A privacy policy is not a formality — it is a legal requirement under GDPR Articles 13 and 14, and it must contain specific information written in plain, clear language. A vague or boilerplate document does not satisfy the law. This guide covers every element your privacy policy must include, with plain-English explanations of why each is required.
GDPR requires your privacy notice to be provided proactively, not buried in a link nobody clicks. Both Articles 13 and 14 apply: Art. 13 covers data collected directly from individuals and must be provided at the time the data are obtained; Art. 14 covers data obtained indirectly (from a third party, a public source or another company) and must be provided within a reasonable period, at the latest within one month, or at the time of first contact with the individual or first disclosure to another recipient if that happens sooner.
1. Who You Are — Controller Identity Art. 13(1)(a)
Your privacy policy must clearly state the name and contact details of the data controller — the organisation responsible for deciding how personal data is used. If you have appointed a Data Protection Officer, their contact details must be included separately.
- Full legal name of your company or organisation
- Registered address
- Email address or contact form URL
- DPO contact details, if you have appointed one (Art. 13(1)(b)); a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring or large-scale processing of special category data (Art. 37)
- If you are established outside the UK/EU but offer goods or services to, or monitor the behaviour of, people in the UK/EU, you must appoint a representative there (Art. 27) and name them in your policy, unless an exemption applies
2. What Data You Collect and Why — Purposes Art. 13(1)(c)
You must explain every purpose for which you process personal data. Generic statements like "to improve our services" are not sufficient. Each purpose must be specific enough that the person reading it can understand exactly what you are doing with their data.
Examples of acceptable purpose descriptions:
- To process and fulfil orders placed on our website, including sending order confirmations and shipping updates
- To send marketing emails to customers who have opted in, using Mailchimp as our email service provider
- To analyse website traffic using Google Analytics to understand which pages are most visited — no personal profiles are built
- To detect and prevent fraud on our payment systems
- To comply with our legal obligation to keep financial records for at least six years from the end of the financial year they relate to (HMRC and Companies Act requirements)
3. Your Legal Basis for Processing Art. 13(1)(c)
For every processing activity, you must state which of the six lawful bases under Article 6 you are relying on. This is one of the most commonly missing elements in UK SME privacy policies.
- Consent — the individual has given clear, specific, informed and freely given consent by an affirmative act (pre-ticked boxes do not count). Must be withdrawable at any time, as easily as it was given.
- Contract — processing is necessary to perform a contract with the individual, or to take pre-contractual steps at their request.
- Legal obligation — you are required by law to process the data (e.g. HMRC payroll records, right-to-work checks).
- Vital interests — to protect someone's life in an emergency. Rarely applicable for most businesses.
- Public task — for public authorities or organisations exercising official functions.
- Legitimate interests — you have a genuine, proportionate reason that is not overridden by the individual's rights. Record a Legitimate Interests Assessment (LIA) before relying on it, and state the interests you are pursuing in the policy itself (Art. 13(1)(d)).
If you process special category data (health, ethnicity, religion, sexual orientation, political opinions, trade union membership, genetic data, or biometric data used to identify someone), you need a lawful basis under Article 6 AND a separate condition under Article 9 (in the UK, often backed by a condition in Schedule 1 of the Data Protection Act 2018). State both in your privacy policy.
4. Who You Share Data With Art. 13(1)(e)
You must disclose every category of recipient that receives personal data. You do not need to name every individual subprocessor, but you must be specific enough to be meaningful. "Third parties" is not acceptable on its own.
