
Privacy Policy (UK GDPR + EU GDPR): What You Need and What Must Be In It

A privacy policy under UK GDPR is the outward-facing document that tells data subjects who is processing their personal data, why, on what lawful basis, and with whom it is shared — the transparency obligation of Articles 13 and 14.

What this policy is

A privacy policy (often labelled “privacy notice” when it faces data subjects) is the primary mechanism by which a controller satisfies the transparency principle in Article 5(1)(a) of the UK GDPR. Articles 13 and 14 set out a closed list of information the controller must provide: Article 13 when personal data is collected directly from the subject, Article 14 when it is obtained from elsewhere. The DPA 2018 supplements these provisions in UK domestic law; Part 3 of the Act layers additional transparency duties for law-enforcement processing and Part 4 does the same for intelligence services, but for the vast majority of controllers, Articles 13 and 14 of the UK GDPR are the operative instrument.

The policy does three things at once. First, it is a legal document: if it fails to cover the Article 13/14 mandatory elements, the controller is in breach regardless of whether anyone has complained. Second, it is a contract-adjacent representation: the statements it makes (for example, that data is never sold to third parties) are enforceable by the ICO and, potentially, by individuals through a compensation claim under Article 82 or the tort of misuse of private information. Third, it is the reference document staff use when answering access requests and regulator correspondence; if the ROPA says one thing and the privacy policy says another, the controller has an internal accountability problem.

It matters because the transparency duty is where ICO enforcement often begins. Inadequate or absent privacy information is among the most frequently cited failings in the reprimands the regulator has published since 2023. Getting this document right is low-cost, high-leverage compliance work.

Who needs one

Any organisation that processes personal data as a controller or joint controller needs a privacy policy. The UK GDPR, like the EU GDPR, applies regardless of the size of the organisation — there is no SME exemption for transparency. Specifically, the obligation attaches to:

  • UK-established controllers processing personal data in the context of that establishment's activities (UK GDPR Art 3(1)), whether the subjects are UK-resident or not.
  • Non-UK controllers offering goods or services to individuals in the UK, or monitoring behaviour of individuals in the UK (Art 3(2)). These controllers must also appoint a UK representative under Art 27 unless the processing is occasional, does not include large-scale special category or criminal offence data, and is unlikely to result in a risk to individuals (Art 27(2)(a)).
  • Employers processing staff personal data — this commonly requires a separate staff-facing privacy notice because the purposes (payroll, HR, performance management) and lawful bases (contract, legal obligation, legitimate interest) differ materially from the customer-facing notice.
  • Processors, by contrast, do not publish a privacy policy in their own right but must support the controller's transparency obligations; their duty is to the controller via the Article 28 data processing agreement.
  • Charities and public authorities are covered identically, with the nuance that public authorities cannot rely on legitimate interests for processing carried out in the performance of their tasks (final sentence of Art 6(1) and Recital 47); they rely on public task under Art 6(1)(e) instead, and the policy must reflect this.

What must be in it

Article 13 (data collected from the subject) and Article 14 (data obtained otherwise) together require the thirteen information elements listed below. If the organisation collects some data directly and some from third parties — the typical pattern — the policy must cover the union of both lists.

