UK GDPR does not leave the content of a privacy policy to discretion. Articles 13 and 14 specify every element that must be present. Article 13 applies when you collect data directly — contact forms, account sign-ups, purchase flows, cookies. Article 14 applies when you obtain data about someone from a third party, such as buying or renting a mailing list.

Most UK business websites collect data directly, so Article 13 is the primary obligation. A policy that covers only some of the required elements is non-compliant even if the information it does contain is accurate.

Article 13 checklist

At the point of collection — or before — you must provide all of the following:

  • Identity and contact details of the controller — your business name, registered address, and a contact point for data protection queries. Article 13(1)(a)
  • Contact details of the Data Protection Officer — required only if you have designated one (mandatory for public authorities, and for private organisations whose core activities involve large-scale systematic monitoring or large-scale processing of special category data). Article 13(1)(b)
  • Purposes and lawful basis for processing — for each purpose for which you process personal data, you must state what that purpose is and which of the six Article 6 bases applies to it. Article 13(1)(c)
  • Legitimate interests pursued — if you rely on legitimate interests as your basis, you must name what those interests are. "Business purposes" is not sufficient. Article 13(1)(d)
  • Recipients or categories of recipients — who you share data with. This includes processors (your CRM, email platform, analytics provider) as well as any third parties who receive data in their own right. Article 13(1)(e)
  • International transfers — if personal data leaves the UK, you must state this and identify the safeguard mechanism (adequacy, IDTA, binding corporate rules, etc.). Article 13(1)(f)
  • Retention period — how long you keep each category of data, or the criteria used to determine it. "We keep your data as long as necessary" does not satisfy this requirement. Article 13(2)(a)
  • Data subject rights — you must inform people of their right to access, rectification, erasure, restriction, data portability, and objection. Each right should be briefly explained. Article 13(2)(b)
  • Right to withdraw consent — where you rely on consent, you must tell people they can withdraw it at any time and explain how. Article 13(2)(c)
  • Right to complain to the ICO — you must include this explicitly. The ICO's address and website (ico.org.uk) should be stated. Article 13(2)(d)
  • Whether provision of data is statutory or contractual — and the consequences of not providing it (e.g., you cannot complete a purchase without a delivery address). Article 13(2)(e)
  • Automated decision-making, including profiling — if you make automated decisions with legal or significant effect, you must explain the logic, significance, and likely consequences. Article 13(2)(f)

Common failures in practice

No lawful basis stated

Many privacy policies describe what data is collected but say nothing about why it is lawful to process it. This is one of the most common gaps the ICO identifies. For each processing activity, you need to name the basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests.

Vague retention periods

Phrases like "we retain your data for as long as necessary" appear frequently. They do not satisfy Article 13(2)(a). You need to state either a specific period (e.g., "contact form enquiries are deleted after 12 months") or the criteria you use to determine it (e.g., "data is retained for the duration of the client relationship plus six years for contractual limitation purposes").

No ICO registration number

Many organisations that process personal data in the UK are required to register with the ICO and pay the data protection fee, though a number of exemptions apply — including processing only for staff administration, own business accounts, or not-for-profit activities. The annual fee is £40, £60, or £2,900 depending on your organisation's size and turnover. The ICO's register is searchable at ico.org.uk/ESDWebPages/Search. Including your registration number in your privacy policy demonstrates accountability and is expected practice.

Failing to register with the ICO and pay the data protection fee is an offence under the Data Protection Act 2018. In practice, the ICO typically issues a monetary penalty for the unpaid fee rather than pursuing criminal prosecution. The ICO does identify unregistered organisations and will take action, so registration should not be overlooked.

Data subject rights buried or missing

Listing data subject rights in a single sentence ("you have the right to access, correct, or delete your data") is not sufficient. Each right should be explained and accompanied by a mechanism for exercising it — typically an email address. The right to object and the right to data portability are frequently omitted.

Article 14: indirectly obtained data

If you process data obtained from a third party — a purchased list, a data broker, a partner who shares contact details — Article 14 applies. You must provide the same information as Article 13, plus the source of the data and whether it came from a publicly accessible source. The information must be provided within one month of obtaining the data, not just at the time of first contact.

Does your privacy policy cover every required element?

GDPR Radar checks your policy for the Article 13 elements the ICO expects to see — lawful basis, retention periods, data subject rights, ICO complaint route, and controller identity.
