
Privacy Policy Template for Small Business UK

Do I still need a privacy policy if I’m a small UK business? The continued updates in EU privacy laws and Brexit may have confused you about what you actually need. Seeking a free privacy policy template UK? We’ll cover some of those frequently asked questions and talk templates in this short post. 

Privacy Policy Template for Small Business UK: Post-Brexit GDPR Considerations

The GDPR, which was binding law in the UK until Brexit took effect on Dec. 31st, 2020, is for the most part still applicable in the UK as “UK GDPR”. (Read more about the GDPR and when it applies here.)

We have an article dedicated to GDPR & Brexit – What it means for businesses and the impact on data protection, which you can access here for further reading. 

Is a privacy policy mandatory in the UK?

No matter what size, if your business is based in the UK, you need a privacy policy if you gather personal information from users. This also applies to mobile apps, blogs, ecommerce sites, and newsletters. It’s required by law and may also be required by third-party services.

Meet iubenda’s Privacy and Cookie Policy Generator

Our Privacy and Cookie Policy Generator is the simplest solution to generate your privacy policy in just a few clicks!

Simplifying the process is straightforward: Utilize our Site Scanner to review your website. Incorporate the necessary clauses and create your document. Simply copy and paste to integrate your privacy policy into your website. Furthermore, our Generator isn’t just a static template—it’s backed by a global legal team dedicated to keeping the documents current with legal changes. This allows you to concentrate on your business without the hassle of updates. Interested in experiencing it for yourself?

The following are the most fundamental components of a privacy policy:

  • Who owns the website/app?
  • What information is being gathered? How is that information gathered?
  • What is the legal justification for the collection?
  • What precise reasons are the data collected for?
  • The types of sources from which you obtain personal information on consumers
  • What other parties will have access to the data?
  • Details about cross-border/international data transfers, including any safeguards to ensure their safety and compliance, when relevant.
  • What are the rights of users?
  • Process for informing users and visitors of changes or modifications to the privacy policy
  • The date on which the privacy policy goes into effect

Crafting a Compliant Privacy Policy: Is a Template Enough?

Given the intricacies of privacy regulations, crafting a comprehensive privacy policy template for small business UK entails addressing various factors, including your website’s activities and the geographic location of both your business and its users.

The truth is that the subject of privacy rules is quite complex. As a result, a template for a privacy policy must consider various factors.

That’s difficult to handle when you consider the dozens and dozens of relevant things you may be doing on your site. So… 

How iubenda can help you create a privacy policy

Privacy information must be up to date, comprehensible, unambiguous, and easily available throughout the website to meet GDPR disclosure and transparency standards.

The GDPR can apply to you whether you are based in the EU or have EU users, and the repercussions of non-compliance can be severe. To be compliant, your policy must, at the very least, disclose the personal data gathered and the purposes for which they were obtained, provide an accurate list of all third parties with whom the data is shared, and notify users of their data rights.

See this GDPR-compliant privacy policy created with our generator for an example of how these elements come together.

Privacy Policy Template UK

Privacy Policy of [Your Business]

Effective Date: [Date]

Owner and Data Controller

[Your Business]
[Your Business Address]
[Your Owner Email Address]

Types of Data Collected

[List all the types of data your website collects, by itself or through third-parties. For example:

  • Cookies and tracking technologies;
  • Names;
  • Phone numbers;
  • IP addresses;
  • Email addresses;
  • Browser type and device information;
  • Unique identifiers…]

Methods of Processing

[Describe all the security measures in place to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the data. Mention who can have access to the data, and how processing is carried out e.g. through computers.]

Legal Basis of Processing

[List the legal bases or reasons you have to process data. For example: users have given their consent to one or more specific purposes (which is the most common legal basis for businesses).]

Place of Processing

[Define where data is being processed.]
[Also mention here any data transfers to other countries.]

Retention Time

[This sets a defined period of time for keeping the data. Typically, personal data is processed and stored for as long as required by the purpose it has been collected for.]
[Also mention, if it’s the case, that data will be deleted once the retention period expires. Read this post for best practices on data retention.]

