How to Write a UK Privacy Policy: Generator and Guide
Steven | TrustYourWebsite · 15 May 2026 · Last updated: May 2026
A UK privacy policy is a legal requirement under UK GDPR Articles 13 and 14, the Data Protection Act 2018 and, for cookies and electronic marketing, the Privacy and Electronic Communications Regulations 2003 (PECR). The substance is similar to an EU privacy policy; the differences are operational: the regulator is the Information Commissioner's Office (ICO), the legal citation is UK GDPR, and trader identification follows Companies House rules rather than EU equivalents. This guide covers what a UK privacy policy must contain and how to generate one in 15 minutes.
For a scan that identifies the third parties your site actually loads (so the policy can name them all), run a free check at /uk/en/scan.
What UK GDPR Article 13 requires
When a UK website collects personal data directly from a visitor, Article 13 lists the disclosures that must be provided. The table below maps each requirement to where it lives in the privacy notice.
| Article 13 requirement | Where it appears in a UK notice | UK-specific detail |
| --- | --- | --- |
| Identity and contact details of the controller | Top section | Include Companies House number, registered office and a working email under E-Commerce Regs 2002. |
| DPO contact details | Top section (if appointed) | Most UK SMEs do not need a DPO under Article 37. If you have one, name them. |
| UK Representative (Article 27) | Top section (non-UK controllers only) | Non-UK businesses targeting UK individuals need a UK rep. Name them. |
| Purposes of processing and lawful basis | Main body, one block per purpose | Cite UK GDPR Article 6. For special-category data add Article 9 plus the DPA 2018 Schedule 1 condition. |
| Recipients or categories of recipients | Main body | Name the actual third parties (hosting, email, payment, analytics, chat). |
| International transfers and safeguards | Main body | UK Addendum to EU SCCs or IDTA. UK-US Data Bridge for certified US recipients. |
| Retention periods | Main body | Specific timeframes per category. "As long as necessary" fails the test. |
| Data subject rights | Rights section | Access, rectification, erasure, restriction, portability, objection plus how to exercise each. |
| Right to withdraw consent | Rights section | Required if any processing relies on consent (analytics cookies, marketing emails). |
| Right to complain to the ICO | Rights section | Link to ico.org.uk/concerns (https://ico.org.uk/concerns). Not an EU DPA. |
| Statutory or contractual requirement to provide data | Per-purpose disclosure | Mark which fields are optional vs. required. |
| Automated decision-making and profiling | Main body if applicable | Required where the decision has legal or similarly significant effects. |

The UK divergences that matter
A UK privacy notice differs from an EU GDPR privacy notice in four places. Getting these right is what separates a copy-pasted EU policy from a genuine UK-aware one.
The regulator. The Information Commissioner's Office in Wilmslow, not the EDPB or an EU member-state DPA. After the Data (Use and Access) Act 2025, the ICO was formally renamed the Information Commission, although the public-facing site at ico.org.uk and the complaint routes are unchanged. Privacy notices should refer to the ICO or the Information Commission by current name and link to ico.org.uk/concerns for complaints.
The lawful framework. UK GDPR is the retained version of EU Regulation 2016/679, amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, the DPA 2018 and the DUAA 2025. The text reads very similarly to EU GDPR but UK case law and ICO guidance have started to diverge. The privacy notice should cite "UK GDPR" rather than "GDPR" where the distinction matters. See UK GDPR vs EU GDPR after Brexit for the substantive differences.
Trader identification. UK limited companies must display their registered company name, registration number, place of registration and registered office address on every page of their website. These come from the Companies (Trading Disclosures) Regulations 2008. The E-Commerce Regulations 2002 add a geographic address and a direct contact email. The privacy notice typically picks up these details in its controller-identity section. See Companies House website disclosures for the full disclosure framework.
International transfers. UK controllers transferring personal data abroad use the UK Addendum to the EU SCCs or the International Data Transfer Agreement (IDTA), not the raw EU SCCs. The UK-US Data Bridge has been in force since 12 October 2023 and lets UK controllers transfer data to certified US recipients without additional safeguards, mirroring the EU-US Data Privacy Framework. Privacy notices for UK-targeted sites should mention IDTA or the UK Addendum where any cross-border transfer is involved.
PECR sits alongside the privacy notice
UK GDPR Article 13 does not exhaust the disclosure requirements. The Privacy and Electronic Communications Regulations 2003 add separate consent rules for cookies (Regulation 6) and electronic marketing (Regulation 22). The privacy notice typically links to a cookie banner that handles the PECR Regulation 6 consent, and marketing consent is captured at signup rather than in the policy itself.
For the cookie-side requirements, see PECR cookie rules in the UK. For marketing-consent and the soft opt-in, see legitimate interests for UK marketing.
Common UK privacy-notice failings
The ICO's published reprimands and monetary penalty notices reveal which failings actually trigger enforcement. The pattern is consistent.
| Common failing | Article 13 reference | Fix |
| --- | --- | --- |
| Generic "we" without naming the controller | Art 13(1)(a) | Name the registered company, Companies House number, registered office. |
| Vague "trusted partners" without named third parties | Art 13(1)(e) | Name Google, Stripe, Mailchimp, your CRM, your hosting provider. |
| Missing retention periods | Art 13(2)(a) | Specific periods per category. Most common SME omission. |
| No mention of ICO complaint route | Art 13(2)(d) | Name the ICO and link to ico.org.uk/concerns. |
| Policy that describes processing the site no longer does | Art 13(1)(c) | Annual review tied to whenever the tool stack changes. |
| US analytics without UK-US Data Bridge reference | Art 13(1)(f) | State that transfers to certified US recipients rely on the UK-US Data Bridge. |
| Bundled "by clicking submit you agree to marketing" | PECR Reg 22 (not Art 13) | Separate marketing-consent checkbox at signup. |

For the full audit perspective on what the ICO checks during an investigation, see what the ICO actually checks on your website.
Drafting the UK notice: section by section
The structure that meets every Article 13 requirement and reads well to a UK SME audience runs as follows.
1. Who we are. Registered company name, Companies House number, place of registration, registered office address, trading address if different, direct contact email. For sole traders, the full personal name plus business name and a geographic address. If a DPO is appointed, list their contact details. For non-UK controllers targeting UK individuals, list the UK Representative.
2. What data we collect and why. A table covering each processing activity with the data fields, purpose, lawful basis (UK GDPR Article 6) and any special-category condition (Article 9 plus Schedule 1 DPA 2018). Group by purpose, not by data field.
3. Who we share data with. Name each third party that receives personal data. Hosting provider, email service, payment processor, analytics tool, chat widget, CRM, marketing automation. For each, note whether the transfer is to a UK-adequate country or whether the UK-US Data Bridge, IDTA or UK Addendum applies.
4. How long we keep data. Specific retention periods per category. Booking records: 12 months. Email subscribers: while consent is active. Payment records: 6 years for HMRC. CCTV: 30 days. Marketing-consent logs: 2 years after unsubscribe. Server logs: 30 days.
5. Your rights. UK GDPR Articles 15-22 rights: access, rectification, erasure, restriction, portability, objection. Plus the right to withdraw consent for consent-based processing and the right to lodge a complaint with the ICO.
6. Cookies. A short summary plus a link to the cookie banner or a separate cookie policy. The cookie banner handles the PECR Reg 6 consent capture.
7. Changes to this notice. State that the notice may be updated and how visitors will be informed (typically a banner notice when material changes are made plus a "last updated" date).
For the complete Article 13 disclosure list with examples, see privacy policy requirements under UK GDPR.
When generator output is enough vs. when to take legal advice
A UK privacy policy generator covers the common cases well. Take legal review when the situation involves any of the following.
Special-category data processing under UK GDPR Article 9 (health, biometric, genetic, sexual orientation, religious or political beliefs, trade-union membership). A relevant DPA 2018 Schedule 1 condition must be identified for each special-category purpose.
Criminal-conviction data under UK GDPR Article 10. This needs a separate DPA 2018 condition under section 10 and Schedule 1 Part 2.
Children's data. The UK age of digital consent under DPA 2018 section 9 is 13, lower than the EU default of 16. Services likely to be accessed by children need to consider the ICO's Age Appropriate Design Code.
Regulated sectors. Financial services (FCA), healthcare (CQC and the NHS information governance framework), legal services (SRA), education (DfE and Ofsted) all have sector-specific data-protection rules that interact with UK GDPR.
Profiling or large-scale automated decision-making. Article 22 UK GDPR has explicit safeguards that must appear in the privacy notice.
Large-scale processing or DPO appointment. If Article 37 requires a DPO, the notice must list them and the DPO should be involved in policy drafting.
What DUAA 2025 changed for privacy notices
The Data (Use and Access) Act 2025 amended UK GDPR in a small number of targeted ways. For privacy-notice drafting, three changes matter.
First, the regulator was renamed the Information Commission. Existing notices that say "Information Commissioner's Office" remain accurate because the underlying entity is the same body. Updating to "Information Commission" at the next review is sufficient.
Second, a list of recognised legitimate interests was formalised. For most commercial websites this changes nothing because the recognised list covers public-interest purposes (safeguarding, crime prevention, certain research) rather than commercial purposes. Marketing and analytics still need a documented LIA under Article 6(1)(f).
Third, the international transfer framework moved to a data-bridges system. Existing UK Addendum and IDTA arrangements continue under transition rules. Future transfers may rely on designated data bridges as the Secretary of State adds them.
For the full DUAA 2025 picture see DUAA 2025 changes for UK websites.
Keep it current
A privacy notice that describes the site as it was 18 months ago is a transparency failure regardless of how thorough it looked when written. Review the notice at every change to the site's tool stack: adding analytics, switching email providers, installing a chat widget, embedding new third-party scripts. A scheduled annual review is the minimum.
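One way to run the "does the notice name what the site loads" check yourself, as an added example that is not the article's scanner or TrustYourWebsite's code: it parses a page's HTML, lists every host it loads scripts, frames, images or stylesheets from outside the first-party domain, and flags any host not covered by a recipient named in the notice (Art 13(1)(e)). The sample page, the first-party domain example.co.uk and the disclosed-recipient mapping are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes whose value the browser fetches while rendering the page.
LOADING_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


def _under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


class ThirdPartyCollector(HTMLParser):
    """Collects hostnames of sub-resources loaded from outside the first-party domain."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party.lower()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        url = (dict(attrs).get(attr) or "") if attr else ""
        if url.startswith("//"):  # protocol-relative URLs still contact another origin
            url = "https:" + url
        if not url.startswith(("http://", "https://")):
            return  # relative path: served by the first party itself
        host = (urlparse(url).hostname or "").lower()
        if host and not _under(host, self.first_party):
            self.hosts.add(host)


def collect_hosts(html, first_party):
    """Return the set of third-party hosts a page loads resources from."""
    parser = ThirdPartyCollector(first_party)
    parser.feed(html)
    return parser.hosts


def undisclosed_third_parties(html, first_party, disclosed):
    """Map each third-party host to the recipient named in the notice, or None if none covers it.
    disclosed: {recipient name as written in the notice: domain that recipient serves from}"""
    return {host: next((name for name, dom in disclosed.items() if _under(host, dom)), None)
            for host in sorted(collect_hosts(html, first_party))}


# Constructed sample page: four third-party resources plus one first-party image.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/static/site.css">
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="//cdn.example-chat.invalid/widget.js"></script></head>
<body><img src="https://www.example.co.uk/logo.png">
<iframe src="https://www.youtube.com/embed/abc"></iframe></body></html>"""

# Recipients the constructed notice names, with the domain each one serves from.
DISCLOSED = {"Google (Tag Manager / Analytics)": "googletagmanager.com", "Stripe (payments)": "stripe.com"}

if __name__ == "__main__":
    for host, named_as in undisclosed_third_parties(SAMPLE_HTML, "example.co.uk", DISCLOSED).items():
        print(f"{host:28} {'named as ' + named_as if named_as else 'NOT NAMED in the notice'}")
```

A static parse only sees resources present in the served HTML; tags injected later by JavaScript (a tag manager loading further vendors, for instance) need a browser-based capture, so treat this list as the minimum the notice must name.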
For a current view of the third parties your site actually loads, run a free scan at /uk/en/scan. For the broader UK compliance posture, see GDPR compliance for UK businesses.
This is technical analysis, not legal advice. For UK businesses processing special-category data, operating in regulated sectors or facing an active ICO enquiry, consult a solicitor or DPO with UK GDPR experience.