  1. Identity and contact details of the controller — full legal name, registered number, address, and a working contact point. Trading names should be clearly associated with the registered entity. For joint controllers (Art 26), state the essence of the arrangement and the single point of contact for rights requests.
  2. Data Protection Officer (DPO) contact, where one is appointed — either because the organisation is a public authority, conducts large-scale systematic monitoring, or processes large volumes of special category or criminal offence data (Art 37). The DPO contact must be reachable by subjects; a shared inbox monitored by the DPO suffices.
  3. Purposes of processing — each distinct purpose must be spelled out (service delivery, marketing, fraud prevention, product analytics). Generic language such as “improving our services” fails because it tells the subject nothing actionable.
  4. Lawful basis for each purpose under Article 6(1): consent, contract, legal obligation, vital interests, public task, or legitimate interests. Where special category data is processed, also the Article 9(2) condition and, for criminal offence data in the UK, the Schedule 1 DPA 2018 condition.
  5. Legitimate interests relied on — where Art 6(1)(f) is the basis, name the specific interest (e.g. “preventing fraudulent account creation”, “direct marketing to existing customers”) so the subject can meaningfully object under Article 21. A bare assertion of “our legitimate interests” is insufficient; the ICO's LIA guidance is explicit on this.
  6. Categories of personal data processed — only required under Article 14 (data obtained from a third party, Art 14(1)(d)) but best practice to include under Article 13 as well, because a subject cannot judge whether the stated purposes are proportionate without knowing what data is actually held.
  7. Recipients or categories of recipients — named processors where practicable (hosting providers, CRM, payment processors) or categories where volumes make naming impracticable. Sub-processors should be described at least categorically.
  8. International transfers and the safeguard relied on — adequacy decision (list the country), UK IDTA, EU SCCs plus the UK Addendum, Binding Corporate Rules, or a derogation under Article 49. Mention how subjects can obtain a copy of the safeguard.
  9. Retention periods — a specific period for each data category or, where that is genuinely impossible, the criteria used to determine it. “As long as necessary” on its own fails the specificity test. See the companion Data Retention Policy guide for defensible schedules.
  10. Data subject rights — access, rectification, erasure, restriction, portability, objection, and (where processing is consent-based) the right to withdraw consent without prejudice. Explain how each is exercised.
  11. Right to lodge a complaint with the ICO (and, for EU-facing processing, the relevant EU supervisory authority). Article 13(2)(d) requires the right to be stated; including the ICO's contact details is the practical way to make it exercisable.
  12. Source of data where not obtained from the subject — required by Article 14(2)(f). Name the source or the category of source (e.g. “publicly accessible Companies House filings”, “data brokers in our enrichment supply chain”).
  13. Automated decision-making and profiling with legal or similarly significant effects — disclose the logic involved, the significance, and the envisaged consequences (Art 22). This is the clause that catches out credit-scoring, insurance-underwriting and AI-driven hiring.

In addition, where consent is the lawful basis, the policy should explain how to withdraw it and confirm that withdrawal does not affect prior lawful processing (Art 13(2)(c)). Article 13(2)(e) also requires stating whether providing the data is a statutory or contractual requirement, or necessary to enter into a contract, and what happens if the subject does not provide it. Where children's data is processed on the basis of consent in the information society service context, the UK age of digital consent is 13 (Article 8 UK GDPR as modified by section 9 DPA 2018), which should be stated.

Common pitfalls

1. Hiding the lawful basis behind generic language

Writing “we process your data based on our legitimate interests and applicable law” is not a lawful basis statement. Each purpose needs its own basis, and legitimate interests need the specific interest identified. The ICO has repeatedly reprimanded controllers for this.

2. Listing every possible recipient instead of the actual ones

A common lawyer-drafted notice includes phrases like “we may share your data with insurers, auditors, professional advisers, and any other party we consider appropriate”. The Article 13(1)(e) duty is to disclose actual recipients or categories thereof — not a fictitious universe. If you have never shared data with an insurer, do not list insurers.

3. Omitting the transfer safeguard

Merely stating “your data may be transferred internationally” is insufficient. The safeguard relied on (UK IDTA, adequacy, SCCs plus Addendum, BCR, or Art 49 derogation) must be named, along with a means of obtaining a copy. This single omission is one of the most reliable markers of a non-compliant notice.

4. Using an indefinite retention period

“We retain data for as long as necessary to fulfil the purposes set out in this notice” provides the subject with no information. Either state the period or the criteria, ideally by reference to the statute that drives it (e.g. “accounting records for six years from the date they are made, per section 388 Companies Act 2006 for a public company” or “six years from the end of the accounting period, in line with HMRC record-keeping requirements for company tax records”).

5. Not updating the notice when processing changes

A new payments provider, a new analytics tool, or a new AI feature all change either the recipients or the purposes. If the notice does not change, the representation to the subject has become false.

6. Failing to mirror employee and customer notices

Most organisations need two (or more) notices: one for customers or website visitors, one for staff, one for applicants. The purposes and lawful bases diverge sharply. A single “one size fits all” notice fails to address any audience specifically and is hard to defend on accountability.

7. Forgetting the Article 22 automated-decision disclosure

If the organisation uses algorithmic scoring, credit decisions, fraud-detection models, or AI in hiring to make decisions that are solely automated and have legal or similarly significant effects, Article 22 applies and Articles 13(2)(f) and 14(2)(g) require disclosure. The notice must describe the logic involved — at a level meaningful to a lay reader — the significance, and the envisaged consequences. Models that only feed a human decision-maker fall outside Article 22, but the notice should still describe them as profiling. Omitting this is a growing source of ICO attention as AI adoption rises.

Framework mapping

The same privacy notice typically satisfies multiple framework obligations, provided each element is present.

