If your business collects personal information – even something as simple as a name and email address – you’re legally required to tell people what you’re doing with it. This is where your privacy notice comes in.
A clear, GDPR-compliant privacy notice isn’t just about ticking a legal box. It’s a chance to show your customers you understand your legal obligations and operate transparently. Done right, it builds trust, answers questions before they’re asked, and helps you stay on the right side of the law.
In this article, we’ll walk you through what a privacy notice is, how to prepare for writing one, and what you need to include to meet UK GDPR requirements. We’ve also included real-world examples, common mistakes to avoid, and a free privacy notice checklist to help you get it right. If you need further information, we have training available on our website.
What is a Privacy Notice?
A privacy notice is ideally a short, clear statement that explains how your business collects, uses, stores and shares personal data. Where you collect data directly from an individual, the notice must be given to them at, or before, the point of collection. Slightly different rules apply where you obtain personal data from a third party: the information must be provided within a reasonable period (at the latest within one month), or at the point you first communicate with the individual or first disclose the data to someone else.
You’ll often see the term privacy policy used online. The two terms are sometimes used interchangeably, but some organisations use them to mean different documents. It’s therefore important to be aware of the potential difference and to be clear about which document you’re producing and for what purpose.
Privacy Notice vs Privacy Policy
- A privacy notice is the term typically used where you are providing information for your customers, website users, and anyone else whose data you collect. It’s outward-facing, and its purpose is to inform people how their data will be used.
- A privacy policy is used by some to mean a privacy notice, but it is more commonly an internal policy document. It sets out how your business manages data behind the scenes, and is usually used by staff, management, or advisors.
At Tkm & Associates, we use the term “privacy notice” when referring to the document that businesses are legally required to provide under UK GDPR. That’s what this article focuses on.
How to Prepare Before Writing Your Privacy Notice
Before you start drafting your privacy notice, take a step back and look at the bigger picture. To write something that’s accurate and GDPR-compliant, you first need to understand how personal data flows through your business.
This doesn’t need to be technical or time-consuming, but it does need to be honest and specific. A common mistake small businesses make is using a generic template that doesn’t reflect what they actually do. That can leave you exposed to complaints, confusion, or worse, non-compliance. Here’s a simple step-by-step plan to help you get the foundations right:
Step 1: List What Personal Data You Collect
Start with the basics. Think about the different ways you collect information, for example, online forms, emails, bookings, purchases, enquiries, events, etc.
Write down what you collect (e.g. names, email addresses, payment details, health information) and who you collect it from (e.g. customers, newsletter subscribers, employees, suppliers).
Step 2: Clarify Why You Collect It
Ask yourself: why do we need this data? Be clear about the purpose, such as fulfilling orders, managing bookings, sending marketing emails, or meeting legal obligations like HMRC record-keeping. If you find that you don’t need some of the data you’re collecting, make sure you change your collection processes.
Step 3: Map Where It Goes
Where does that information go once you’ve collected it? Think about:
- Where you will hold or store the data, for example in files or folders within Google Docs, Dropbox, OneDrive or another filing system
- Third-party tools (like Mailchimp, Stripe, or your website booking system)
- Contractors or service providers (e.g. payroll support or IT companies)
- Internal storage (laptops, cloud drives, notebooks)
Step 4: What Will You Be Using It For
Think through what your business actually does with the data you collect. This will shape both the content of your privacy notice and the lawful basis you rely on for each type of processing.
Examples might include:
- Managing customer relationships
- Providing goods or services to individuals
- Managing bookings or appointments
- Administering contracts
- Managing staff or supplier records
- Sending service or marketing communications
Being specific at this stage helps ensure your privacy notice reflects real practices and avoids vague or catch-all wording.
Step 5: Note How Long You Keep It
Do you delete data after it’s used, or do you keep it for a set period? Different types of data may need different retention times – for example, marketing consent vs employee records.
Step 6: Check Who Has Access
Is access limited to specific team members, or is data shared across departments or with outsourced partners? Access should be restricted to the people who need it for the purpose you collected the data for, and you should have a legitimate reason for passing any data you hold to a third party.
