The ICO exists to empower you through information.

This is a new service. Your feedback will help us to improve it - please complete our feedback survey once you've finished with the generator.

Use this tool to create a bespoke privacy notice for your customers or suppliers.

The tool will ask you questions broken down into simple steps, and then generate a privacy notice that you can download (or copy and paste) and add your own branding. You can then share your privacy notice with people outside your organisation.

This tool is for small and medium-sized businesses and charities. It’s not suitable for organisations that:

  • use large amounts of sensitive personal information;
  • carry out automated decision making; or
  • are required to have a data protection officer (DPO).

Before you start

Make sure you have the following information to hand before you create your privacy notice:

☐ A basic understanding of data protection and how it applies to your business

What does this mean?

If you’re new to data protection, we suggest you read our beginner’s guide before using this tool. There are some steps you might need to take before you’re able to get started.

☐ Why you collect and use information

What does this mean?

You need to know why you’re collecting and using people's information. For example, your reasons might be to provide products or services, to receive donations or to provide patient care.

☐ What types of personal information you collect

What does this mean?

Personal information is any information that identifies and relates to a living person.

You need to know the types of personal information you collect and use, such as payment details, health and wellbeing information and account history.

Find more about what is considered personal information.

☐ Why you are allowed to use personal information

What does this mean?

You need to know all the lawful bases you rely on to collect and use personal information. If you haven't decided this, using our interactive tool will help you. You may have a different lawful basis for each of the reasons you use information.

☐ Where you get people’s information from

What does this mean?

You need to know where you collect people's data from, eg directly from the person, from family members, health care providers, education organisations or CCTV.

☐ How long you keep people’s information

What does this mean?

You need to know how long you keep information for, and how you delete or destroy it when you no longer need it. If you don’t have a specific timeframe for how long you keep information, you must tell people how you decide how long you’ll keep their information, eg until a contract ends. Read our guidance on retention for further information.

☐ Which organisations you share information with, and why

What does this mean?

You need to know which organisations you share information with, eg insurance companies, care providers or data processors.

If you share information with data processors (someone you have hired to do something with personal information for you), you need to know why you share the information with them.

☐ If you share personal information overseas

What does this mean?

You need to know if you are sending information to a separate organisation outside the UK.

This could include:

  • sending information outside the UK by email;
  • giving an international organisation access to one of your databases; or
  • storing personal information on an international server.

It also includes your data processor sharing information for you. 

Read more on transferring personal information outside of the UK.

Please note:
Using this tool will help you tell your customers and suppliers how you use their information, but it’s your responsibility to comply with the law by making sure all the information is accurate and complete. You must keep the content up to date.

The privacy notice generator does not cover the use of cookies. Click here to read our cookies guidance.


The information you input will be retained until midnight on the day you submit it. This is necessary so the tool can produce your bespoke privacy notice. The ICO will not access or use this information.