Many founders treat a privacy policy as a formality: something added to a website to tick a compliance box. This misunderstands both the legal basis for the requirement and the practical value a well-written policy provides in building customer trust. Knowing when a privacy policy is required and what it must contain is basic compliance knowledge for any UK business that collects personal data.

Under UK GDPR, a privacy policy is required whenever a business collects or processes personal data about individuals. It must explain what data is collected, for what purposes, the lawful basis for processing it, how long it will be retained, who it may be shared with, and what rights individuals have over it. It must be written in clear, accessible language and kept up to date as the business's data practices change.

A privacy policy is legally required, not optional, for any business collecting personal data, including through a website contact form, an email marketing signup, or an e-commerce checkout. Having no policy, or a policy that does not reflect actual data practices, creates regulatory and reputational risk. Our guide to writing a privacy policy for UK businesses covers what must be included and how to keep it current.