Skip to content
360 Cyber Compliance

Data protection · 1 July 2026

Privacy notices explained: what to include and why they matter

Transparency is a core principle of UK GDPR: people have the right to know how their personal data is used. A privacy notice is how you meet that obligation. This guide explains what a good privacy notice contains and how to write one people can actually understand.

What a privacy notice is

A privacy notice (sometimes called a privacy policy or fair processing notice) is the information you give people about how you collect and use their personal data. It’s the practical expression of the UK GDPR principle of transparency — telling people, in advance and in plain language, what happens to their data.

You may need more than one notice for different audiences — for example, one for service users and families, and another for staff and job applicants — because the way you use their data differs.

What UK GDPR says it must contain

UK GDPR sets out specific information you must provide. A complete privacy notice covers:

ElementWhat to explain
Who you areYour organisation’s identity and contact details
DPO detailsContact details for your Data Protection Officer, if you have one
PurposesWhat you use the data for
Lawful basisYour UK GDPR basis, plus any special-category condition
RecipientsWho you share the data with
RetentionHow long you keep the data
Individual rightsPeople’s rights, including access, correction and erasure
Right to complainThat they can complain to the ICO
Source of dataWhere you obtained it, if not from the person directly
Transfers abroadAny transfers outside the UK and the safeguards

Much of this information comes straight from your Record of Processing Activities (RoPA), which is why the RoPA is such a useful foundation.

Writing it so people understand

A privacy notice only works if people can understand it. UK GDPR requires the information to be concise, transparent, intelligible and easily accessible, using clear and plain language. To achieve that:

  • Avoid legal jargon and long, dense paragraphs
  • Use headings, short sections and everyday words
  • Consider a layered approach — a short summary that links to fuller detail
  • Tailor the tone to the audience

Special care in health and social care settings

In a care setting, your audience may include people who are unwell, elderly or living with cognitive impairment, as well as their families and representatives. A privacy notice that’s technically complete but impenetrable doesn’t meet the transparency standard.

Consider providing information in accessible formats — easy-read versions, large print, or a verbal explanation — so that people genuinely understand how their information is used. This connects to your wider obligations in our UK GDPR in healthcare guide.

When and how to provide it

Timing matters. You should provide the privacy notice:

  • At the point you collect data directly from someone (for example, at the start of a service or during recruitment)
  • Within a reasonable period if you obtain data from another source — and at the latest within one month

Make it easy to find: on your website, in welcome packs, on forms, and wherever you collect data.

Keeping it accurate

A privacy notice must reflect what you actually do. Review it whenever your processing changes — a new system, a new supplier, or a new purpose — and at least once a year. An out-of-date notice is worse than none, because it misleads people about how their data is used. If any terms are unfamiliar, our glossary can help.

The layered approach in practice

For anything but the simplest processing, a layered privacy notice is usually the best solution. The idea is to lead with a short, readable summary covering the essentials — who you are, what you do with data, and where to find out more — and then link or point to a fuller notice with the complete detail. This respects people’s time while still meeting the legal requirement to provide all the mandated information. In a care setting, the top layer might be a friendly paragraph in a welcome pack, with the full notice available on request or on your website.

A common confusion is treating a privacy notice as a consent form. They serve different purposes. A privacy notice informs people about your processing, whatever your lawful basis; consent is one of the six lawful bases and involves asking permission. Most care processing relies on bases other than consent — legal obligation, vital interests or public task — so your privacy notice will typically explain those bases rather than seek agreement. Keeping the two ideas separate avoids the trap of asking for consent you don’t need and can’t easily withdraw.

Common mistakes

  • Copying a generic template that doesn’t match what you actually do
  • Writing in dense legal language nobody reads
  • Forgetting a separate notice for staff and applicants
  • Never updating it when processing changes
  • Omitting the right to complain to the ICO
  • Confusing a privacy notice with a consent form

How we can help

A clear, accurate privacy notice is a straightforward thing to get right with the correct information to hand. We offer a clear, fixed-fee engagement that produces privacy notices tailored to your organisation and audiences, drawn directly from your processing records, in language your service users and staff can understand. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.

Need help in practice? See our Data Protection & UK GDPR service.

Need a hand with this?

Book a free, no-obligation readiness check.