The ICO exists to empower you through information.

We’ve written this short guide with the needs of small- to medium-sized enterprises (SMEs) in mind, including small businesses and sole traders. It would also be helpful for small clubs and other groups.

Before you begin to write your privacy notice (sometimes known as a privacy policy), you’ll need to have several key pieces of information to hand:

  • your full contact details;
  • the types of personal data you collect;
  • where you got people’s data from, if it wasn’t from them;
  • why you have people’s information and what you’re doing with it;
  • your lawful basis and your legitimate interests where relevant;
  • who you share people’s information with; and
  • how long you hold people’s information for before getting rid of it securely.

You’ll need to be able to explain these points in writing in a way that’s easy for people to understand. You’ll also need to decide your lawful bases before you start using people’s data. Our handy lawful basis checker will help you.

Your privacy notice needs to include people’s information rights, including the right to withdraw consent, where that’s your lawful basis. Also tell people how they can complain if they’ve got concerns about the way you’re using their information.

We’re here to help. Use our handy privacy notice generator to make your own privacy notice.

It’s important to be open and use simple language so that people – including children, if you’re using children’s data – know exactly where they stand.