Purposes of Processing by Services (including Third-Parties)

[This is more of a detailed section that lists all the services used on your website (like Google Analytics or Stripe for example) and, for each of them, defines the following information:

  • What the service is: Google Analytics is a web analysis service provided by Google Inc. Google uses the data collected to track and examine the use of this website, to prepare reports on its activities and share them with other Google services.
  • Purpose: Analytics
  • Personal data processed by the service: Cookies, Usage Data
  • Place of processing: United States; Ireland
  • If this constitutes a sale according to US State Laws like CPRA and VCDPA: Yes]

👉 This section can be tricky. This is made easy with iubenda’s site scanner. Simply input the URL of your website and the scanner will automatically identify all the services in use and create a document with all necessary clauses. Each clause includes all the detailed information mentioned above and has been pre-drafted by lawyers.

Users’ Rights

[Users have a number of rights over their data, such as the right to withdraw their consent, access their data, or have their data deleted. You need to list their rights in this section. You’re likely to have to include data subjects’ rights under the GDPR. Also mention how they can exercise these rights (e.g. by contacting the company by email).]

Cookie Policy

This is crucial in case you use trackers on your website. 👉 Not sure? Follow this guide to find out!
[Here you can link to your cookie policy. It should list all the trackers used on your site, what data they collect and for which purposes. Make sure to mention how users can manage their cookie preferences.]
👉 See a cookie policy example here and how to generate your own.

Additional Clauses

[Some additional clauses can include:

  • Legally-required disclosures under the US’ CPRA, VCDPA, or Brazil’s LGPD
  • Statements regarding children’s privacy, e.g. if your website is intended for users under the age of 13, and how you handle their personal information.
  • Changes to this privacy policy; you should explain how you will notify users of any changes and the effective date of the updated policy.]

Latest update: [Date]

⚠️ Note
This is a general and basic privacy policy template and must be customized to fit your specific circumstances and requirements. As mentioned, because these are legally binding documents, we highly recommend consulting with legal professionals or using a generator created by legal professionals to ensure compliance with applicable laws and regulations.

iubenda offers a GDPR privacy policy template UK that embodies these principles, making it easier for businesses to align with legal requirements across different jurisdictions. Our privacy policies are comprehensive, incorporating the necessary clauses for a wide range of regions and services, and adhere to the strictest privacy standards. Customize your policy to suit your specific needs with our easy-to-use generator.

Whether you’re looking for a free website privacy policy template UK, a cookie policy template UK, or a GDPR-aligned solution, iubenda provides the tools you need to ensure legal compliance effortlessly. Our platform simplifies the creation of privacy policies that cater to the specific needs of small businesses in the UK and beyond.

Create Your Privacy Policy with iubenda or explore our solutions to find out how we can help you navigate the complexities of privacy laws with ease.


1. Can I write my own privacy policy in the UK?

Yes, you can write your own privacy policy in the UK. However, it is crucial to ensure that your privacy notice complies with the UK’s data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Your privacy policy should be clear, transparent, and easily accessible, detailing how you collect, use, store, and protect personal data. It should also inform users about their rights regarding their personal data and how they can exercise those rights. Considering the complexity of data protection laws, seeking legal advice or using tailored templates may be beneficial to ensure compliance.

2. How do I write a cookie policy in the UK?

To write a cookie policy in the UK, you should follow the guidelines provided by the Information Commissioner’s Office (ICO). Your cookie policy should:

  • Clearly explain what cookies are and how you use them.
  • List the types of cookies used by your website (e.g., necessary, performance, functionality, and targeting cookies) along with their purposes.
  • Provide information on how users can accept, reject, or manage cookie preferences at any time.
  • Be easily accessible from anywhere on your website, typically through a link in the footer.

The policy should be written in clear and straightforward language to ensure that all users can understand how their data is being used and how they can control their cookie preferences.

3. Does the UK require cookie consent?

Yes, the UK requires cookie consent. According to the Privacy and Electronic Communications Regulations (PECR), which complement the UK GDPR, website owners must obtain explicit consent from users before storing or accessing information on their devices, such as through cookies, except for cookies that are strictly necessary for the provision of the service requested by the user. This consent must be informed, specific, and freely given, which means pre-ticked boxes or implied consent strategies are not compliant. Website owners must provide clear and comprehensive information about the use of cookies and must offer an easy way for users to accept or reject non-essential cookies.