Why does having a privacy policy matter?

A privacy policy is a legal document that explains how your business collects, uses, shares, and protects personal data from clients, customers, and other website visitors. A clear, accurate privacy policy helps avoid regulatory scrutiny, protects your reputation, and gives stakeholders confidence in your compliance.

A well-crafted policy helps reduce risk and helps demonstrate compliance if challenged by the Information Commissioner’s Office (ICO). Additionally, a strong policy helps your business build trust with customers, as they are more likely to engage with your business if they understand how their information will be handled. Finally, it is a legal requirement – UK GDPR and the Data Protection Act 2018 make privacy policies compulsory for nearly all businesses handling personal data.

In the UK, both the Data Protection Act 2018 and UK GDPR require businesses to be transparent about their data processing activities. This is usually achieved through a privacy notice which is commonly published on the website or app.

Essentials of a good privacy policy

  • What personal or sensitive data you collect – e.g. names, emails, phone numbers, IP addresses, payment details, customer lists, employee records.
  • Why you collect it – e.g. customer orders, marketing, analytics, staff management.
  • How you use and share data – clarify whether any data is shared with third parties or cloud providers, whether it is transferred overseas, and how it is protected.
  • Legal basis for processing – you must reference the “lawful basis” under UK GDPR, such as consent, contract necessity, or legal obligation.
  • How you protect data – describe your security measures and retention periods.
  • User rights – explain how people can access, correct, or delete their data, and how to contact you or the ICO.
  • Cookies – if your website uses cookies or tracking tools, you must mention this and provide extra detail in your cookie policy.
  • Avoid legal jargon – ensure customers can read and understand it easily.

The ICO’s guidance on what to include in your privacy notice offers a helpful checklist to help you ensure your policy is both compliant and practical.

Even if your business does not have a website, you are still obliged to follow privacy laws. For example, if you collect data by email, include a link to your privacy policy in your communications; if you communicate with clients by telephone and collect their data over the phone, you have a duty to verbally explain your data practices and tell them where to find your privacy policy.

Consequences of non-compliance

  • Reputational damage: the ICO publishes details of certain enforcement actions. As part of due diligence, a simple internet search easily reveals any enforcement action against you, which can scare away potential customers or investors.
  • Enforcement notices: the ICO can issue enforcement notices requiring you to take specific action.
  • Investigation or fines by the ICO: the ICO has the power to issue fines for serious breaches of up to £17.5 million or 4% of your annual worldwide turnover, whichever is higher.

How can Waterfront help you?

  • Draft privacy policy notice: we can help you identify what kind of privacy policies you need and tailor them to your business needs.
  • Regulatory compliance: we can help ensure your policy is compliant with the regulations and kept up to date.

Want to discuss how we can assist you? Reach out to Andrew Gordon.