By taking the time to answer these questions, you’ll be in a strong position to write a privacy notice that truly reflects your business. You don’t need to be a legal expert – just honest, clear, and specific.
What to Include in a GDPR-Compliant Privacy Notice
Once you’ve mapped out how personal data flows through your business, the next step is to put that information into a privacy notice that meets legal requirements.
Under the UK GDPR, there are certain things your privacy notice must include. The aim is to help people understand what’s happening with their data – without having to ask.
Who You Are
Include the name of your business and how people can contact you. If you have a Data Protection Officer (DPO), their details should be included too, although most small businesses are unlikely to need one.
Why You’re Collecting the Data
Be specific about the purposes. For example:
- To send you booking confirmations and reminders
- To manage your subscription preferences
- To process your payment and issue receipts
The Lawful Basis You’re Relying On
Every time you collect or use personal data, you need a lawful basis for doing so. UK GDPR sets out six; the most common ones for small businesses are:
- Consent (e.g. for email marketing)
- Contract (e.g. taking a booking or order)
- Legal obligation (e.g. tax records)
- Legitimate interests (e.g. basic customer follow-up, where it’s reasonable and expected)
Make sure the basis matches the purpose. If you’re relying on consent, explain how it can be withdrawn; if you’re relying on legitimate interests, say what those interests are. If you process special category data (for example health information), you also need to identify the additional condition you rely on for it.
Who You Share It With
List any third parties who help you deliver your service and who receive personal data from you. Examples might include:
- Website hosting providers
- Payment processors
- Marketing platforms (e.g. Mailchimp)
- Booking or scheduling tools
- Your accountant or payroll provider
Be transparent, even if these are common tools. If you use a lot of third parties, you don’t need to name them all, but you do need to give the categories of recipient, for example marketing platforms, IT support companies and so on.
Whether You Transfer Data Outside the UK
If you use tools based outside the UK (as many cloud services are), explain this clearly and state what safeguards are in place, for example UK adequacy regulations covering the destination country, or the ICO’s International Data Transfer Agreement (IDTA) or UK Addendum to the EU standard contractual clauses.
How Long You Keep the Data
Explain how long you keep personal data, or the criteria you use to decide. For instance:
- We keep customer booking records for 5 years after your last visit.
- Marketing consent is reviewed every 2 years.
People’s Data Rights
You must inform people of their rights, which include:
- Accessing their data
- Correcting inaccurate data
- Asking for their data to be deleted
- Restricting how their data is used
- Receiving a copy of their data in a portable format (where the basis is consent or contract)
- Objecting to certain uses (like marketing)
- Withdrawing consent
- Making a complaint to the ICO
GDPR Complaint Process Changes
As of June 2026, UK GDPR is changing, through provisions introduced by the Data (Use and Access) Act 2025, and this affects complaints. Anyone wishing to complain will be expected to make a complaint to your organisation in the first instance, so you must have a process in place for receiving data protection complaints, acknowledging them promptly and responding without undue delay. If the complaint is not resolved, the complainant can then take it to the ICO.
What Happens If Someone Doesn’t Provide Data
If providing the data is a statutory or contractual requirement, or is necessary for entering into a contract (e.g. to process a booking), you need to say whether the individual is obliged to provide it and what the consequence is if it’s not provided (for example, that you won’t be able to take the booking).
If You Use Automated Decisions or Profiling
If you’re using any kind of automated decision-making, such as AI or algorithms that profile users and produce decisions with legal or similarly significant effects, this must be explained, including meaningful information about the logic involved and the significance and likely consequences for the individual.
The easiest way to make sure you’ve covered everything? Use our Privacy Notice Checklist, available for free when you sign up to our mailing list. It’s designed specifically for small businesses and helps you avoid common mistakes.
Privacy Notice Templates and Privacy Notice Generators
If you’ve ever searched online for “privacy notice template” or tried using a free generator, you’re not alone. For small businesses, these tools can seem like a helpful shortcut and in some cases, they can be a good starting point.
