In the digital age, data privacy is a critical concern for businesses and individuals alike. A key element of any organisation’s data protection strategy is its privacy policy. Whether you’re running a website, an app, or any organisation that collects personal data, UK law requires transparency about how you collect, use, and protect that information. It is therefore important that organisations have in place privacy policies which comply with the relevant regulations.
What is a privacy policy?
A privacy policy outlines how an organisation collects, uses, stores, shares, and protects personal data. It informs users about their rights under data protection law and helps build trust by demonstrating a commitment to privacy and transparency.
In the UK, privacy policies must comply with the UK General Data Protection Regulation (UK GDPR). The UK GDPR imposes a legal requirement to protect individuals’ data; organisations must comply with the regulation and also consider the ethical and appropriate use of data and technology.
Why is a privacy policy important?
Having a clear and compliant privacy policy is essential for:
- Legal compliance: Avoiding adverse publicity and penalties and fines from the Information Commissioner’s Office (ICO).
- To avoid these, it is important to meet the relevant requirements of the UK GDPR. For example, transparency is a key data protection principle: it facilitates the exercise of an individual’s rights and gives people greater control, so your organisation must clearly explain user rights and your data handling practices.
- Customer trust: Demonstrating responsible data practices.
- Being open and honest about how you collect, use, and share personal data builds customer trust. Transparent data practices also support business arrangements, including those with third-party service providers.
What should a compliant privacy policy include?
To meet the legal requirements, your privacy policy should cover the following key areas:
- Who you are – details of your organisation and your Data Protection Officer, if you have one.
- What data you collect – e.g. names, phone numbers, special category data, etc.
- How you collect the data – e.g. forms on your website, cookies, etc.
- Why you collect the data (i.e. your legal basis for doing so) – e.g. performance of a contract or legitimate interests.
- How you use the data – e.g. providing services, marketing, analytics, etc.
- Who you share the data with – e.g. marketing platforms, hosting providers, etc.
- Where you share data – relevant where data is transferred outside the UK, together with the safeguards you have in place for such transfers.
- How long you keep data – i.e. your data retention periods.
Drafting considerations
When creating your privacy policy, it is important to clearly inform users of their rights under the UK GDPR including, but not limited to, the right to access their data, the right to object to processing, and the right to lodge a complaint with the ICO.
In addition, the policy should be drafted in plain language without complex legal terminology, so that it is easy to understand. It should also be easy to find and placed in a prominent location on your website, typically in the footer.
Finally, make sure your privacy policy reflects your actual data practices and business activities. The policy should be tailored to your business and reviewed regularly so that it stays up to date with changes in data protection law and in your business activities.
Please contact us for expert advice in this area or if you would like assistance in drafting or updating your privacy policy.