Do you need a privacy policy and what should it include?

Under the EU General Data Protection Regulation (GDPR) you must provide a privacy notice if you collect, use or process the personal data of European citizens. Individuals have the “right to be informed”, and because the GDPR imposes a transparency requirement, they must be told what personal data organisations process and why. A privacy notice on your website is essential.



To avoid confusion (as I still see a lot of it across the internet): personal data includes any information that relates to an identified or identifiable living individual. It doesn’t matter if an email address is a business email address; it is still personal data if it includes an individual’s name.

Too many businesses have said they do not process data because they do not send any marketing. Processing data isn’t just about the marketing you send. Processing includes collecting, recording, organising, structuring, storing, modifying, consulting, using and destroying data. I am assuming you actually have clients, suppliers, customers or referral partners? In that case you process personal data and by law need to have a privacy notice.

Your Privacy Policy is the legal document that must state how your company or website collects, handles and processes personal data. Your privacy policy lets your website visitors know what type of data you’re collecting and what you’re doing with that data. Be clear on who the policy applies to: employees? Suppliers? Customers? It should also include information about how you’re collecting data, your policy for storing customer data and where the data is being stored.

The elements of a GDPR compliant privacy policy are:

  • Who is collecting the data? Yourself, or maybe a third party?
  • What data is being collected? Be as clear as you can and break it down: if you collect DOBs, tell them. Remember you should only collect data that you ACTUALLY need.
  • Why do you collect personal data? You must also explain why you need that personal data. If it’s to process orders (sounds obvious), tell them. If it’s to respond to enquiries, complaints or general feedback, tell them. If you run a loyalty programme, again, tell them.
  • What is the legal basis for processing the data? Find out which one here …
  • Will the data be shared with any third parties? Do you use a VA, a CRM system or a marketing platform? Examples might include Google Analytics to understand website visitors, or AdSense for personalised advertising.
  • How will the information be used? If you are tracking buying habits to be clever with your marketing, tell them. It could be as simple as providing customer services or enabling access to payment services. You must spell it all out in your privacy policy.
  • How long will the data be stored for? Remember to be specific; holding data forever isn’t OK (I know many do).
  • What rights does the data subject have? These can be found here X
  • How can the data subject raise a complaint? State your complaint process, and be sure to include the ICO’s details as well.

A privacy policy does not need to be complicated. It should be easy to understand and kept as short as possible. Make sure it is linked in the footer of your website so that it is available on every page.



Having a privacy policy does not make you GDPR compliant; a privacy policy is just one legal requirement. A well-drafted Privacy Policy is a good start to handling your customers’ personal data well and will help you put better information protection practices in place. Your business processes must mirror what your privacy policy says to ensure GDPR compliance.