
Free Privacy Policy Template (UK GDPR)

Create a comprehensive privacy policy compliant with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and PECR. Suitable for websites, apps and online services operating in the United Kingdom.


What Is a Privacy Policy?

A privacy policy is a legal document that explains how an organisation collects, uses, stores and shares personal data. In the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 require every organisation that processes personal data to provide individuals with clear, accessible information about its data handling practices.

Privacy policies are essential for any website, mobile application or online service that collects personal information from users in the UK. Whether you gather names and email addresses through a contact form, track browsing behaviour with cookies, or process payment details for transactions, you are legally required to tell individuals what data you collect, why you collect it, how long you keep it, and who you share it with.

A well-drafted privacy policy builds trust with your users and demonstrates your organisation's commitment to data protection. It also helps you comply with the transparency requirements of UK GDPR, reducing the risk of enforcement action by the Information Commissioner's Office (ICO) and protecting your organisation from regulatory fines and reputational damage.

What's Covered in This Template

Doxuno's UK Privacy Policy template covers all the essential elements required under UK GDPR and the Data Protection Act 2018. Each section can be customised to reflect your organisation's specific data processing activities.

Organisation Details: Data controller identity, registered address, DPO and contact information
Data Collection Categories: Types of personal data collected, including identity, contact, technical and financial data
Purposes of Processing: Why personal data is collected and how it is used by your organisation
Lawful Basis for Processing: UK GDPR Article 6 lawful bases, including consent, contract and legitimate interests
Data Retention Periods: How long personal data is stored and the criteria for determining retention
Third-Party Data Sharing: Service providers, processors and other parties who receive personal data
International Data Transfers: Safeguards for transfers outside the UK, including adequacy decisions and SCCs
Individual Rights: Data subject rights under UK GDPR, including access, rectification and erasure
Cookie Policy: PECR-compliant cookie disclosures, categories and consent mechanisms
Security Measures: Technical and organisational measures to protect personal data
Data Breach Procedures: Notification procedures to the ICO and affected individuals within 72 hours
Complaints and ICO Contact: How to lodge a complaint with your organisation and the Information Commissioner

How to Create a Privacy Policy

Creating a UK GDPR-compliant privacy policy requires a clear understanding of your organisation's data processing activities. Our template guides you through each section with clear prompts and explanations. Follow these steps to build a comprehensive privacy policy for your website or business.

1. Enter Organisation Details
Provide your organisation's full legal name, registered address, contact email and website URL. If you have appointed a Data Protection Officer (DPO) or an EU/UK representative, include their contact details. This information is required under UK GDPR Articles 13 and 14.

2. Specify Data Collection Practices
Describe the categories of personal data you collect, such as names, email addresses, IP addresses, payment information and browsing behaviour. Explain how and when data is collected, including through website forms, account registration, cookies, analytics tools and third-party integrations.

3. Identify the Lawful Basis and Retention
Select the lawful basis for each processing activity under UK GDPR Article 6. Common bases include consent for marketing emails, contractual necessity for order processing, and legitimate interests for analytics. Set data retention periods for each category, ensuring you do not keep data longer than necessary.

4. Detail Data Sharing and Transfers
List any third parties with whom you share personal data, including hosting providers, payment processors, email marketing services and analytics platforms. If you transfer data outside the UK, explain the safeguards you have in place, such as UK adequacy decisions, standard contractual clauses or binding corporate rules.

5. Review and Publish
Review your privacy policy for completeness and accuracy. Ensure it covers individual rights under UK GDPR, your cookie practices compliant with PECR, security measures, and data breach notification procedures. Publish the policy prominently on your website, link to it in your footer and cookie banner, and keep it updated as your data practices evolve.

Legal Considerations for UK Privacy Policies

Privacy policies in the UK operate within a comprehensive data protection framework. Understanding the key legislation and regulatory requirements helps you draft a policy that is both compliant and practical for your organisation.

Important: This template is provided for informational purposes and does not constitute legal advice. For complex data processing activities or organisations handling sensitive personal data, consult a solicitor or data protection specialist.

Reviewed by legal professionals. The content on this page and the template clauses have been reviewed by licensed solicitors in England and Wales to ensure accuracy and compliance with current UK data protection legislation.

