What do you need in your Privacy Policy?


Under the General Data Protection Regulations (GDPR) if you request, keep and process personal data you will need a privacy policy.

Although you might not think you do process personal data initially, every business does somehow.

  • If you have employees, you store and process personal data.
  • If you have an enquiry form on your website, you hold and process personal data.
  • If you keep customer records, you hold and use personal data.
  • If you use Google Analytics, you are handling personal data.

It’s pretty safe to say your business will need a privacy policy

The thought of a privacy policy can seem quite daunting. However, the GDPR is progressive legislation. It is not about blinding consumers with science. It’s the complete opposite.

GDPR is about transparency and honesty. It’s about moving away from this ‘cloak and dagger’ world of holding onto personal information.

The Information Commissioner’s Office (IOC) states, in its framework, that privacy policies should be written in easy to understand, human language. It shouldn’t read like a lawyer has written it. It should read like a responsible, open person has written it. (Remember GDPR is about changing business culture around data. Where better to set this change in motion than the privacy policy?)

So when you come to writing your privacy policy you should be answering the following questions truthfully and in layman terms so that it is easily accessible to the reader:

  • What is personal data?
  • What personal data do you collect?
  • How do you obtain this data?
    • Information given by the individual, e.g. enquiry forms, email subscription
    • Information collected from the individual, e.g. cookies, analytics
    • Information from third parties
  • Why do you collect this data?
  • Why can you hold this data?
  • How long you keep this data?
  • Who uses the data?
  • How do we protect your data? E.g. internal systems, secure servers, SSL certificates, a 2-tier password system
  • Who do we share your information with?
  • What rights do you have?
    • Right to be forgotten, e.g. opt-out methods
    • Right to request copies of information
    • How they can request information


Take a look at other privacy policies especially in similar sectors to your own. Market leaders will have put a lot of time into theirs so have a gander at theirs too.


Use the personal data audit you conducted to make sure you include everything you need to.


Add a ‘last updated’ somewhere. Your privacy policy will be a live document, and you will need to amend as and when necessary, providing more evidence of your commitment to GDPR.


Only include the information you need to. If for example, you don’t use Google Analytics don’t mention it. The IOC recommend making it as short as possible.

Related Posts

Get a quick quote
close slider

Get a quick quote

  • We take your privacy seriously and will never pass your details on to third parties. When you contact us we will store your personal details to contact you and to email you updates and offers from time to time in the future.

  • This field is for validation purposes and should be left unchanged.