
What is a Privacy Policy?

If your business processes personal data, you will need a privacy policy. In this article we discuss what this means and how to stay compliant with the UK GDPR.

So, what is a privacy policy?

The UK GDPR sets out seven principles. The first principle states that an organisation must process personal data lawfully, fairly and in a transparent manner in relation to individuals. Those individuals have the right to be informed about the collection and use of their personal data, and providing that information is how you meet the transparency requirement under the UK GDPR.

This information is usually set out in a privacy policy, which should be readily available at the time personal data is collected from an individual. It is a document that explains, in a simple format, why an organisation collects and processes personal data.

The ICO sets out what kind of information a compliant privacy policy should contain:

  • The name and contact details of your organisation
  • The name and contact details of your representative
  • The contact details of your data protection officer
  • The purposes of the processing
  • The lawful basis for the processing
    • consent
    • contractual obligation
    • legal obligation
    • vital interest
    • performance of a public task
    • legitimate interest
  • The categories of personal data obtained
  • The recipients or categories of recipients of the personal data
  • The details of transfers of the personal data to any third countries or international organisations
  • The retention periods for the personal data
  • The rights available to individuals in respect of the processing
  • The right to withdraw consent
  • The right to lodge a complaint with a supervisory authority
  • The source of the personal data
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data
  • The details of the existence of automated decision-making, including profiling

As well as the above, a privacy policy should also explain how an individual can seek recourse should an organisation fail to meet its responsibilities as a controller or processor.

It’s important that a privacy policy explains to individuals how their personal data is being used in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Best practice when drafting a privacy policy is to ask whether a child reading it would be able to understand it.

Our specialist data protection solicitors can assist in drafting a privacy policy that is bespoke to your organisation and ensure that it complies with the UK GDPR.

Why do companies need a privacy policy?

The message is simple: if you are processing someone’s personal data, then they have a right to know about it.

Requirement of law, safeguarding

Article 12 of the UK GDPR requires organisations to provide individuals with information relating to the processing of their personal data.

Articles 13 and 14 of the UK GDPR go on to explain what individuals have the right to be informed about.

Recital 60 further states that ‘information may be provided in combination with standardised icons to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing.’ This means your privacy policy needs to inform your customers about the types of data you’re collecting from them and what you’re going to do with it. It also helps organisations avoid breaching data protection laws.

Third party services

If, for whatever reason, you need to share personal data with another organisation, then individuals need to know about this, unless an exemption applies. You need to tell individuals why you are sharing their personal data. There could be several reasons, such as sub-processing or hosting.

Customers are interested in their privacy

The UK GDPR exists so that individuals can have control over, and rights in respect of, their personal data. So why wouldn’t they be interested? Everyone cares how their personal data is being used and why. With technology now at such an advanced level, and continuously evolving, the risks of identity theft are also greater; an inconvenience that no one wishes to experience. Statistics show that people are more sceptical and wary about how their personal data may be compromised.

The European Data Protection Supervisor reinforces the message of the GDPR, stating: ‘one of the aims of the GDPR is to empower individuals and give them control over their personal data. The GDPR has a chapter on the rights of data subjects (individuals) which includes the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and the right not to be subject to a decision based solely on automated processing.’

What activities could a privacy policy cover?

Article 4(2) of the GDPR defines ‘processing’ as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means...’

Basically, if you are doing something with someone’s personal data, then this should be clearly stipulated in the privacy policy. The definition is so wide that it is likely to cover pretty much everything you could do with data. The examples given in Article 4(2) include ‘collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

I don’t have a business website; do I still need a privacy policy?

The short answer is yes. If you are processing personal data, you still need a privacy policy regardless of whether your business has a website, and it should be provided to the individuals from whom you collect personal data. Difficulties can arise with a walk-in business: you are collecting personal data, but it becomes harder to provide individuals with the privacy policy. The best approach is to provide it anyway, perhaps in paper format, at the time of collecting the data.

Do all websites/apps need a privacy policy?

If you’re collecting personal data, then yes. You should check whether you’re inadvertently collecting personal data, as this is often unclear. Websites and applications frequently collect data via cookies. Cookies are unique identifiers: on their own or combined with other data, they can be used to identify someone. As a result, collecting them is considered personal data collection under the GDPR. A data mapping exercise will help identify the personal data you are collecting from your users, including any third parties that process billing information on your behalf.

If this is the case, then it should be declared in your privacy policy, including links to that third party’s privacy policy.

The Apple App Store Review Guidelines require developers to have a link to a privacy policy. Here we discuss what should be included in an app privacy policy.

Do I need a lawyer to write a privacy policy?

You don’t need a lawyer to write your privacy policy, but you may feel more comfortable having a lawyer draft one for you. Whilst this may seem like an easy task, there is a level of sophistication that goes into creating a GDPR-compliant privacy policy. There are many precedent documents out there, including websites that can help you draft a privacy policy, but do you actually know what personal data you are processing and why? It’s a good idea to ensure that you’re doing exactly what you say you’re doing in your privacy policy. For instance, there are many privacy policies that state personal data is being processed and then go on to list every lawful basis, which may well not be the case. So, whilst you can draft your own, it’s always a good idea to have it checked by professionals.

We can help in mapping exactly what data you or your third parties are collecting, and for what reasons, and ensure this is clearly stipulated within your privacy policy. Getting this wrong can leave you open to financial penalties and reputational damage, with detrimental effects on your business in the long term.

What next?

Please leave us your details and we’ll contact you to discuss your situation and legal requirements. There’s no charge for your initial consultation, and no obligation to instruct us. We aim to respond to all messages received within 24 hours.

Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.
