Privacy policies and GDPR compliance for small sites

Why privacy policies matter

Privacy policies are legally required in many places, including the UK and EU. They also build trust by being transparent about how you handle personal data.

For small sites, privacy policies do not need to be complex. They need to be clear, accurate, and cover what you actually do.

What GDPR requires

Legal basis

Under UK GDPR, you need a legal basis for processing personal data.

• Consent: When users actively agree to data processing.
• Legitimate interests: When processing is necessary for your business operations.
• Contract: When processing is needed to fulfil a contract.
• Legal obligation: When you must process data to comply with law.

Transparency

You must be transparent about what data you collect and why.

• Explain what personal data you collect.
• Explain why you collect it and how you use it.
• Explain who you share it with.
• Explain how long you keep it.

User rights

Users have rights over their personal data.

• Right to access their data.
• Right to correct inaccurate data.
• Right to delete data in certain circumstances.
• Right to object to processing in certain circumstances.
• Right to data portability where applicable.

What to include in your privacy policy

Who you are

Identify yourself as the data controller.

• Your business or organisation name.
• Contact information.
• How people can contact you about data protection.

What data you collect

List the types of personal data you collect.

• Data from contact forms, such as name and email.
• Technical data, such as IP addresses from server logs.
• Analytics data, if you use analytics tools.
• Any other personal data you collect.

Why you collect it

Explain the purpose for collecting each type of data.

• To respond to enquiries.
• To provide services.
• To improve your website.
• To prevent spam and abuse.

Legal basis

Explain the legal basis for processing each type of data.

• Consent for form submissions.
• Legitimate interests for website operation and security.
• Contract for providing services.

Who you share data with

Be transparent about third parties who process data.

• Hosting providers.
• Email delivery services.
• Analytics providers.
• Any other service providers.

How long you keep data

Explain your data retention policy.

• How long you keep enquiry data.
• How long you keep client data.
• How long you keep technical logs.

User rights

Explain how users can exercise their rights.

• How to request access to their data.
• How to request corrections.
• How to request deletion.
• How to object to processing.

Security

Explain the security measures you take.

• Use of HTTPS.
• Secure hosting.
• Basic security practices.

Cookies and tracking

Cookie policy

If you use cookies, explain what they are and why you use them.

• List the types of cookies you use.
• Explain what each cookie does.
• Explain how long cookies last.
• Explain how users can manage cookies.

Analytics and tracking

Be transparent about any analytics or tracking you use.

• What analytics tools you use.
• What data they collect.
• Whether they use cookies.
• How users can opt out if possible.

Keeping it simple

Write in plain language

Privacy policies should be understandable.

• Use clear, simple language.
• Avoid legal jargon where possible.
• Use short sentences and paragraphs.
• Organise information with clear headings.

Be accurate

Only include what you actually do.

• Do not copy generic templates without customising them.
• Review your policy regularly and update it when things change.
• Remove sections that do not apply to your site.

Make it easy to find

Put your privacy policy where people can find it.

• Link to it from your footer on every page.
• Link to it from forms that collect personal data.
• Make the link label clear, such as Privacy policy.

Common mistakes

• Copying a generic template without customising it.
• Including sections that do not apply to your site.
• Not updating the policy when you change what you do.
• Hiding the policy or making it hard to find.
• Using overly complex language.
• Not explaining how users can exercise their rights.

When you need more help

Consider professional advice for complex situations.

• If you process large amounts of personal data.
• If you process sensitive personal data.
• If you operate in multiple countries with different laws.
• If you are unsure about legal requirements.

Regular review

Review and update your privacy policy regularly.

• Review it when you add new features or services.
• Review it when you change how you process data.
• Review it at least annually.
• Update the last updated date when you make changes.

Accessibility

Make your privacy policy accessible [1]Source 1 .

• Use proper heading structure.
• Write in clear, simple language.
• Ensure it works with screen readers.
• Make it readable at different zoom levels.

Next step

Review your current privacy policy, or create one if you do not have one. Ensure it accurately describes what data you collect and why. Write it in plain language that people can understand. Make it easy to find from your footer and forms. Review it regularly and update it when things change. Keep it simple and accurate, covering what you actually do rather than what you think you should say. If you need help creating or reviewing your privacy policy, get in touch to discuss your needs. For help with cookie consent, see cookie banners without breaking UX or accessibility.