UK GDPR compliant

GDPR Privacy Policy Template for UK Businesses

Every UK business that processes personal data needs a data protection policy. The UK GDPR and Data Protection Act 2018 require you to be transparent about how you collect, use, store, and share personal data — including employee data.

The 7 data protection principles

Under Article 5 of the UK GDPR, all personal data must be processed in accordance with these principles:

Lawfulness, fairness and transparency

You must have a lawful basis for processing and be transparent about what you do with data.

Purpose limitation

Data must be collected for specified, explicit and legitimate purposes only.

Data minimisation

Only collect data that is adequate, relevant and limited to what is necessary.

Accuracy

Personal data must be accurate and kept up to date.

Storage limitation

Data must not be kept longer than necessary for the purpose for which it was collected.

Integrity and confidentiality

Data must be kept secure with appropriate technical and organisational measures.

Accountability

You must be able to demonstrate compliance with all these principles.

What your GDPR policy must cover

Data controller details and contact information
Categories of personal data you process
Lawful basis for each processing activity (Article 6)
Special category data processing (Article 9) — health, criminal records, etc.
Data subject rights — access, rectification, erasure, portability, objection
Data retention periods for each category of data
Data security measures — technical and organisational
Data breach notification procedure (72 hours to ICO)
Data Protection Impact Assessments (DPIAs)
International data transfers and safeguards
Third-party processors and data sharing agreements
Staff training and awareness programme
Subject Access Request (SAR) process — respond within 1 month
How to make a complaint to the ICO

ICO enforcement — the penalties

The Information Commissioner's Office (ICO) can impose significant fines for GDPR breaches:

Standard maximum: £8.7 million or 2% of annual global turnover

Higher maximum: £17.5 million or 4% of annual global turnover

Generate your GDPR policy now

UK GDPR and DPA 2018 compliant. Tailored to your data processing activities and business size.
