Updated April 2026. Reflects the UK GDPR + Data Protection Act 2018 as in force, plus the latest ICO guidance on cookies and consent.
Every UK website that collects personal data needs a privacy policy. That’s not a “best practice”: it’s the law. Articles 13 and 14 of the UK GDPR require you to give individuals specific information about how you process their data, in a clear and accessible form, at the point you collect it. Skip it and you’re exposed to ICO enforcement action and the reputational mess that comes with it.
This guide explains what a UK privacy policy actually needs to contain in 2026, the lawful basis question that trips most small businesses up, and how the post-Brexit international transfer rules play out.
Why this isn’t just paperwork
The Information Commissioner’s Office (ICO) is the UK regulator. They publish guidance, audit organisations, take enforcement action and fine non-compliant data controllers up to £17.5 million or 4% of global turnover (whichever is higher). Most small businesses won’t see anything close to those numbers, but the lower end of enforcement (warnings, undertakings, public reprimands) is a regular occurrence and worth avoiding.
More immediately, a missing or sloppy privacy policy:
- Blocks you from using Google Analytics, Meta Pixel, Stripe and similar (their terms require you to publish a compliant policy)
- Triggers complaints from users, which the ICO must investigate
- Makes B2B sales harder (procurement teams check)
- Can void contracts that warrant compliance
The lawful basis question
Under Article 6 of the UK GDPR, every act of processing personal data must rely on at least one of six lawful bases. Pick the wrong one and your processing is unlawful, regardless of what the policy says. The six are:
- Consent: clear, freely given, specific, informed. Used for marketing communications, optional cookies, and similar.
- Contract: necessary to perform a contract with the data subject, or to take steps at their request before entering one. Used for account data, order processing.
- Legal obligation: required by UK law. Used for tax records, employment records, AML checks.
- Vital interests: to protect someone’s life. Rare in commercial contexts.
- Public task: for public authorities. Rare for SMEs.
- Legitimate interests: necessary for your interests, balanced against the data subject’s. Used carefully for fraud prevention, basic enquiry-form responses, internal analytics.
The most common SME mistake: using “consent” as a default for everything. Consent has the highest standard: it must be freely given, specific, informed and unambiguous, and withdrawable at any time. If users can’t reasonably refuse (e.g. you can’t deliver the service without their address), contract is the right basis, not consent.
The second most common mistake: using “legitimate interests” as a fudge. It requires a balancing test (your interests vs. the individual’s rights and reasonable expectations) and you must document the test. Not “we might want to do X someday”, but a specific assessment per processing activity.
What every UK privacy policy must include
Article 13 sets out the mandatory contents when you collect data directly from the data subject. Article 14 adds requirements when you obtain data from another source. The combined list:
- The identity and contact details of the data controller (you)
- Contact details of the Data Protection Officer (DPO) where appointed
- The purposes of processing and the lawful basis for each
- Where the lawful basis is legitimate interests, what those interests are
- Recipients or categories of recipients of the data (analytics providers, payment processors, hosting providers, etc.)
- International transfers and the safeguards applied
- The retention period, or criteria used to determine it
- The data subject’s rights (access, rectification, erasure, restriction, portability, objection)
- The right to withdraw consent (where consent is the basis)
- The right to complain to the ICO
- Whether providing the data is a contractual or statutory requirement, and the consequences of not providing it
- The existence of automated decision-making (including profiling) and meaningful information about the logic involved
Retention periods: the bit most policies fudge
“We will keep your data for as long as necessary” doesn’t satisfy Article 13. The ICO expects specific periods or specific criteria. Reasonable defaults for typical SME data:
- Enquiry data (someone filled in your contact form): 24 months from last contact
- Customer account data: duration of the account plus 6 years (Companies Act 2006 record-keeping)
- Marketing list (consent): until consent is withdrawn, with an annual re-engagement check
- Job applicant data: 6 months for unsuccessful applicants (you may keep longer with explicit consent for future opportunities)
- Employee records: 6 years after employment ends (HMRC and tribunal limitation requirements)
- CCTV: typically 30 days unless an incident requires retention
Document these in the policy. Document them again in your internal Records of Processing Activities (ROPA) under Article 30.
International transfers: what changed post-Brexit
Since the UK left the EU, transfers of personal data outside the UK fall under Schedule 21 to the Data Protection Act 2018 and the Article 46 transfer mechanisms preserved in the UK GDPR. Practical implications:
- Transfers to the EEA: covered by UK adequacy regulations. No extra safeguards required.
- Transfers to the US: the UK Extension to the EU-US Data Privacy Framework allows transfers to certified US recipients without further safeguards. Check the recipient is on the public DPF list.
- Transfers elsewhere: you need either an adequacy decision (limited list: Israel, Canada, Japan, others) or a transfer mechanism such as the International Data Transfer Agreement (IDTA), a UK Addendum to EU SCCs, or Binding Corporate Rules. Plus a Transfer Risk Assessment (TRA).
For most small UK businesses using mainstream cloud providers (AWS, Google Cloud, Stripe, etc.), you can usually rely on the providers’ published data processing agreements, which incorporate the relevant transfer mechanisms. Reference them in your policy.
Cookies: the policy is not the consent
Privacy policy and cookie policy are separate documents under different legal regimes. The privacy policy covers UK GDPR (personal data). The cookie policy covers PECR (the Privacy and Electronic Communications Regulations 2003), which requires consent for any non-essential cookies before they are set.
The ICO has been increasingly aggressive on cookie consent: pre-ticked boxes, consent fatigue patterns (“Accept all” with a hidden “Reject all”), and bundled consent are all enforcement targets. If you set analytics, marketing or functional cookies, you need both:
- A cookie banner that allows opt-in (not opt-out) consent for non-essential cookies, with an equally prominent reject option
- A separate cookie policy that lists the cookies you set, what they do, who else gets the data, and how to withdraw consent
Our UK Cookie Policy template handles the second piece. The banner itself comes from a consent management tool (Cookiebot, CookieYes, or a custom implementation).
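One way to implement the opt-in gating behind such a banner, as an added example that is not code from this article or from any named consent tool; the category names, tag ids and cookie names are assumptions made up for illustration:

```javascript
// Added example, not code from the original article: an opt-in consent gate for
// non-essential cookies under PECR. Category names, tag ids and cookie names are
// assumptions made up for illustration.
const NON_ESSENTIAL = ["analytics", "marketing", "functional"];
function createConsentGate(policyVersion) {
  // Default state: no non-essential category is granted until the user acts.
  let granted = new Set(), decidedAt = null;
  const loadedTags = new Map(); // tag id -> tag, so withdrawal knows what to clean up
  return {
    // Strictly necessary cookies never need consent; everything else is opt-in.
    allows(category) { return category === "essential" || granted.has(category); },
    // Only an explicit user action counts: page load, scrolling or a pre-ticked
    // box cannot produce consent, so there is no "default accept" path.
    record(action, categories = NON_ESSENTIAL, now = Date.now()) {
      if (action !== "accept" && action !== "reject") {
        throw new Error("consent requires an explicit accept or reject");
      }
      granted = new Set(action === "accept" ? categories.filter(c => NON_ESSENTIAL.includes(c)) : []);
      decidedAt = now;
      return this.snapshot();
    },
    // Gate a tag loader: runs `loader` once, and only if the tag's category is allowed.
    maybeLoad(tag, loader) {
      if (!this.allows(tag.category) || loadedTags.has(tag.id)) return false;
      loader(tag);
      loadedTags.set(tag.id, tag);
      return true;
    },
    // Withdrawal drops the category and returns the cookie names set by tags loaded
    // under it, so the caller can expire them via document.cookie.
    withdraw(category) {
      granted.delete(category);
      const cookies = [];
      for (const [id, tag] of loadedTags) {
        if (tag.category === category) { cookies.push(...tag.cookies); loadedTags.delete(id); }
      }
      return cookies;
    },
    snapshot() { return { version: policyVersion, decidedAt, granted: [...granted] }; },
    // A stored choice is honoured only if made under the current cookie policy
    // version; if the list of cookies changed, the user must be asked again.
    restore(saved) {
      if (!saved || saved.version !== policyVersion || !saved.decidedAt) return false;
      granted = new Set(saved.granted.filter(c => NON_ESSENTIAL.includes(c)));
      decidedAt = saved.decidedAt;
      return true;
    },
  };
}
```

The banner UI (with its equally prominent reject control) calls `record("accept", ...)` or `record("reject")`, and every analytics or marketing script is wired through `maybeLoad` so nothing non-essential runs before that call.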
Common UK SME mistakes
1. Copying a US privacy policy. US policies often reference CCPA, opt-out preferences, or “we may share your data with affiliates and partners” language that isn’t UK GDPR-compliant. Use a UK-drafted template.
2. No specific lawful bases. “We process data lawfully” doesn’t satisfy Article 13. State the lawful basis for each purpose.
3. Listing third parties as “trusted partners.” The ICO expects specific named recipients or categories. “Our analytics provider (Google Analytics 4)” is acceptable. “Trusted business partners” is not.
4. Forgetting the ICO complaint right. Every UK privacy policy must reference the right to complain to ico.org.uk. Strict requirement, easy to miss.
5. Not updating it. When you add a new tool that processes personal data (a new email service, analytics platform, payment provider), the policy needs an update. Many policies haven’t been touched since the original GDPR rollout in 2018.
Skip the drafting: UK Privacy Policy template
We maintain a UK GDPR + DPA 2018 compliant privacy policy template. Tailored to your business through a guided wizard (your name, your data, your lawful bases, your retention periods, your third parties) and delivered as an editable Word document plus PDF, ready to paste onto your site. £9.
Generate a UK Privacy Policy – £9 →
If you also need the cookie policy and website T&Cs (most websites do), grab them too: free UK NDA, £9 each for Cookie Policy and Website Terms & Conditions, or unlimited generation at £29/month.
Frequently asked questions
Do I need a Privacy Policy if I only collect emails?
Yes. Emails are personal data. Any UK website with a contact form, newsletter signup, account registration or even basic Google Analytics is processing personal data and needs a privacy notice that meets Article 13.
Do I need to register with the ICO?
Most UK businesses processing personal data must pay the data protection fee to the ICO under the Data Protection (Charges and Information) Regulations 2018. The fee is £40 to £2,900 per year depending on size. Some narrow exemptions exist (e.g. processing only for staff records or accounts). Check at ico.org.uk.
Do I need a Data Protection Officer?
Only if you process special category data (health, biometrics, etc.) at scale, conduct large-scale systematic monitoring, or are a public authority. Most UK SMEs do not. But you should still document why you concluded a DPO is not required.
How often should I update the privacy policy?
Whenever a material change happens: new data processing activity, new third party recipient, change of lawful basis, change of retention period. Even without changes, an annual review is sensible. Date the policy clearly so users can see when it was last updated.
Where should the privacy policy live?
Linked from the footer of every page (universal access) and at the point of collection, next to any form where personal data is submitted. The footer link is non-negotiable; the point-of-collection notice is best practice and increasingly expected by the ICO.
Disclosure: AI Business Kit Docs is our own product. This article is general information, not legal advice; for complex processing (special category data, large-scale profiling, healthcare data) get specialist data protection advice.