Do you need a privacy policy in the UK?
Updated 3 July 2026 · Policy Mind guides
If your business handles any personal data — customer names, emails, delivery addresses, staff records, CCTV footage — then yes. UK GDPR and the Data Protection Act 2018 require you to tell people, clearly and up front, what you do with their data. There is no small-business exemption.
Privacy notice vs privacy policy
People use "privacy policy" loosely for two different documents:
- A privacy notice — the public-facing page that tells customers, visitors and staff what you collect and why. This is the legally required transparency document.
- A data protection policy — an internal document setting out how your team handles data day to day. Not always mandatory, but expected in any business that handles meaningful volumes of data, and it's how you evidence "accountability" under UK GDPR.
What your privacy notice must cover
UK GDPR is specific about the minimum contents. In plain English:
- Who you are and how to contact you.
- What personal data you collect, and what you use it for.
- Your lawful basis for each use (consent, contract, legal obligation, legitimate interests…).
- Who you share it with — including processors like your email or payments provider.
- Whether it leaves the UK, and what safeguards apply if so.
- How long you keep it.
- People's rights — access, correction, erasure, objection — and how to use them.
- The right to complain to the ICO (the UK regulator).
Don't forget the ICO fee and cookies
Most UK organisations that process personal data must also pay the ICO's data protection fee unless exempt — it's a legal requirement separate from your documents, and the ICO does issue fines for not paying. And if your website sets cookies or trackers, PECR requires a cookie notice and consent before non-essential cookies fire — that's a separate document from your privacy notice.
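The "consent before non-essential cookies fire" rule above is the part site owners most often get wrong in code: the banner is shown, but the analytics and marketing scripts have already set their cookies on page load. The snippet below is an added example (not Policy Mind's code, and not a specific consent library) of a minimal consent gate: cookies in the strictly necessary category are set immediately, anything else is queued until the visitor opts in to that category, and a refusal drops the queue so nothing fires later. The category names, the `setCookie` callback and the constructed cookie names in `demo` are assumptions for illustration; in a real page `setCookie` would write to `document.cookie` and the gate would wrap your tag loader.

```javascript
// Added example: a consent gate that holds back non-essential cookies until
// the visitor opts in. Category names and the setCookie callback are
// assumptions; in a browser, setCookie would write document.cookie.

const ESSENTIAL = "essential";

function createConsentGate(setCookie) {
  // Consent state: strictly necessary cookies are always allowed (the PECR
  // exemption); every other category defaults to "not consented".
  const consent = { [ESSENTIAL]: true, analytics: false, marketing: false };
  // Cookies requested before consent was given, keyed by category.
  const pending = { analytics: [], marketing: [] };

  function isAllowed(category) {
    return consent[category] === true;
  }

  // Ask to set a cookie. Essential cookies are set at once; anything else is
  // deferred until the category is consented to. Unknown categories are an
  // error so a new tracker cannot slip past the gate unclassified.
  function requestCookie(category, name, value) {
    if (!(category in consent)) {
      throw new Error("unknown cookie category: " + category);
    }
    if (isAllowed(category)) {
      setCookie(name, value);
      return "set";
    }
    pending[category].push({ name, value });
    return "deferred";
  }

  // Record the visitor's choice. Accepted categories flush their queue;
  // refused categories have their queue discarded so nothing fires later.
  // The choice itself is stored as an essential cookie so the banner is
  // not shown on every visit.
  function recordConsent(choices) {
    for (const [category, allowed] of Object.entries(choices)) {
      if (category === ESSENTIAL || !(category in consent)) continue;
      consent[category] = allowed === true;
      if (consent[category]) {
        for (const c of pending[category]) setCookie(c.name, c.value);
      }
      pending[category] = [];
    }
    setCookie("cookie_consent", JSON.stringify(consent));
  }

  function pendingCount(category) {
    return pending[category].length;
  }

  return { requestCookie, recordConsent, isAllowed, pendingCount };
}

// Constructed walk-through with a plain object standing in for the browser's
// cookie jar: a session cookie, an analytics cookie and an ad cookie are
// requested on "page load"; the visitor then accepts analytics only.
function demo() {
  const jar = {};
  const gate = createConsentGate((name, value) => { jar[name] = value; });
  gate.requestCookie("essential", "session_id", "abc123"); // set immediately
  gate.requestCookie("analytics", "site_stats", "v1");     // deferred
  gate.requestCookie("marketing", "ad_id", "xyz");         // deferred
  gate.recordConsent({ analytics: true, marketing: false });
  return jar; // session_id and site_stats present, ad_id never set
}
```

The design point is that the gate, not the banner, is the control: scripts must route every cookie through `requestCookie`, and the queue is what lets a later "accept" still honour the request without having set anything prematurely.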
Copying a template is where it goes wrong
A pasted template that names the wrong company, lists data you don't collect, or misses what you actually do is arguably worse than nothing — it's evidence you didn't engage with the duty. Your notice has to describe your data flows: what your forms collect, which tools you use, where the data goes.