Under GDPR, a privacy policy is not optional. It is a legal requirement — the primary mechanism through which you fulfil your obligation to be transparent with individuals about how you process their personal data. Most small businesses have a privacy policy, but many of them fall short of what the regulation actually requires.
The required sections
GDPR Articles 13 and 14 set out precisely what information you must provide to people when you collect their data. These are the sections your privacy policy must include:
- Who you are. Your legal name, trading name, and contact details. If you have a Data Protection Officer, their contact details too.
- What data you collect. Describe the categories of personal data you process: names, email addresses, payment information, IP addresses, behavioural data, and so on.
- Why you collect it. For each processing activity, you must state the purpose — account management, marketing, order fulfilment, analytics — and the lawful basis you rely on.
- How long you keep it. Retention periods should be specific where possible. "We keep your data for as long as necessary" is not sufficient.
- Who you share it with. Name your third-party processors — email platforms, payment processors, analytics tools, CRMs. You do not need to list every sub-processor, but you must describe the categories.
- Transfers outside the UK/EU. If any of your processors are in non-adequate countries (most notably the US), you must explain the safeguards in place — typically Standard Contractual Clauses.
- Individual rights. You must inform people of their rights: access, rectification, erasure, restriction, portability, and the right to object.
- How to complain. You must tell people they have the right to lodge a complaint with a supervisory authority, and provide the authority's details.
What you must tell users about data processing
Each processing activity should be clearly described. A useful format is a table with columns for data category, purpose, lawful basis, retention period, and third parties involved. This makes it easy for both users and regulators to understand exactly what you do with data.
The lawful basis section is where many businesses go wrong. Listing "legitimate interests" for everything is a red flag. Marketing emails require consent. Contract fulfilment requires the contract basis. Legal obligations require their own basis. Each activity should have the correct, specific basis stated.
Common mistakes to avoid
The most common privacy policy failures regulators see in small business audits are: policies that describe processes the business does not actually follow; policies copied from another business without customisation; missing retention periods; vague descriptions of data sharing; and no mechanism for users to exercise their rights.
A good privacy policy is a living document. Every time you add a new tool to your tech stack — a new email platform, a CRM, an analytics service — your privacy policy needs to be updated to reflect it. Treat it as operational documentation, not a one-time legal box to tick.