Privacy Policy Template for UK Businesses

Q: What must a UK privacy policy include?

Under UK GDPR a privacy policy must include your identity and contact details, what personal data you collect, the legal basis for processing, retention periods, third-party sharing, data subject rights, ICO complaint rights, and whether data is transferred outside the UK.

A privacy policy is a legal requirement for any UK business that collects personal data — including via a website, booking form, or customer records. Get one tailored to your specific business in minutes.

Get Privacy Policy — £15 Get all 6 documents — £39

Instant PDF & Word download · 14-day money-back guarantee

What is a privacy policy?

A privacy policy (also called a privacy notice) is a document that tells individuals how your business collects, uses, stores, and shares their personal data. Under the UK GDPR and Data Protection Act 2018, you must provide this information to anyone whose data you hold.

If you have a website with a contact form, take bookings, collect customer emails, or keep records of any kind, you need a privacy policy. The ICO can issue fines of up to £17.5 million or 4% of global turnover for serious breaches.

What your UK privacy policy must cover

Your identity and contact details as the data controller
What personal data you collect and how
The legal basis for processing (consent, contract, legitimate interests, etc.)
How long you retain data
Whether you share data with third parties
Data subject rights (access, erasure, portability, objection)
The right to complain to the ICO
Whether data is transferred outside the UK

Get your privacy policy today

£15

Single document

Get this document

£39

6 core compliance documents

Essentials plan

Get all 6 documents

£69

10 docs incl. Cookie Policy & SAR procedure

Professional plan

Get all 10 documents

Common questions about privacy policies

Is a privacy policy a legal requirement in the UK?

Yes. Under Articles 13 and 14 of the UK GDPR, businesses must provide individuals with a privacy notice when collecting their personal data. If you have a website or collect customer details in any form, a publicly accessible privacy policy is a legal requirement.

What must a UK privacy policy include?

Under UK GDPR, a privacy policy must include your identity and contact details, what personal data you collect, the legal basis for processing, how long you retain data, whether you share data with third parties, data subject rights, the right to complain to the ICO, and whether data is transferred outside the UK.

Do I need a privacy policy if I don't have a website?

Possibly yes. If you collect personal data in any form — customer names, email addresses, phone numbers, payment details — you must provide a privacy notice under UK GDPR. Without a website you can provide this as a printed notice or via email, but you still need a policy document.

Can I use a free privacy policy template?

Free generic templates are risky because they are not tailored to your specific business. A privacy policy must accurately describe what data you actually collect and why. Using a template that doesn’t reflect your actual practices could itself be a GDPR violation. Our policies are generated specifically for your business.

All 14 UK compliance documents

Privacy Policy Data Protection Policy Data Retention Policy Health & Safety Policy Risk Assessment Employee Privacy Notice Cookie Policy CCTV Policy Data Breach Procedure SAR Procedure Acceptable Use Policy Social Media Policy Fire Safety Policy Lone Worker Policy