But here’s the problem: one-size-fits-all privacy notices rarely reflect how your business actually handles data. And under UK GDPR, that can lead to non-compliance, confusion, or a lack of trust.
Common Issues with Templates and Generators
Missing specific details: Templates often leave placeholders or generic language like “we may collect your data”, which tells your customers very little and doesn’t meet GDPR standards.
Ignoring your tools: They typically don’t account for your actual systems – like whether you use Mailchimp, Stripe, or WhatsApp to process personal data.
Outdated legal content: For those in the UK, many templates don’t reflect the latest UK GDPR guidance, especially if they’re based on EU models or older regulations.
False reassurance: Just because a notice looks neat and professional doesn’t mean it’s legally sound. If it doesn’t match your practices, it could be misleading.
When Privacy Notice Templates Can Be Useful
That said, templates and generators aren’t all bad, especially if:
- You’re just starting out and need a framework to build on
- You use them alongside expert advice or a proper checklist
- You actively customise the content based on how your business operates
If you do use a generator, we recommend the ICO’s own privacy notice generator, which is designed specifically for small UK businesses and focuses on compliance from the start.
Still, the safest approach is to treat any template as a draft, and adapt it carefully to reflect your real-world data flows, third-party services, and customer relationships.
Using Our Privacy Notice Checklist
Creating a GDPR-compliant privacy notice doesn’t need to be overwhelming, but it does need to be thorough. That’s why we’ve developed a free Privacy Notice Checklist, designed specifically for small businesses.
It helps you make sure:
- You’ve covered all legal requirements under UK GDPR
- You’ve included the right level of detail for your business
- Nothing important has been missed – like third-party tools or data retention
You can use the checklist whether you’re writing your notice from scratch, adapting a template, or reviewing an existing one.
What’s Inside the Checklist?
- A clear list of what your privacy notice must include, explained in plain English
- Practical prompts to help you think through how your business really handles personal data
- Common pitfalls to watch out for
- Examples of how to describe key information (like lawful basis or data retention)
It’s based on up-to-date legal guidance and draws on our years of experience helping small businesses meet their data protection obligations without unnecessary complexity.
You’ll get the checklist when you sign up to our email list – and we won’t send anything irrelevant or spammy. Just practical advice and tools you can actually use.
Privacy Notice Examples: Why One Size Doesn’t Fit All
No two businesses handle personal data in exactly the same way, and that’s why generic privacy notices often fall short.
To be GDPR-compliant, your privacy notice must reflect the specific data you collect, how you use it, who you share it with, and how long you keep it. That means what’s right for one business might be incomplete or misleading for another.
In the next section, we’ll walk through two example scenarios to show how different types of businesses need to tailor their privacy notices. These examples highlight:
- The types of personal data commonly collected
- Common areas that are often overlooked
- How your services, tools, and legal obligations shape what should go into your notice
These examples are designed to help you spot gaps in your own privacy notice and understand what needs to be customised.
Scenario 1 – Small Independent Hotel – The Glenbrae Inn
The Glenbrae Inn is a 12-room family-run hotel located in rural Scotland. It offers accommodation, breakfast, and local tours. The hotel takes bookings via its own website and over the phone, and also advertises on booking platforms like Booking.com and Airbnb. (Not a real business.)
Take a look at this example privacy notice for “The Glenbrae Inn”.
Types of Personal Data Collected
- Guest name, email address, phone number, home address
- Payment details (via third-party payment processor)
- Dietary requirements (for breakfast service)
- Passport or ID details (for international guests)
- Vehicle registration (for car park use)
- Booking preferences and history
- IP address and device information (from website analytics)
Where does this privacy notice fall short?
- Uses a generic privacy notice template without adjusting for the Glenbrae’s specific tools or practices, often not completing sections where prompted by the template used.
- Doesn’t mention that the names of other guests staying with the main guest are collected.
- Fails to mention third-party services (e.g. Stripe for payments, Mailchimp for guest communications, Booking.com integrations).
