Wondering if you can grab a Privacy Policy template and publish it on your website? You could do, but this is unlikely to reflect how your business uses data, so will be misleading to those who read it. Many organisations are unaware that it is a legal requirement to publish a privacy policy on a website.

In this article, we reveal why and the content your Privacy Policy must now include to satisfy the GDPR.

A privacy policy is one of the most important documents on any website and reflects the emphasis on transparency – individuals have a right to be informed about the collection and use of their data. The privacy policy is also a legal requirement, disclosing most, or all of the ways in which an organisation collects, uses and stores the personal data of its customers, prospects and especially visitors to its website.

Faced with the challenge of achieving a demonstrable level of compliance, many business owners want to know if they can get by with a Privacy Policy template for their website as a simpler and easier means to meet their legal obligations. So, is a template ever enough?

The answer is yes – however only as a template and it relies upon the layout of the template also reflecting your individual processing activities. If the template you use is missing key sections, then it won’t allow you to detail important elements of your use of personal data.

What should a website’s Privacy Policy include?

Before the GDPR, privacy policies had to include the following information:

  • What information you collect
  • How you collect it
  • What you use it for
  • How you keep it secure
  • Whether you share it
  • Any controls users have over any of the above

The ICO has published a privacy notice checklist to help you comply with the GDPR if you are reviewing the content of your own policy. You should ensure plain and clear language is used – and importantly – it is written for the audience it is intended.

Privacy policies must still include the detail above, however, there is a much greater emphasis on transparency with required information now including:

  • The name and contact details of the organisation (information on the data controller)
  • The name and contact details of the data protection representative (DPO) if you have one.
  • What data you collect in which designated areas – is, as part of your online activities.
  • How personal data is collected
  • The purpose of the processing (what you use it for)
  • The lawful basis of the processing (of which there are six lawful bases)
  • How you keep personal data secure
  • Who you share the personal data with (details of third parties)
  • How long you retain the data (retention periods)
  • The rights of the data subjects – these are far more detailed under the GDPR than the DPA 1998.

As the above detail suggests, using a templated privacy policy, or one lifted from another organisation could mean important information on your processing activity is left out, so compromising the transparency principle of the GDPR.

We have detailed some of the important elements of the GDPR below.

Data controller information

The data controller is the person (either alone, or jointly with others) who determines the purposes for which and the manner in which any personal data are, or will be processed. You are solely responsible for the protection of this data.

If you are classified as a data controller under the GDPR, you must identify yourself by supplying the registered name of the organisation / company and the full address of your registered office. You must also supply your ICO Registration Number – this is also a legal requirement. This information should be at the top of your privacy policy.

Individual rights

Your Privacy Policy must inform the user about their individual rights, which are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights related to automated decision making and profiling

This can be achieved using the format above, using a longer more descriptive clause, or in a heading titled ‘Your rights’ with a paragraph specific to your business use.

It is good practice to explain to your users the procedure for exercising their rights and how you will deal with their requests.

Data processing operations

If the business in question is a processor of data and personal information, the most important part of that business’s Privacy Policy is the list of operations it carries out. These must be described in detail in a comprehensible way.

For each processing operation, the purpose must be disclosed. This means, simply, that the purpose of you processing their information must be made known to the user. You must also inform the user of the legal basis you have to process the data. This is all about keeping your user informed about how their data is going to be used.

Data retention periods

Under the GDPR, you have a specific obligation to inform your users about the length of time you will keep their data. In your Privacy Policy, you needn’t go into detail about this, other than specifying what the standard practice is for your organisation. It’s important to remember that under the GDPR, you may not keep data any longer than is necessary for the purpose it will be used for. This is specified in principle (e).

Data Protection Officer (DPO)

As detailed in Article 37 of the GDPR, some businesses are required by law to have a designated Data Protection Officer if the processing activities involve certain types of data – mainly special categories of data, or large-scale processing activities.

If your business has a Data Protection Officer (DPO) your privacy policy must provide information on how to contact this person. At a minimum, this information must include the DPO’s address, telephone number and email address, although not the DPO’s name who can be titled as “The Data Protection Officer”.

Under the GDPR, some businesses are required by law to have a designated Data Protection Officer if the processing activities involve certain types of data – mainly special categories of data, or large-scale processing activities.

If your business does not have a Data Protection Officer, you can include contact information for privacy complaints. This should be a separate email address, but you can use your regular physical business address for postal complaints.

Third party disclosure

The GDPR requires you to be fully transparent about how personal data is handled, which means disclosing who the third parties are who you share data with.

This includes any third party who has access to your data for a purpose. If a third party uses the information you collect, you must clearly state this in your Privacy Policy, and if consent is required, you must request it through lawful means.

The most obvious example here for webmasters is Google Analytics, or an online payment processor like Paypal or Stripe. These would need disclosing in your Privacy Policy under the heading ‘third party disclosure’ so the information is easy to find.

It’s important we point out that any third-party disclosure that leaves out who the third parties are is useless and not legally binding. Under the Data Protection Act 2018, your users have the legal right to know who has access to their data and it is your responsibility to disclose that information in your Privacy Policy.

Plain and clear language

Last but not least, your Privacy Policy must be written plainly and clearly. You should not muddle it with legalese, because after all, it should be written for the audience it is intended for.

It is also good practice to itemise your Privacy Policy with jumpable navigation to simplify user experience.


The Information Commissioners’ Office (ICO) Privacy Notice is an excellent example of this, allowing the user to jump to relevant sections at a click.

So, in answer to our original question, yes you can use a Privacy Policy template for your business, but do you know how to dissect your processing activities to be able to interpret these in sufficient detail on the policy? Very often it’s worthwhile enlisting the help of a specialist to help you understand your processing activities and ensure you create a robust policy that covers every conceivable detail to avoid the issues of vagueness and non-compliance.