The ESSENTIAL info every privacy policy should have


Laura Daniel, co-founder at We Grow Startups,


If your website collects data from UK or EU citizens, your privacy policy must be GDPR* compliant. Basically, you need to tell them in clear, plain language:

  • What data you collect and why
  • Who you share that data with
  • How you treat the data (storage, retention, transfer, security)
  • The rights of your data subjects

*Post brexit, the UK is governed by the Data Protection Act 2018 and in practice there is little difference between this and the EU GDPR.

We get it, this sounds like a lot of work so that’s why we recommend Rocket Lawyer’s tool to create a fully customised privacy policy - find it here! You’ll have a policy ready to upload to your website within the hour.

The breakdown below will help you understand what info you need to provide and why:

  1. Identity and Contact Details: Clearly mention the name and contact details of your business and the Data Protection Officer (if applicable).
  2. Data you collect and how: List what data points you collect (personal identifiable data, cookies etc.) and through what methods i.e. sign up form, check out, cookie notice
  3. Purpose and Legal Basis for Processing: Describe the purposes for which you are collecting and processing personal data and the legal basis for this processing. The ICO has some great guidance on this here.
  4. Data Recipients: Mention any third parties or categories of third parties with whom you will share personal data.
  5. Data Transfer: Describe if you intend to transfer personal data outside the EU/EEA and the legal safeguards in place for these transfers. It’s worth checking the platform(s) you use to share or store data and where they house it.
  6. Data Retention: Explain how long you will store the personal data, or if that is not possible, the criteria used to determine this period. If you’re using a CRM database, this will make it easy for you to define a set period.
  7. Rights of Data Subjects: Clearly state the rights of the data subjects, such as the right to access, rectify, or erase their personal data, the right to restrict or object to processing, and the right to data portability.
  8. Right to Withdraw Consent: If the processing is based on consent, inform the data subjects of their right to withdraw consent at any time.
  9. Right to Lodge a Complaint: Inform data subjects of their right to lodge a complaint with a supervisory authority.
  10. Automated Decision Making: If you use automated decision-making or profiling, inform data subjects about this and explain the logic involved and the significance and consequences of the processing. This could be an email marketing platform or ecommerce platform.
  11. Security Measures: Explain the security measures you have in place to protect personal data.
  12. Children's Data: If your website collects data from children, make sure to include information about parental consent and how it is obtained.
  13. Updates to the Privacy Policy: Inform users how they will be notified of any updates to the privacy policy.

And that's another thing done.

Any problems? Just shoot me an email at