Do you need a privacy policy in the UK?

Updated 3 July 2026 · Policy Mind guides

If your business handles any personal data — customer names, emails, delivery addresses, staff records, CCTV footage — then yes. UK GDPR and the Data Protection Act 2018 require you to tell people, clearly and up front, what you do with their data. There is no small-business exemption.

Privacy notice vs privacy policy

People use "privacy policy" loosely for two different documents:

What your privacy notice must cover

UK GDPR is specific about the minimum contents. In plain English:

Don't forget the ICO fee and cookies

Most UK organisations that process personal data must also pay the ICO's data protection fee unless exempt — it's a legal requirement separate from your documents, and the ICO does issue fines for not paying. And if your website sets cookies or trackers, PECR requires a cookie notice and consent before non-essential cookies fire — that's a separate document from your privacy notice.

Copying a template is where it goes wrong

A pasted template that names the wrong company, lists data you don't collect, or misses what you actually do is arguably worse than nothing — it's evidence you didn't engage with the duty. Your notice has to describe your data flows: what your forms collect, which tools you use, where the data goes.
