
Privacy Policy Requirements — What Must Be Included Under UK GDPR

guide 9 min read Updated 2026-03-23

Your privacy policy is the core compliance document under UK GDPR. It’s how you explain to people what you do with their data, why you do it, and what rights they have. A weak privacy policy is worse than no policy at all — it’s actively misleading, which violates the transparency principle.

Most UK SME privacy policies are incomplete. They’re copied from templates and updated minimally, if at all. They don’t reflect what the business actually does with data. This guide walks through the 12 requirements your privacy policy must meet and shows you how to audit your current version against each one.

Why This Matters

The ICO’s enforcement focus has shifted from marketing violations toward security failures, but a privacy policy that doesn’t accurately disclose what you do with data is still a compliance gap. If someone challenges you on what you said you’d do versus what you actually do, a deficient privacy policy is evidence against you.

More practically: customers trust businesses that are clear about data use. A well-written privacy policy signals that you’ve thought this through. A vague, template-heavy policy signals the opposite.

The 12 Requirements

1. Name Your Data Controller

Your data controller is the organisation (usually you) that decides how and why personal data is processed. Your privacy policy must clearly state:

  • Your business name
  • Your business address
  • Your contact email or phone number

What this isn’t: You don’t need to list employees or owners. You’re naming the legal entity processing the data.

Common failure: “We are a digital marketing agency” without saying which agency, where they’re based, or how to contact them.

How to fix it: Start your privacy policy with: “Name: [your business]. Address: [address]. Contact: [email].”

2. Explain What Data You Collect

Be specific. “We collect personal information” is vague. “We collect your name, email address, and phone number through our contact form, your IP address via Google Analytics, and your browsing history via our cookie” is clear.

List every type of data:

  • Direct collection: What people give you explicitly (contact form, signup, account creation)
  • Automatic collection: What your website collects without explicit action (IP address, cookie identifiers, browsing behaviour via analytics)
  • Inferred data: Any data you generate or infer (engagement scores, customer segments)

Common failure: Privacy policies that say “we collect personal data” without specifying what personal data.

How to fix it: Create a table or section listing each data type (name, email, IP address, etc.) and where it’s collected from.

3. Explain Why You Collect It

For each type of data, state the purpose:

  • “We collect your email address to send you our newsletter (with your consent)”
  • “We collect your IP address to understand which countries visit our website (legitimate interest)”
  • “We collect your name and address to deliver your order (contractual necessity)”

The “why” is your lawful basis — the legal reason you’re allowed to process the data. The common lawful bases are:

  • Consent: You asked and they said yes
  • Contract: They’re a customer and you need it to fulfil their order
  • Legal obligation: The law requires you to keep it (tax records, employment records)
  • Legitimate interest: It serves a legitimate business interest (analytics, security)
  • Vital interests: It protects someone’s health or safety
  • Public task: You’re performing a public function

Common failure: No explanation of why data is being collected. A privacy policy that doesn’t link data collection to purpose is incomplete.

How to fix it: For each data type, state the purpose and the lawful basis. “We collect email addresses with your consent to send marketing updates” is clear.

4. Disclose All Third-Party Data Sharing

Every service embedded on your site that processes personal data must be disclosed. This includes:

  • Analytics: Google Analytics, Hotjar, Mixpanel — these see what pages people visit
  • Advertising: Facebook Pixel, LinkedIn Insight Tag, Google Ads conversion tracking
  • Forms and CRM: HubSpot, Typeform, Mailchimp
  • Chat and support: Intercom, Drift, Zendesk
  • Video: Vimeo, YouTube embeds
  • Payment: Stripe, PayPal

For each third-party service, state:

  • The service name
  • What data is shared (e.g., “Google Analytics receives your IP address and pages visited”)
  • The service provider’s privacy policy link

Common failure: Services embedded on the site but not disclosed. Many SMEs use Google Analytics without mentioning it in the privacy policy.

How to fix it: Audit your website for embedded scripts. Create a list of all third-party services. Add each one to your privacy policy with a brief explanation of what data they receive.
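An added example (not part of the original guide, and not Bartram Web's tooling): a small Python script that inventories the external hosts a page loads scripts, iframes, tracking pixels, stylesheets and form submissions from, then flags every host not covered by a domain your privacy policy already discloses. The sample HTML, the site host `www.example.co.uk` and the disclosed-domain set are constructed for illustration; replace them with your own page source and the services your policy names.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which attribute on which tag loads a remote resource or posts data to one.
# Anchor links (<a href>) are deliberately excluded: navigating away is not
# the same as loading a third party into the page.
RESOURCE_ATTRS = {
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
    "form": "action",
}


class ThirdPartyAuditor(HTMLParser):
    """Collects the external hosts a page loads resources from or posts to."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        # host -> set of "tag[attr]" strings recording where it was found
        self.hosts = {}

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        value = dict(attrs).get(attr_name)
        if not value:
            return
        host = urlparse(value.strip()).netloc.lower()
        # Relative URLs, data: URIs and same-site URLs carry no third-party host.
        if not host or host == self.site_host:
            return
        self.hosts.setdefault(host, set()).add(f"{tag}[{attr_name}]")


def host_is_disclosed(host, disclosed_domains):
    """True if host equals, or is a subdomain of, a domain named in the policy."""
    return any(host == d or host.endswith("." + d) for d in disclosed_domains)


def audit_page(html, site_host, disclosed_domains):
    """Return (all third-party hosts found, sorted list of undisclosed hosts)."""
    parser = ThirdPartyAuditor(site_host)
    parser.feed(html)
    found = parser.hosts
    disclosed = {d.lower() for d in disclosed_domains}
    undisclosed = sorted(h for h in found if not host_is_disclosed(h, disclosed))
    return found, undisclosed


# Constructed sample page for this example; hosts and IDs are illustrative only.
SAMPLE_HTML = """
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/static/app.js"></script>
</head><body>
<iframe src="https://www.youtube.com/embed/example123"></iframe>
<img src="https://www.facebook.com/tr?id=000&ev=PageView" width="1" height="1">
<form action="https://hooks.example-crm.net/submit"><input name="email"></form>
<a href="https://twitter.com/example">Follow us</a>
</body></html>
"""

# Domains the hypothetical privacy policy already discloses (constructed).
DISCLOSED = {"googletagmanager.com", "youtube.com"}

if __name__ == "__main__":
    found, undisclosed = audit_page(SAMPLE_HTML, "www.example.co.uk", DISCLOSED)
    for host in sorted(found):
        status = "NOT DISCLOSED" if host in undisclosed else "ok"
        print(f"{host:30} {', '.join(sorted(found[host])):22} {status}")
```

This is a static inventory: it only sees what is in the served HTML. Tag managers and inline loader snippets inject further scripts at runtime, so complement the parse with the browser's network panel on each page template, and re-run the audit whenever a new embed is added so the policy is updated at the same time.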

5. State Data Retention Periods

How long do you keep each type of data before deleting it?

  • “Email enquiries via our contact form: kept for 12 months, then deleted”
  • “Email newsletter signups: kept until you unsubscribe, plus 6 months”
  • “Google Analytics data: deleted after 26 months (Google’s default)”
  • “Customer data: retained for 6 years after purchase (tax requirement), then deleted”
  • “Employee records: retained for 6 years after leaving (employment law requirement), then deleted”

Common failure: “We keep data as long as it’s needed” is vague. What’s “needed”? Without specificity, it’s non-compliant.

How to fix it: For each data type, state a specific retention period. If it’s indefinite, explain why (legal obligation, ongoing business relationship).

6. List Data Subject Rights and How to Exercise Them

People have rights under UK GDPR. You must explain what those rights are and how they can exercise them.

The core rights:

  • Access: They can ask for a copy of all their data
  • Rectification: They can correct inaccurate data
  • Erasure: They can ask you to delete their data (right to be forgotten)
  • Portability: They can ask for their data in a portable format to move to another service
  • Objection: They can object to certain types of processing (notably marketing)

For each right, state:

  • What the right means (in plain English)
  • How they exercise it (email address, form, process)

Common failure: Rights listed but no clear process for exercising them.

How to fix it: Add a section titled “Your Data Rights” explaining each right in plain English. Include a contact email address or form where people can request to exercise these rights.

7. Explain the ICO Complaints Route

Under UK GDPR, people have the right to complain to the Information Commissioner’s Office if they’re unhappy with how you handle their data.

Your privacy policy must include:

  • The fact that they can complain to the ICO
  • The ICO’s contact details (phone, email, website)

Common failure: This is rarely included, but it’s required under Article 13 of UK GDPR.

How to fix it: Add this to your privacy policy: “You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe we have not handled your data fairly. Contact: [ICO phone number], [ICO website].”

8. Disclose Automated Decision-Making

If you use any AI or automated systems to make decisions about individuals (scoring, filtering, ranking, recommendations), you must disclose this.

Examples:

  • You use a scoring system to prioritise customer enquiries
  • You use an AI tool to filter job applications
  • You recommend products based on browsing behaviour

For each automated system, state:

  • That it exists
  • How it works (in simple terms)
  • What the output is used for
  • How the person can object or request human review

Common failure: Most SMEs don’t use complex automated systems, so this often doesn’t apply. But if you do, it’s frequently not disclosed.

How to fix it: If you don’t use automated decision-making, state: “We do not use automated decision-making.” If you do, explain each system.

9. Explain International Data Transfers

If you store personal data outside the UK, state where and under what safeguards.

Examples:

  • “We use Google Analytics, which stores data in the US under Standard Contractual Clauses”
  • “We use Stripe for payments, which processes data in the US under Standard Contractual Clauses”
  • “We host our website on a UK server. No data is transferred outside the UK”

For each transfer, state:

  • Where the data goes (country)
  • Why it’s transferred (service provider location, backup, redundancy)
  • What safeguards are in place (adequacy decision, Standard Contractual Clauses, encryption)

Common failure: Many SMEs transfer data to US services without disclosing this or the safeguards in place.

How to fix it: Review where your data is stored and processed. Add disclosure to your privacy policy.

10. Include Your ICO Registration Number

Most UK organisations processing personal data must register with the ICO. Once registered, you receive a registration number. Include this in your privacy policy.

Common failure: Many SMEs haven’t registered with the ICO or don’t know they need to. If you need to register and haven’t, do this immediately (see Step 8 in the practical guide).

How to fix it: Register with the ICO at ico.org.uk/registration. Once registered, add your number to the privacy policy.

11. Explain DUAA Complaint Handling

The Data (Use and Access) Act 2026 came into force in February and changed how complaints are handled. Your privacy policy must include information about how complaints are handled under the updated DUAA framework.

Specifically, state:

  • That people can lodge complaints with the ICO
  • The ICO’s role in handling complaints
  • The timescale for ICO response (the DUAA introduces new timescales)

Common failure: Policies written before February 2026 don’t include DUAA complaint handling language.

How to fix it: Update your privacy policy to reference the DUAA framework. The ICO website has guidance on what to include.

12. Include a Date

When was this policy last updated? Out-of-date policies are non-compliant. Include the date at the top or bottom.

Common failure: Many policies have no date, or the date is stale (2018, 2020).

How to fix it: Add the date your policy was last reviewed and updated. Review it at least annually.

How to Check Your Current Policy

Go to your privacy policy and check it against this list:

  • Names your data controller with address and contact details
  • Explains all data types you collect (direct, automatic, inferred)
  • Explains why you collect each type (lawful basis)
  • Lists all third-party services that process personal data
  • States retention periods for each data type
  • Explains data subject rights (access, rectification, erasure, portability, objection)
  • Includes the process for exercising data subject rights
  • Includes ICO contact details for complaints
  • Discloses any automated decision-making
  • Explains international data transfers (if applicable)
  • Includes your ICO registration number
  • References DUAA complaint handling framework
  • Is dated and recently updated

If you’re ticking fewer than 10 of these, your policy is incomplete and needs updating.

What’s Next

Use the checklist above to audit your current policy. For each gap, update your policy to add the missing information.

If you want a detailed external audit of your privacy policy against all UK GDPR requirements, Bartram Web screens it as part of a broader website compliance check. We also provide a broader compliance checklist covering 20 items across all GDPR areas — privacy policy is just one part.

Many SMEs benefit from updating their privacy policy once, then reviewing it annually at minimum. If you process new types of data (add a new newsletter, embed a new service), update the policy immediately.

A clear, accurate, complete privacy policy isn’t just a legal requirement. It’s how you build trust with customers. It signals that you’ve thought about their data seriously.