UK GDPR and the Data Protection Act 2018

The UK General Data Protection Regulation (UK GDPR) is the primary legislation governing personal data processing in the United Kingdom. It was retained in UK law after Brexit through the European Union (Withdrawal) Act 2018 and is supplemented by the Data Protection Act 2018, which provides UK-specific provisions. Together, these laws set out the principles for processing personal data, the rights of individuals, and the obligations of data controllers and processors.

Privacy and Electronic Communications Regulations (PECR)

The Privacy and Electronic Communications Regulations 2003 (PECR) sit alongside UK GDPR and specifically govern electronic communications. PECR requires you to obtain consent before sending marketing emails or text messages, and to inform users about cookies and similar technologies used on your website. Your privacy policy should address your cookie practices, including the types of cookies used, their purposes, and how users can manage their cookie preferences.

Information Commissioner's Office (ICO)

The ICO is the UK's independent supervisory authority for data protection. It enforces compliance with UK GDPR, the Data Protection Act 2018 and PECR. The ICO has the power to issue enforcement notices, impose fines of up to 17.5 million GBP or 4% of annual global turnover, conduct audits, and investigate complaints from individuals. Your privacy policy must inform users of their right to lodge a complaint with the ICO.

Data Breach Notification

Under UK GDPR, you must report certain types of personal data breaches to the ICO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the breach is likely to result in a high risk, you must also notify the affected individuals without undue delay. Your privacy policy should explain your organisation's data breach procedures and how affected individuals will be informed.

Frequently Asked Questions

A privacy policy is a legal document that explains how your organisation collects, uses, stores and shares personal data. Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, any organisation that processes personal data of individuals in the UK must provide clear, transparent information about its data processing activities. Without a privacy policy, your organisation is in breach of the transparency principle and could face enforcement action from the Information Commissioner's Office (ICO).

Privacy policies in the UK are primarily governed by three pieces of legislation: the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR). UK GDPR sets out the core principles for processing personal data and individual rights. The Data Protection Act 2018 supplements UK GDPR with UK-specific provisions. PECR specifically covers electronic marketing, cookies and similar technologies.

A UK GDPR-compliant privacy policy must include: your organisation's identity and contact details, the Data Protection Officer's details (if applicable), the categories of personal data collected, the purposes of processing, the lawful basis for each processing activity, data retention periods, details of any data sharing with third parties, information about international transfers, individual rights under UK GDPR, cookie information compliant with PECR, and how to make a complaint to the ICO.

Yes. Under the Privacy and Electronic Communications Regulations 2003 (PECR), you must inform users about the cookies you use and obtain consent for non-essential cookies. Even if your website only collects data through cookies without forms or user accounts, you are still processing personal data such as IP addresses and browsing behaviour, which triggers the requirements of UK GDPR. A privacy policy is therefore essential to explain your cookie practices and meet your transparency obligations.

Under UK GDPR Article 6, you must identify a lawful basis for every processing activity before it begins. The six lawful bases are: consent (the individual has given clear agreement), performance of a contract (processing is necessary to fulfil a contract), legal obligation (processing is required by law), vital interests (to protect someone's life), public task (for official functions), and legitimate interests (for your or a third party's interests, balanced against the individual's rights). Your privacy policy must state which basis applies to each type of processing.

UK GDPR grants individuals several rights over their personal data: the right of access (to obtain a copy of their data), the right to rectification (to correct inaccurate data), the right to erasure (the right to be forgotten), the right to restrict processing, the right to data portability (to receive data in a portable format), the right to object to processing, and rights related to automated decision-making and profiling. Your privacy policy must explain each of these rights and how individuals can exercise them.

Failing to provide a privacy policy is a breach of the transparency principle under UK GDPR. The Information Commissioner's Office (ICO) can take enforcement action including issuing warnings, reprimands, enforcement notices, and substantial fines of up to 17.5 million GBP or 4% of your annual global turnover, whichever is higher. Beyond regulatory penalties, the absence of a privacy policy erodes customer trust, damages your brand reputation, and may expose your organisation to claims from individuals whose rights have been infringed.

You should review and update your privacy policy whenever there is a material change in your data processing activities. This includes adding new services, changing third-party providers, expanding into new markets, or responding to changes in data protection law. As a best practice, review your privacy policy at least once a year. When you make updates, clearly indicate the date of the latest revision and consider notifying users of significant changes through your website or email.

Create Your UK Privacy Policy Today

Generate a comprehensive, UK GDPR-compliant privacy policy in minutes. Our template covers data collection, lawful basis, individual rights, cookies and security measures for websites and online services.
