How to Write a Privacy Policy for Your UK Website
A privacy policy is a legal document that explains to users of your website what personal data you collect, why you collect it, how you use it, how long you keep it, and what rights they have over it. Under UK GDPR and the Data Protection Act 2018, having a privacy policy isn’t optional — it’s a legal requirement for any website that collects personal data.
Writing a privacy policy doesn’t have to be painful. Here’s what to include and how to make it readable without compromising on legal completeness.
What Your Privacy Policy Must Cover
The ICO specifies the information that must appear in a privacy notice under UK GDPR. At minimum your privacy policy must include: who you are and your contact details (including a Data Protection Officer contact if applicable); what personal data you collect and where it comes from; the lawful basis for each type of processing; the purposes for which you use the data; how long you retain data; who you share data with (including third-party processors such as email marketing platforms, analytics tools, and payment providers); whether data is transferred outside the UK and on what basis; and individuals’ rights under UK GDPR (access, rectification, erasure, restriction, portability, and the right to object).
You must also explain how individuals can complain to the ICO if they’re unhappy with how you’ve handled their data, and — if you rely on consent as your lawful basis for any processing — how they can withdraw that consent.
Writing for Clarity, Not Just Compliance
UK GDPR explicitly requires privacy information to be written in clear, plain language. Legal boilerplate that users can’t understand doesn’t fulfil the transparency principle, even if it covers all the required topics technically. Write as if you’re explaining your data practices to a non-technical user — because you are.
Use plain section headings so readers can find what they’re looking for: “What information we collect,” “Why we use your data,” “How long we keep your data,” “Your rights.” Bullet points work well for lists of data types or rights. Avoid sentences that start with “Whereas the data subject has requested...” — plain English equivalents are not only more readable but also more legally sound.
Consider the layered notice approach recommended by the ICO: a short, clear summary of your key practices at the top of the policy, followed by more detailed information below for users who want to read further. This accommodates both the visitor who wants a quick overview and the one who wants to verify specific details.
Keeping Your Privacy Policy Up to Date
A privacy policy isn’t a one-and-done task. It needs to reflect your actual current data practices — which means updating it when you introduce a new contact form, switch email marketing providers, add a live chat tool, or change how long you retain data. An outdated privacy policy that doesn’t reflect what your website actually does creates legal exposure.
Date-stamp your privacy policy and keep track of major changes. If you make a material change — particularly one that affects how you use data you’ve already collected — notify existing contacts about the update.
Free and paid tools exist to generate privacy policy drafts for UK websites: the ICO’s own guidance, Termly, and iubenda all offer options. Use these as starting points, but always review and customise the output to reflect your actual practices rather than publishing a generic template unchanged.