Privacy notice requirements across regulations

Framework               | Reference               | What it requires
UK GDPR                 | Articles 13 & 14        | The transparency elements listed under “What must be in it” above; Art 13 for first-party collection, Art 14 for indirect.
EU GDPR                 | Articles 13 & 14        | Materially identical to UK GDPR; the EU supervisory authority must be named as complaint route for EU-facing processing.
Data Protection Act 2018 | Sections 9, 14 & 44    | UK-specific provisions: the age of digital consent (13, s.9), safeguards for automated decisions authorised by law (s.14), and law-enforcement transparency duties (s.44).
ICO “Right to be informed” | Guide to the UK GDPR | Regulator's guidance on concise, transparent, intelligible and easily accessible notice drafting.
ISO/IEC 27001:2022      | Annex A.5.34            | Privacy and protection of personally identifiable information; the notice is evidence of the PII protection control.
ISO/IEC 27701:2019      | Clauses 7.3.2 & 8.3.1   | Information to PII principals (for controllers) and obligations to PII principals discharged via the customer (for processors).

How it fits with other policies

  • Data Retention Policy — the retention periods published externally must match the internal schedule. Mismatches are the commonest accountability failure at audit.
  • DSAR Procedure — the rights description in the notice promises a process that the DSAR procedure must actually deliver within one calendar month (extendable by up to two further months for complex or numerous requests, Art 12(3)).
  • Cookie Policy — governs the PECR-based consent for non-essential cookies; usually a companion document rather than a section of the main notice.
  • Incident Response Plan — the policy commits the controller to notify the ICO of a reportable breach without undue delay and where feasible within 72 hours (Art 33), and affected subjects without undue delay where the breach is likely to result in a high risk (Art 34); the IR plan is how that commitment is operationalised.
  • Records of Processing Activities (ROPA) — internal Article 30 record that must be consistent with the external notice on purposes, categories, recipients and transfers.
  • Marketing Consent Policy — where consent is relied on under PECR for electronic marketing, this operational policy must reflect the withdrawal route stated in the privacy notice.

Frequently asked questions

Is a privacy policy the same as a privacy notice?

In everyday use the terms are used interchangeably, but strictly they refer to different things. A privacy notice is the outward-facing document you publish to data subjects (website visitors, customers, employees) to satisfy the transparency duties in Articles 13 and 14; the ICO's guidance speaks of “privacy information” and “privacy notices”. A privacy policy is sometimes used internally to describe the organisation's own data-handling rules. Most SMEs publish a single document that serves both purposes. What matters is that the document given to data subjects contains every element Articles 13 and 14 require.

Does my small business really need one if we only use a contact form?

Yes. Article 13 of the UK GDPR applies whenever personal data is collected from the subject, regardless of organisation size. A contact form collecting a name and email address triggers the obligation. There is no small-business exemption in the UK GDPR or EU GDPR. The only relevant carve-out is for processing in the course of a purely personal or household activity (Art 2(2)(c)), which does not cover business activity.

How often should we review our privacy policy?

At least annually, and whenever your processing changes materially (new lawful basis, new category of data, new supplier, new international transfer, or a new product feature). The ICO does not prescribe a frequency, but Accountability under Article 5(2) requires you to demonstrate ongoing compliance, and a stale policy is evidence to the contrary. Many organisations review in January alongside the ROPA.

Do we need separate policies for UK GDPR and EU GDPR?

Usually not. The two regimes diverged on 1 January 2021 but the Article 13/14 transparency duties remain virtually identical. A single combined notice works if it names both the ICO and the relevant EU supervisory authority as complaint routes, describes the UK representative (if you are an EU-only controller reaching UK subjects) or EU representative (if vice versa) under Article 27, and references the UK IDTA as well as EU SCCs for transfers. Diverge into two documents only if your UK and EU-facing businesses are materially different.

What happens if the policy is incomplete?

The ICO's public enforcement register shows that missing or inadequate transparency information is one of the most common regulatory findings. Remedies range from reprimands (most common for a first finding) through enforcement notices to monetary penalties under Section 155 of the Data Protection Act 2018. The maximum fine is the higher of GBP 17.5 million or 4% of global annual turnover. In practice, deliberate concealment or sustained disregard tends to attract fines; honest omissions usually attract reprimands with remedial deadlines.

Ready to implement this policy?

PolicySuite's EU Platform & E-Commerce Compliance pack includes a UK GDPR + EU GDPR privacy notice pre-drafted for your jurisdiction and industry, along with cookie, DSAR, data retention and transfer-mechanism policies.

£400 one-off · 12 policies