Privacy Policy Template UK: Complete Drafting Guide (2026)

★★★★★

"Chris helped me draft the perfected grounds for appeal and the skeleton argument. All were submitted."

— Regine from Wembley

A privacy policy is not a decoration. It is a statutory document. Under the UK GDPR and the Data Protection Act 2018, any organisation that processes personal data must tell data subjects, in clear language, exactly what it does with that data and why. Get it wrong and you face ICO enforcement, civil claims, and loss of customer trust.


When Do You Need a Privacy Policy?

If you process the personal data of any living UK individual, you need a privacy policy. Articles 13 and 14 UK GDPR apply whenever you collect data, whether directly from the data subject (Article 13) or indirectly from another source (Article 14).

Triggers: website with cookies/analytics, payments, mailing list, employees, CCTV, contact forms, social media ads, supplier contacts, sharing with processors.

What It Involves


A public-facing notice satisfying the Articles 12–14 transparency obligations. It is not the same as the internal Record of Processing (Article 30), a DPIA (Article 35), or an employee privacy notice. It must be concise, transparent, intelligible, accessible and in plain language. Children’s data: the notice must be understandable by a child.

Costs

No fee to publish. The ICO data protection fee is payable annually unless you are exempt. 2026 tiers: Tier 1 micro £52, Tier 2 SME £78, Tier 3 large £3,763.

How to Draft — Step by Step

1. Identify Controller (and DPO if required)

Full legal name, trading name, company number, registered address, contact email. Joint controller: describe arrangement. DPO required under Article 37: public authorities, core activities involve regular systematic large-scale monitoring, or large-scale special category processing.

2. Categories of Personal Data

Identity (name, title, DOB), contact (email, address, phone), technical (IP, browser, device), usage (pages, duration), marketing (preferences), transaction (purchases, payment metadata), special category if applicable. Be specific.

3. Purposes

For each category, why you process. Specific, explicit, legitimate (Article 5(1)(b)). Common: fulfilling contracts, payments, account administration, support, marketing, analytics, compliance, fraud prevention.

4. Legal Basis (Article 6)

  • Consent — freely given, specific, informed, unambiguous, withdrawable
  • Contract — necessary to perform contract with data subject
  • Legal obligation — UK statutory duty
  • Vital interests — protect someone’s life
  • Public task — public authorities only
  • Legitimate interests — balanced via LIA

State basis against each purpose.

5. Special Category Data (Article 9)

Health, race, political, religious, trade union, genetic, biometric, sex life, sexual orientation. Needs Article 6 basis AND Article 9 condition. Criminal offence data under Article 10: DPA 2018 Schedule 1 bases.

6. Recipients and Processors

Categories of recipients — payment processors, email providers, cloud hosts, analytics, professional advisers, regulators, law enforcement on lawful request.

7. International Transfers

If data leaves UK: state where, transfer mechanism. Adequacy decisions, UK IDTA, UK Addendum to EU SCCs, BCRs, UK Extension to EU-US DPF. Carry out Transfer Risk Assessment.

8. Retention Periods

How long each category kept or criteria. “As long as necessary” alone insufficient. HMRC records 6 years, employment records 6 years, marketing until withdrawn, CCTV 30 days, contracts 6 years under Limitation Act 1980.

9. Data Subject Rights

  • Right of access (Article 15) — SAR
  • Rectification (Article 16)
  • Erasure (Article 17)
  • Restriction (Article 18)
  • Portability (Article 20)
  • Object (Article 21) — absolute for direct marketing
  • Automated decision-making (Article 22)
  • Withdraw consent (Article 7(3))
  • Complain to ICO

10. Exercising Rights

How to exercise, to whom, timeframe. Default: 1 calendar month. Extendable by 2 months for complex/numerous with notice in first month. Proportionate ID verification permitted.

11. Cookies (PECR 2003)

Strictly necessary: no consent. Analytics, functional, marketing: prior informed consent via compliant banner. Pre-ticked boxes not consent. Link to cookie policy or include schedule listing cookie, provider, purpose, duration.

12. Children’s Data

Article 8 UK GDPR: minimum age for consent is 13 in UK. Parental consent below. Age Appropriate Design Code (15 standards). Adult audience: say so, do not collect children’s data.

13. Breach Notification

Article 33: 72 hours to ICO from awareness where risk to rights/freedoms. Article 34: without undue delay to data subjects where high risk. Keep breach log even for non-notifiable.

14. Right to Complain and Version Control

ICO (Wycliffe House, Water Lane, Wilmslow SK9 5AF; 0303 123 1113). Encourage raising with you first. Version number, “last updated” date, how material changes communicated.

Key Deadlines

  • Breach to ICO: 72 hours from awareness
  • Breach to data subjects: without undue delay if high risk
  • Rights requests: 1 month, extendable by 2 months
  • ICO fee: annually on anniversary
  • Policy review: at least annually
  • Compensation claims: 6 years under Limitation Act 1980; 1 year for misuse of private information

What Happens After You Publish

Publication starts the duty; it does not end it. Keep the policy accurate: an outdated policy is worse than none. Flag the review date. Material changes: update and communicate; silent edits are not transparent.

Read by: regulators on complaint, procurement teams, journalists on breach, claimants’ solicitors. Write as if each will read it with a red pen.

Common Mistakes

  • Copy-paste from competitor — ICO spots templates
  • Single legal basis across everything
  • Vague retention without criteria
  • Silent international transfers
  • No cookie schedule
  • Forgetting employees need separate privacy notice
  • Missing ICO fee
  • Never updating — 2019 policy citing EU GDPR tells regulator you stopped caring

The Rules That Apply

  • UK GDPR — retained EU regulation as amended
  • Data Protection Act 2018 — Schedules 1, 2, Part 3
  • PECR 2003 — cookies, electronic marketing
  • Age Appropriate Design Code 2020
  • ICO enforcement — monetary penalties up to £17.5 million or 4% global turnover

How Chris Can Help

Chris drafts to ICO’s transparency standard. You tell Chris about your business — what you sell, tools, storage, processors — Chris produces section-by-section policy with correct Article 6 bases mapped to purposes, cookie schedule, transfer disclosures, plain-English rights.

Chris does not give legal advice. You remain controller. Unusual business (health data, children, multi-jurisdictional): Hybrid (£1,000) adds reviewer sign-off.

7-day money-back guarantee. We refund. We are miracle-makers, not miracle-workers.


FAQ

Do I need one if sole trader?

Yes, if you process any personal data. UK GDPR applies regardless of structure.

Copy competitor policy?

No. Their processing not yours. Regulator notices within minutes.

Privacy policy vs cookie policy?

Privacy policy covers all processing. Cookie policy specifically for cookies under PECR 2003. Combined or separate, both published.

SAR response time?

1 calendar month. Extendable by 2 months for complex with notice in first month.

Non-compliance fines?

Up to £17.5 million or 4% global turnover, whichever higher. Lower tier: £8.7 million or 2%. Most enforcement starts with information notices and reprimands.

Need a DPO?

Only if public authority, core activities = large-scale regular systematic monitoring, or large-scale special category/criminal offence processing.

Legitimate interests for marketing?

Marketing to existing customers by post, or emailing them about similar products under the soft opt-in (PECR reg. 22(3)): yes, with an easy opt-out. Cold B2C electronic marketing: consent required. Run a documented LIA.

If I have a data breach?

Contain, assess risk, notify ICO within 72 hours if risk to rights/freedoms. If high risk: notify affected data subjects without undue delay. Log every breach internally.
