GDPR Compliant Privacy Policy – What you need to include

This post is presented for information purposes only.
The content of this post does not constitute legal advice and should not be relied upon as such.
Consult your legal advisor to understand your rights and obligations in order to comply with any laws and/or regulations.

Do you need a privacy policy on a website? 

Your website’s privacy policy is one of the best ways to communicate the key information that you are required to provide to data subjects at the time they provide their data, in order to comply with data protection laws and regulations including the GDPR.

Do you need a cookies policy on a website?

Your website should inform users that cookies are used, explain what the cookies are used for, and obtain consent from users. This should include a full list of the cookies used and explain what data is collected and how it is used. There are a number of approaches to this, including using popups alongside a longer cookies policy page on your website.

What should you include in a privacy policy? 

Some of the key elements that you need to include in your privacy policy are:
• The purpose of and legal basis for processing the data, including all legitimate interests pursued by the controller
• The source of the personal data
• Details of recipients, or categories of recipients, of the data
• Any countries that the data is transferred to and what safeguards are in place. These are known as approved transfer mechanisms
• The period for which the data will be stored, or the criteria that will be used to determine how long the data will be stored for (the retention period)
• The existence of the rights of data subjects
• Confirmation of the existence of the individual’s right to request access to, and rectification or erasure of, personal data, as well as the right to restrict or object to processing concerning the data subject, and the right to data portability
• The existence of the right to withdraw consent that has been provided previously
• The identity and contact details of the controller (and, where applicable, also the controller’s representative)
• The contact details of the data protection officer (if applicable)
• Details of the right to complain to the Data Protection Authority
• Whether data provision is a statutory or contractual requirement, or a requirement necessary to enter into a contract, including whether the data subject is obliged to provide the personal data and the possible consequences of failing to provide the data
• Details of where the legitimate interest condition has been relied upon
• The existence of any automated decision making, including profiling. Provide information about the logic involved as well as the significance and consequences of such processing
• Any additional information that is needed considering the circumstances in which the data is or is to be processed


1. I run a one-man driving school. My website provider has told me I need to pay them £175 + VAT for a privacy policy for this GDPR.
    I feel that they are only after more money from me. Can you please tell me if they are correct or not in asking for this policy money?

    1. Hi John

      Thanks for your comment. Whilst I’m not a legal expert, you may well need a privacy policy as part of your plan for GDPR compliance, although £175 sounds incredibly cheap if they are writing it for you. Of course, a privacy policy is not the only thing you will need to consider, and you will only be able to write your privacy policy once you have considered things like where you store your data, how you protect your data, and what types of data you process. From an email marketing perspective, you might want to take a look at this post.

      Sorry that this isn’t a definite yes or no. But I’d say £175 is very cost effective if they are doing the job properly.