- Includes vague wording around “we may collect data” rather than being specific.
- Omits the dietary information (which may include special category health data, such as allergies) from the privacy notice entirely, along with the condition relied on for processing it.
- Does not review or update the privacy notice after changing website providers and analytics tools.
- The notice itself is outdated, having not been revised since 2024.
- Doesn’t tell guests that they will be added to the marketing list.
Scenario 2 – Mobile Beauty Therapist – Radiance on the Go
Radiance on the Go is a sole trader business run by a qualified beauty therapist who offers at-home treatments such as facials, waxing, and massage across Greater Manchester. Clients book appointments via Instagram DM, WhatsApp, and an online booking tool. The business maintains an email list of around 460 contacts using Mailchimp to share special offers and appointment availability. (Not a real business.)
Take a look at this example privacy notice for “Radiance on the Go”.
Types of Personal Data Collected
- Client name, address, phone number, and email
- Health information (e.g. allergies, pregnancy, skin conditions) to assess treatment suitability
- Appointment history and preferences
- Payment details (via SumUp or PayPal)
- Social media usernames (from bookings via Instagram)
- Email marketing preferences (via website sign-up form or verbal consent)
- Email address storage and marketing activity data (via Mailchimp)
What’s wrong with this privacy notice?
- Uses a free privacy notice template that doesn’t mention health data, explain the lawful basis for collecting it, or identify the additional condition required for processing special category data
- Fails to mention Mailchimp as a data processor or explain how marketing preferences are recorded
- Doesn’t inform clients how long their personal or health data will be retained
- Omits key rights such as the ability to withdraw consent or unsubscribe from marketing
- No privacy notice is linked in Instagram bio or booking messages, so users aren’t informed before sharing data
- Doesn’t tell clients that their images will be used for promotional purposes or get consent to do so
How to Use Your Privacy Notice: When and Where to Share It
Writing your privacy notice is only half the job. You also need to make sure it’s actually seen – at the right time and in the right places.
Under UK GDPR, individuals must be informed about how their data will be used at the point of collection, or before their data is collected. If you only publish your notice in the footer of your website and leave it there, that’s not enough.
Where to Display Your Privacy Notice
- On your website – in the footer or on a dedicated page. This is essential.
- On any online forms – include a short notice or a clear link wherever people submit personal information (e.g. contact, booking, newsletter forms).
- During sign-up or registration – if users are creating an account or subscribing to emails, make the privacy notice available before they hit ‘submit’.
- In confirmation emails – link to your privacy notice when confirming orders, appointments, or sign-ups. You could also add it to the signature block of your general emails making sure anyone you’re in contact with will have a link to the notice.
- On printed documents – if you collect data offline (e.g. paper forms), include a short privacy statement or let people know where to find the full notice.
When to Update Your Privacy Notice
Your privacy notice isn’t a one-off task. It should be reviewed:
- When you introduce a new product, service, or data collection method
- When you change service providers (e.g. switch email platforms or booking tools)
- When there’s a legal or regulatory update that affects your processing
- At regular intervals (we suggest reviewing annually at minimum)
Keeping your notice up to date is essential. Outdated information can be just as problematic as missing information.
Need Support Creating a GDPR-Compliant Privacy Notice?
If you’re unsure whether your privacy notice covers everything it should – or you’re starting from scratch – you’re not alone. Many small businesses struggle to get this right, especially when they’re relying on templates or juggling multiple responsibilities.
At Tkm & Associates, we help small businesses and SMEs understand and meet their data protection obligations without unnecessary complexity or legal jargon.
Whether you need help drafting a privacy notice, reviewing an existing one, or mapping out your data practices, we offer:
- Practical data protection support and guidance tailored to your business
- Data protection training options if you’d like to build confidence in-house
You don’t need to be a legal expert to get data protection right – but you do need to be specific, accurate and clear. We can help you get there. Explore our services or get in touch to find out how we can support you. And don’t forget to download our free Privacy Notice Checklist to get started today.