- Payment processors (e.g. Stripe, PayPal) — for processing transactions
- Email marketing platforms (e.g. Mailchimp, HubSpot) — for sending newsletters
- Analytics providers (e.g. Google Analytics) — for website analytics
- Cloud hosting providers (e.g. AWS, Vercel) — for storing data
- Accountants or payroll providers — for financial compliance
- Legal advisers — when necessary to obtain legal advice
- Law enforcement or regulators — when required by law
5. Retention Periods — How Long You Keep Data Art. 13(2)(a)
You must state how long you retain each category of personal data, or the criteria used to determine retention. "As long as necessary" without further detail is not sufficient. Example entries for a retention schedule (set your own periods to match your legal obligations and actual needs):
- Customer transaction records — 6 years from the end of the financial year they relate to (HMRC / Companies Act requirement)
- Marketing email list — until unsubscribe, then deleted within 30 days
- Enquiry form submissions — 12 months from last contact, then deleted
- Employee records — 7 years after employment ends
- CCTV footage — 30 days, then overwritten automatically
- Website analytics data — matches the retention setting configured in your analytics tool (e.g. 14 months, the longer of the two standard event-data retention options in Google Analytics 4; the default is 2 months)
6. Your Rights — Eight Rights Under UK GDPR Art. 13(2)(b)
Your privacy policy must inform individuals of all their rights. You must also explain how to exercise them — typically by contacting your DPO or privacy email address.
- Right of access (Article 15) — to request a copy of their data; you must respond within one month, extendable by up to two further months for complex or numerous requests
- Right to rectification (Article 16) — to correct inaccurate or incomplete data
- Right to erasure / right to be forgotten (Article 17) — to request deletion (subject to exemptions)
- Right to restrict processing (Article 18) — to pause processing while a dispute is resolved
- Right to data portability (Article 20) — to receive their data in a structured, commonly used, machine-readable format; applies to data they provided where processing is based on consent or contract and carried out by automated means
- Right to object (Article 21) — to object to processing based on legitimate interests or public task, and an absolute right to object to direct marketing
- Rights related to automated decision-making (Article 22) — not to be subject to solely automated decisions with legal or similarly significant effects
- Right to withdraw consent (Article 7(3)) — at any time, without affecting the lawfulness of prior processing
7. International Transfers Art. 13(1)(f)
If you transfer personal data outside the UK or EU — including using US-based SaaS tools like Mailchimp, Salesforce, or Google Workspace — you must disclose this, name the safeguard you rely on, and tell people how to obtain a copy of it or where it has been made available (Art. 13(1)(f)). The main transfer mechanisms are:
- Adequacy — transfers to countries covered by UK adequacy regulations (made by the Secretary of State, not the ICO; e.g. the EU and EEA) or, for exports from the EU, by a European Commission adequacy decision
- Standard Contractual Clauses (SCCs) — contractual safeguards between the exporter and importer; for transfers from the UK use the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, and carry out a transfer risk assessment
- Binding Corporate Rules (BCRs) — for intra-group transfers within multinational companies
- Data Privacy Framework — transfers to US organisations certified under the EU-US Data Privacy Framework and, for exports from the UK, its UK Extension (the "UK-US data bridge")
8. Right to Complain to the ICO Art. 13(2)(d)
You must explicitly tell people they have the right to lodge a complaint with the Information Commissioner's Office (ICO). Include the ICO's contact details or website address.
ICO contact: ico.org.uk · Helpline: 0303 123 1113. This information must appear in your privacy policy as a right, not hidden in small print.
9. Automated Decision-Making Art. 13(2)(f)
If you make decisions about individuals by solely automated means, including profiling, that have legal or similarly significant effects (automated credit decisions, pricing or eligibility decisions, for example), you must say so, give meaningful information about the logic involved, and explain the significance and likely consequences for the individual (Art. 13(2)(f), read with Art. 22). Marketing segmentation only falls under this heading when it produces such effects; otherwise describe it under your purposes and legal basis.
10. Writing Your Privacy Policy: Practical Tips
- Use plain English — Art. 12(1) requires information to be concise, transparent, intelligible and easily accessible, in clear and plain language, and the ICO enforces this. Avoid legal jargon.
- Use a layered approach — a short summary with expandable detail for each section
- Keep it up to date — review whenever you add a new processing activity, third-party tool or transfer, and inform people before you start using their data for a new purpose (Art. 13(3))
- Version-control your policy — keep dated copies so you can prove what version was live on any given date
- Make it easy to find — link from your footer, your sign-up forms, and your cookie banner
Generate a compliant privacy policy for your website
AlgoGrass scans your site and generates a tailored privacy policy based on what it finds — in minutes, not hours.