
Privacy Policy for Small Business: A Simple Template Guide

Every UK business website needs a privacy policy under UK GDPR. This guide explains exactly what yours must cover and how to get it right.

By Ian Harford. Updated 19 May 2026. 10 min read.

This is not legal advice

This article is for general information only. It is not legal, financial, or tax advice. Consult a qualified professional before making decisions for your business.

If your website collects personal data - even just an email address from a contact form - you are legally required to have a privacy policy under UK GDPR (the UK's data protection law, which came into force after Brexit). For most small businesses, this is not a complex document. But a copied template that does not reflect what your business actually does with personal data is not compliant - and a non-compliant privacy policy can result in ICO enforcement action.

This guide explains what a UK privacy policy must include, where it must appear on your website, and how to use a template safely - without needing a solicitor for most straightforward cases.

What a Privacy Policy Is and Why Your Website Needs One

A privacy policy (also called a privacy notice) is a document that tells people how you collect, use, store, and share their personal data. Under UK GDPR, individuals have a right to know what happens to their data - and you have a legal obligation to tell them.

Personal data means any information that can identify a living person - names, email addresses, IP addresses, phone numbers, and purchase history all count. If your website has a contact form, a newsletter sign-up, an e-commerce checkout, or even just standard analytics tracking, you are collecting personal data and a privacy policy is not optional.

This applies to you even if you don't store data yourself

If you use third-party tools - Google Analytics, Mailchimp, Shopify, a contact form plugin - those tools process personal data on your behalf. You are still the data controller and you are still responsible for telling your website visitors what happens to their data.

The ICO (Information Commissioner's Office) is the UK's data protection regulator. It publishes clear guidance for small businesses and provides free resources to help you comply. The bar for a small business with simple data practices is genuinely achievable without specialist legal help.

What UK GDPR Requires Your Privacy Policy to Cover

UK GDPR Articles 13 and 14 set out the specific information a privacy notice must contain. Article 13 applies when you collect data directly from individuals (a contact form, a sign-up page). Article 14 applies when you obtain data from a third party or another source.

For most small business websites, Article 13 is the relevant one. The law requires you to provide this information at the point of data collection - meaning your privacy policy must be accessible before or at the moment someone submits their data, not buried in a footer link they can only find after the fact.

Data controller vs data processor

A data controller is the person or business that decides why and how personal data is processed - that's you. A data processor is a third party that handles data on your behalf, such as your email marketing platform. Your privacy policy must name both where relevant.

The Eight Sections Every UK Small Business Privacy Policy Must Include

The sections below reflect the disclosure requirements under UK GDPR. A compliant privacy policy for a UK business website needs to address these areas. Skipping any one of them potentially leaves you exposed:

  1. Who you are - Your full business name, trading name, registered address, and contact details. If you have a Data Protection Officer (DPO), include their contact details too - though most small businesses are not required to appoint one.

  2. What data you collect - List every category of personal data your website collects: names, email addresses, IP addresses, payment information, purchase history. Be specific. Vague language like "certain information" is not sufficient.

  3. Why you collect it and the legal basis - UK GDPR requires you to have a lawful basis for processing. The most common ones for small businesses are: consent (the person opted in), contract (you need the data to fulfil an order), and legitimate interests (you have a genuine business reason that does not override the individual's rights).

  4. Who you share data with - Name any third parties that receive or process the data: payment processors, email platforms, analytics tools, delivery companies. Include the country where data is stored if it is outside the UK.

  5. How long you keep data - You cannot keep personal data indefinitely. State your retention periods for each data type, or explain the criteria you use to decide how long to keep it.

  6. Individual rights - Under UK GDPR, individuals have the right to access, correct, delete, restrict processing of, and object to the use of their data. Your policy must explain these rights and tell people how to exercise them.

  7. How to make a complaint - You must direct individuals to the ICO if they believe their data has been mishandled. Include the ICO's website address (ico.org.uk) and confirm they can lodge a complaint there.

  8. How you keep data secure - You do not need to publish technical security specifications, but you must confirm that appropriate technical and organisational measures are in place to protect personal data.

Write it for your actual data practices

Before you finalise any section, ask yourself: does this match what my business actually does? A template that lists "marketing analytics" as a purpose is non-compliant if you do not run marketing analytics. Accuracy matters more than completeness - covering only what you do, correctly, beats a comprehensive template full of activities you do not perform.

Where to Display Your Privacy Policy: Website Placement Requirements

UK GDPR requires that your privacy notice is provided to individuals at the time their data is collected - or before. That means placement on your website is not just a usability decision, it is a legal one.

There are three placements your website should have as a minimum:

  • Footer link on every page - A clearly labelled link titled "Privacy Policy" (not "Legal" or "Terms") in your site footer ensures it is discoverable from anywhere on the site.

  • At the point of data collection - Every form that collects personal data - contact forms, sign-up forms, checkout pages - should include a reference to your privacy policy alongside the submit button. A short line such as 'By submitting this form, your information will be processed in accordance with our Privacy Policy [link]' informs users how their data will be used*.

  • Cookie consent banner - If you use cookies that require consent (analytics or marketing cookies), your consent banner should link directly to your privacy policy and your cookie policy.

The policy must be easy to read and written in plain language - this is an explicit requirement under UK GDPR, not just good practice. Legal jargon and dense paragraphs fail the test.

* Note: If consent is your lawful basis for processing, you will also need a separate, specific opt-in - simply submitting a form does not by itself constitute valid UK GDPR consent.

Using a Template: What to Check Before You Publish It

For most small businesses with straightforward data practices, a well-reviewed template is entirely appropriate. The ICO itself provides a privacy notice generator at ico.org.uk to help small businesses generate a compliant baseline. The risk with templates is not that they are inadequate - it is that founders publish them without checking whether they accurately describe what the business actually does.

Before publishing any template, work through this checklist.

Template review checklist - before you publish

  • Your business name, trading name, and contact details are accurate and complete.

  • Every category of personal data the template mentions is data your business actually collects - remove anything that does not apply.

  • Every purpose listed is a purpose you genuinely use the data for - do not keep purposes that do not match your actual practices.

  • Every third party listed actually processes data for your business - and any processor not listed has been added.

  • Your lawful basis for each processing activity is correctly identified - do not default to "consent" if you are processing under contract or legitimate interests.

  • Retention periods are specified and realistic for your business.

  • The ICO complaint link (ico.org.uk) is included and accurate.

  • If data is stored outside the UK, the relevant transfer safeguards are described.

When a template is not enough

If your business processes special category data - health information, biometric data, ethnicity, religion, and similar sensitive categories listed in Article 9 UK GDPR - or if you carry out large-scale or systematic monitoring of individuals, a standard template will not be sufficient. These cases require more detailed legal analysis and you should seek advice from a qualified data protection adviser.

Cookie Policies: Do You Need a Separate Cookie Policy or Can You Combine It?

A cookie policy and a privacy policy are not the same document - they serve different legal purposes. Conflating them is a common mistake that can leave both incomplete.

Your privacy policy covers how you handle personal data broadly - what you collect, why, how long you keep it, and individuals' rights. Your cookie policy covers the specific cookies your website uses - what each one does, whether it is strictly necessary or optional, and how users can manage or reject it. Cookie use is governed by PECR (the Privacy and Electronic Communications Regulations), which sits alongside UK GDPR. PECR was significantly amended by the Data (Use and Access) Act 2025, with key changes - including new cookie consent exceptions and substantially higher fines (up to £17.5 million or 4% of global turnover) - in force from 5 February 2026.

In practice, small businesses often include a cookies section within their privacy policy rather than creating a separate page - and this is acceptable, as long as both sets of content are genuinely covered. If your site uses a significant number of cookies across multiple categories (analytics, advertising, functionality), a dedicated cookie policy page is cleaner and easier to maintain.

Strictly necessary cookies do not require consent

Cookies that are essential for the website to function - session cookies, security cookies, shopping cart cookies - do not require the user's consent under PECR. You must still disclose them in your cookie policy, but you do not need a consent banner for these alone.

Consent is still required for marketing and advertising cookies. However, since 5 February 2026, some analytics or statistical-purpose cookies (used solely by the website operator to improve the service) and appearance-preference cookies may be exempt from consent if users are given a clear opt-out - check the ICO's updated guidance on storage and access technologies for the current rules.
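To make the PECR distinction above concrete, here is a small consent gate written for this guide (it is an added example, not code from the article or from any named product). It assumes a constructed cookie inventory and an assumed stored-consent format of `category=1;category=0`; strictly necessary cookies are always permitted, every other category is denied until the visitor has opted in, and the banner is only required while some optional category still has no recorded choice.

```javascript
// Added example: a default-deny cookie consent gate.
// Inventory is constructed for illustration; a real site would list its own cookies.
const COOKIE_INVENTORY = [
  { name: 'session_id', category: 'strictly-necessary', purpose: 'Keeps you logged in' },
  { name: 'csrf_token', category: 'strictly-necessary', purpose: 'Protects forms against forged submissions' },
  { name: 'cart',       category: 'strictly-necessary', purpose: 'Remembers items in your basket' },
  { name: '_analytics', category: 'analytics',          purpose: 'Counts page views' },
  { name: '_ads_id',    category: 'marketing',          purpose: 'Personalises adverts' },
];

// Parse the visitor's stored choice. The "analytics=1;marketing=0" format is an
// assumption for this example; only an explicit "1" counts as opting in.
function parseConsent(stored) {
  const consent = {};
  if (!stored) return consent;
  for (const pair of stored.split(';')) {
    const [key, value] = pair.split('=').map(s => s.trim());
    if (key) consent[key] = value === '1';
  }
  return consent;
}

// A cookie may be set when it is strictly necessary (no consent needed under PECR)
// or when the visitor has opted in to its category. Anything else is denied.
function mayUseCookie(cookie, consent) {
  if (cookie.category === 'strictly-necessary') return true;
  return consent[cookie.category] === true;
}

// Names of the cookies the site is allowed to set for this visitor right now.
function allowedCookies(inventory, storedConsent) {
  const consent = parseConsent(storedConsent);
  return inventory.filter(c => mayUseCookie(c, consent)).map(c => c.name);
}

// The banner is needed only while an optional category has no recorded decision.
// A site with nothing but strictly necessary cookies never needs one.
function bannerRequired(inventory, storedConsent) {
  const consent = parseConsent(storedConsent);
  const optionalCategories = new Set(
    inventory.filter(c => c.category !== 'strictly-necessary').map(c => c.category)
  );
  for (const category of optionalCategories) {
    if (!(category in consent)) return true;
  }
  return false;
}

// Cookie-policy disclosure: every cookie is listed, including the ones that need no consent.
function cookiePolicyRows(inventory) {
  return inventory.map(c => ({
    name: c.name,
    purpose: c.purpose,
    consentRequired: c.category !== 'strictly-necessary',
  }));
}
```

Note that a visitor who has declined (`marketing=0`) still counts as having decided, so the banner is not shown again on every page; the disclosure rows, by contrast, always include the strictly necessary cookies, because the section above says they must be disclosed even though they need no banner.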

How Often to Review and Update Your Privacy Policy

A privacy policy is not a one-time document. It needs to reflect what your business actually does with personal data - and as your business changes, so should your policy.

The most common triggers that require a policy update:

  • You add a new third-party tool that processes personal data (a new CRM, email platform, or analytics tool).

  • You start collecting a new category of personal data - for example, launching a new form or expanding your product range.

  • You change what you use existing data for - for instance, starting a newsletter when you previously only processed data for order fulfilment.

  • You begin storing or transferring data outside the UK for the first time.

  • The law itself changes - UK data protection law has undergone significant changes under the Data (Use and Access) Act 2025, with key provisions already in force from 5 February 2026 and further changes due by June 2026. The ICO is actively updating its guidance - check ico.org.uk for the current publication schedule.

A sensible baseline for most growing businesses is a review every 12 months, even if nothing obvious has changed. Add it to your calendar as an annual compliance task. When you do update the policy, add a "last updated" date at the top of the document - this signals to users and to the ICO that your policy is actively maintained.

Notify users when you make material changes

If you make a significant change to how you use personal data - not just a formatting update - best practice is to notify affected individuals directly, typically by email to your list. This is not always a strict legal requirement for minor changes, but it demonstrates good faith and reduces the risk of complaints to the ICO.


Frequently asked questions

Do I need a privacy policy?

Many founders treat a privacy policy as a formality — something to add to a website to tick a compliance box. This misunderstands both the legal basis for the requirement and the practical value a well-written policy provides in building customer trust. Understanding when a privacy policy is required and what it must contain is basic compliance knowledge for any UK business collecting personal data.
A privacy policy is required under UK GDPR whenever a business collects or processes personal data from individuals. It must explain what data is collected, why, what the lawful basis for processing is, how long it will be retained, who it may be shared with, and what rights individuals have. It must be written in clear, accessible language and kept up to date as the business's data practices evolve.
A privacy policy is legally required, not optional, for any business collecting personal data — including through a website contact form, an email marketing signup, or an e-commerce checkout. The absence of one, or a policy that does not reflect actual data practices, creates regulatory and reputational risk. Our guide to writing a privacy policy for UK businesses covers what must be included and how to keep it current.

What is GDPR?

GDPR — the General Data Protection Regulation — changed how businesses in the UK and across Europe are required to handle personal data. Many founders have a general sense that GDPR involves data protection compliance, but fewer have a clear understanding of what it actually requires of businesses or the practical implications for how they operate day to day.
GDPR establishes the rights of individuals over their personal data and the obligations of businesses that collect, store, or process it. It requires businesses to have a lawful basis for processing personal data, to be transparent about how data is used, to store only what is genuinely needed, to keep it secure, and to respond when individuals exercise their rights. In the UK, GDPR has been retained post-Brexit as UK GDPR, with the same core principles applying.
GDPR applies to any business that processes personal data — including holding customer contact details, running an email list, or using website analytics. Scale of data processing affects the specific obligations that apply, but no business is exempt if it handles personal data in any form. Our guide to GDPR for UK businesses covers the core principles and what small businesses need to do to comply.

What is personal data?

Personal data sits at the heart of data protection law, but it is a broader category than many founders initially assume. A common misconception is that personal data is limited to obviously sensitive information such as financial records or medical history. In practice, it covers a much wider range of information, and understanding the definition correctly is the starting point for assessing what obligations apply.
Personal data is any information that relates to an identified or identifiable living individual. This includes names, email addresses, phone numbers, and home addresses, but also IP addresses, location data, device identifiers, and any information that could identify someone alone or in combination with other data. Special categories of personal data — such as health information, racial or ethnic origin, and political opinions — carry additional protections under UK GDPR and require a higher standard of justification to process.
Most businesses process personal data even if they do not think of it in those terms — a customer contact list, an email marketing database, or website analytics all involve personal data. Understanding what data you hold and why is the first step in compliance. Our guide to personal data and UK GDPR helps founders identify what they are processing and what that means for their obligations.

What is a lawful basis for processing data?

One of the foundational requirements of UK GDPR is that businesses must have a lawful reason — a lawful basis — for processing personal data. Simply wanting to use someone's data, or assuming that having received it means you can use it as you wish, is not sufficient. Understanding what the lawful bases are and which applies to a particular type of processing is a prerequisite for compliant data handling.
UK GDPR sets out six lawful bases: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most small businesses, the most relevant are consent — where the individual has actively agreed to a specific use of their data — contract, where processing is necessary to fulfil an agreement, and legitimate interests, where the business has a genuine reason not overridden by the individual's rights. The basis used must be documented and communicated in the privacy policy.
Relying on the wrong lawful basis or failing to document it is one of the most common data protection gaps in small businesses. Consent in particular is often misapplied: it must be freely given, specific, informed, and unambiguous, and cannot be bundled into terms and conditions. Our guide to lawful bases under UK GDPR explains each basis and helps founders identify which applies to their data processing activities.

What are data subject rights?

One of the core principles of UK GDPR is that individuals — referred to as data subjects — have meaningful rights over their personal data. These are legal obligations requiring businesses to have processes in place to respond to requests within defined timeframes. Understanding what these rights are and how to honour them is a practical compliance requirement for any business processing personal data.
UK GDPR grants individuals several rights: access to data held about them, correction of inaccurate data, deletion in certain circumstances, restriction or objection to certain types of processing, and the right to receive data in a portable format. Businesses must respond to valid requests within a defined period without charging a fee in most cases. Refusing a valid request without lawful grounds is a breach of UK GDPR.
The most commonly exercised right is the right of access — often called a subject access request or SAR. Having a process for receiving, verifying, and responding to SARs before they arise avoids delays and compliance risk. Our guide to data subject rights under UK GDPR explains each right in plain terms and what businesses need to do to respond correctly.

Ian Harford
Ian Harford FCIM CMktr is co-founder of GTi Business Systems Ltd and a Chartered Fellow of the Chartered Institute of Marketing. He writes practical UK business guidance for founders and SME owners.