Running a Compliant Business

How to Create a Privacy Notice

A step-by-step guide to writing a clear privacy notice that meets the Act and that people can actually understand.

Beginner 14 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What a privacy notice is and why you need one
  • The sections a good notice should include
  • How to write it in plain language
  • Common mistakes to avoid

Overview

A privacy notice is the plain-language statement that tells people how your business collects, uses, shares, and protects their personal data. It is one of the most visible signs that you take data protection seriously, and for most businesses it is the natural first step.

Why this matters

Being transparent is a core part of the first standard (), and the right to be informed is one of the data subject rights in the Act. A clear notice builds trust and reduces complaints, because people understand what to expect.

What to include

A good privacy notice usually covers:

  • Who you are. Your business name and how to contact you about privacy.
  • What data you collect. The categories of personal data, including any sensitive data.
  • Why you collect it. The purposes and your lawful basis.
  • Who you share it with. Processors, partners, or authorities, where relevant.
  • How long you keep it. Your retention approach.
  • People's rights. How they can access, correct, or object.
  • International transfers. If you use overseas tools or storage.
  • How to complain. Including the role of the Office of the Information Commissioner.
Tip. Write for a customer, not a lawyer. Short sentences, plain words, and concrete examples beat dense legal text every time.

How to write it

  1. List the personal data your business actually collects and why.
  2. Note who you share it with and where it is stored.
  3. Draft each section in plain language using the list above.
  4. Have someone outside your team read it. If they are confused, simplify.
  5. Publish it somewhere easy to find and keep it up to date.
Watch out. Do not describe practices you do not follow. A notice that promises things you do not do is worse than none, because it is inaccurate and misleading.

Good and bad examples

  • Good. "We use your email address to send your order updates and, if you opt in, occasional offers. You can unsubscribe at any time."
  • Bad. "We may process your data for various business purposes in accordance with applicable law." (Vague and unhelpful.)

Common mistakes

  • Copying a generic template that does not match your business.
  • Hiding the notice or making it hard to find.
  • Writing it once and never updating it as your business changes.

Best practices

  • Keep it specific to what your business really does.
  • Review it whenever you add a new tool, partner, or data use.
  • Link it wherever you collect personal data.

Put this into practice

Answer a few questions about your business and generate a privacy notice tailored to your sector.

Launch the Privacy Notice Generator

Frequently asked questions

Yes. If you collect personal data, you should tell people how you use it, regardless of your size.

Key takeaways

  • A privacy notice tells people how and why you use their personal data.
  • Almost every business that handles personal data needs one.
  • It should be clear, specific, and easy to find.
  • The generator can produce a tailored notice in minutes.

Related

Ask the Privacy Assistant

Beta