How to Write a Privacy Policy for Your UK Website

A privacy policy is a legal document that explains to users of your website what personal data you collect, why you collect it, how you use it, how long you keep it, and what rights they have over it. Under UK GDPR and the Data Protection Act 2018, having a privacy policy isn’t optional — it’s a legal requirement for any website that collects personal data.

Writing a privacy policy doesn’t have to be painful. Here’s what to include and how to make it readable without compromising on legal completeness.

What Your Privacy Policy Must Cover

The ICO specifies the information that must appear in a privacy notice under UK GDPR. At minimum your privacy policy must include: who you are and your contact details (including a Data Protection Officer contact if applicable); what personal data you collect and where it comes from; the lawful basis for each type of processing; the purposes for which you use the data; how long you retain data; who you share data with (including third-party processors such as email marketing platforms, analytics tools, and payment providers); whether data is transferred outside the UK and on what basis; and individuals’ rights under UK GDPR (access, rectification, erasure, restriction, portability, and the right to object).

You must also explain how individuals can complain to the ICO if they’re unhappy with how you’ve handled their data, and — if you rely on consent as your lawful basis for any processing — how they can withdraw that consent.

Writing for Clarity, Not Just Compliance

UK GDPR explicitly requires privacy information to be written in clear, plain language. Legal boilerplate that users can’t understand doesn’t fulfil the transparency principle, even if it covers all the required topics technically. Write as if you’re explaining your data practices to a non-technical user — because you are.

Use plain section headings so readers can find what they’re looking for: “What information we collect,” “Why we use your data,” “How long we keep your data,” “Your rights.” Bullet points work well for lists of data types or rights. Avoid sentences that start with “Whereas the data subject has requested...” — plain English equivalents are not only more readable but also more legally sound.

Consider the layered notice approach recommended by the ICO: a short, clear summary of your key practices at the top of the policy, followed by more detailed information below for users who want to read further. This accommodates both the visitor who wants a quick overview and the one who wants to verify specific details.

Keeping Your Privacy Policy Up to Date

A privacy policy isn’t a one-and-done task. It needs to reflect your actual current data practices — which means updating it when you introduce a new contact form, switch email marketing providers, add a live chat tool, or change how long you retain data. An outdated privacy policy that doesn’t reflect what your website actually does creates legal exposure.

Date-stamp your privacy policy and keep track of major changes. If you make a material change — particularly one that affects how you use data you’ve already collected — notify existing contacts about the update.

Free and paid tools exist to generate privacy policy drafts for UK websites: the ICO’s own guidance, Termly, and iubenda all offer options. Use these as starting points, but always review and customise the output to reflect your actual practices rather than publishing a generic template unchanged.

FAQs

Common questions.

Can I use a free privacy policy template for my UK website?

You can use a template as a starting point, but you should always customise it to reflect your actual data practices. A generic template that doesn’t accurately describe what your website does fails the transparency requirement under UK GDPR, even if it covers all the required headings. Review any template carefully before publishing.

Where should I put my privacy policy on my website?

Your privacy policy should be linked from your website’s footer, so it’s accessible from every page. It should also be linked from any form where you collect personal data — your contact form, newsletter sign-up, booking form, and so on. The link text should be clearly labelled: “Privacy Policy” or “Privacy Notice,” not buried in a catch-all “Legal” menu.

How often should I update my privacy policy?

Review your privacy policy at least once a year, and update it immediately whenever you make a change that affects how you collect, use, or share personal data — for example, adding a new analytics tool, switching email providers, or introducing a live chat widget. Keep a record of changes and when they were made.