notice whenever there is a change to how you collect or use personal data, for example:

  • launching a new product feature or customer journey
  • adding new marketing tools, analytics, or customer support systems
  • changing key suppliers who process personal data on your behalf
  • expanding into new markets or introducing international data flows
  • preparing for funding, M&A, or a major enterprise customer onboarding
  • changes in legal rules that affect your processing, such as the new Data (Use and Access) Act 2025

Remember to communicate changes to your privacy policy in a clear and prominent way, e.g. by sending an email notification or an in-app notification.

Legal support is particularly helpful if you:

  • need different notices for different audiences (customers, staff, job applicants)
  • are dealing with higher-risk processing (for example sensitive data, children’s data, or profiling)
  • have international elements (customers, suppliers, group companies or data flows)
  • are under time pressure and need an urgent review e.g. for due diligence, procurement, or a new website or app launch

What should I do next?

A privacy notice is more than a compliance document; it’s part of how you demonstrate accountability and reduce avoidable friction and risk as you scale. If you’re launching a new service, changing how you collect customer data, or preparing for investment, check that your privacy notice is accurate and legally sound, coherent and aligned with how the business actually uses personal information.

If you want peace of mind that your policy is tailored, up to date and futureproofed, our data protection solicitors can help, so you can stay focused on growth while we take care of the legal detail.

About our expert

Lillian Tsang MBA

Senior Solicitor - Data Protection & Privacy
Lillian is an experienced data protection, privacy and AI lawyer, qualified since 2008 (England and Wales). She advises clients on a broad range of matters, from complex data protection issues to strategic compliance with a global perspective, as well as day-to-day operations.
