How to Write a GDPR Data Privacy Notice – Updated Guide and Template for 2025

In 2025, transparency continues to be at the heart of effective data protection. A clear and compliant privacy notice is not only a regulatory necessity under the UK and EU GDPR (General Data Protection Regulation), but also a critical element in building trust with your customers and stakeholders.

This updated guide will help your organisation craft a privacy notice that meets current standards, enhances transparency and demonstrates your commitment to data privacy.


What is a GDPR privacy notice?

A GDPR privacy notice is a public-facing document that clearly informs individuals about how an organisation collects, processes and protects their personal data.

Privacy notices help data subjects by clearly explaining how their personal data is collected, used and protected.

There are two reasons for doing this. First, it offers transparency about how personal data is being used, ensuring a level of trust between the organisation and the individual.

Second, it gives individuals more control over how their data is used. If there’s something they aren’t happy with, they can submit a DSAR (data subject access request) or ask the organisation to suspend that processing activity.


Key elements of a GDPR privacy notice

Articles 13 and 14 of the GDPR specify that your privacy notice must include:

Contact details
State your organisation’s name, address, email and phone number.

Provide the contact information for your DPO (data protection officer) or GDPR representative.

Types of personal data processed
Clearly list and describe specific categories of data (e.g. email addresses, account numbers, biometric data).

Specify the source if data is obtained indirectly (third parties, publicly accessible sources, etc.).

For an idea of what this might look like, take a look at our privacy notice template.

Be as specific as possible about the type of information you collect and how you obtained it.

Lawful basis for processing
Clearly state the lawful basis used for each data processing activity (consent, contract, legal obligation, legitimate interests, etc.).

Explicitly describe your legitimate interests or consent mechanisms where applicable.

Remember that there are specific rules for processing special categories of personal data.

Data processing and sharing
Detail any data transfers to third parties, including international transfers and measures taken to secure data (e.g. standard contractual clauses, adequacy decisions).

You might be required to state whether data will be shared with organisations based in third countries.

Data retention periods
Clearly specify how long data will be retained or the criteria used to determine retention periods.

Review your data retention policies regularly; at least every two years is recommended.

Data subject rights
Clearly explain each of the GDPR data subject rights:

  • Right to be informed
    Organisations must tell individuals what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
  • Right of access
    Individuals have the right to request a copy of the information that an organisation holds on them.
  • Right of rectification
    Individuals can correct inaccurate or incomplete data.
  • Right to be forgotten
    In certain circumstances, individuals can ask organisations to erase any personal data stored on them.
  • Right of portability
    In some circumstances, individuals can request that an organisation transfers their personal data to another company.
  • Right to restrict processing
    In some circumstances, individuals can request that an organisation limits its use of personal data.
  • Right to object
    Individuals have the right to challenge certain types of processing, such as direct marketing.
  • Rights related to automated decision making, including profiling
    In most circumstances, individuals have the right to object to activities where automatic decisions are made based on their personal data.


Create your own privacy notice with our template

You can find everything you need to create a GDPR-compliant privacy notice with our template.

Our template privacy notice includes annotations to ensure you meet the GDPR’s requirements.

This GDPR template, created by data protection experts, helps you quickly create a privacy notice that meets the Regulation’s requirements.


Is a privacy notice the same as a privacy policy?

It’s essential not to confuse a privacy notice with a privacy policy.

A privacy notice is a public-facing document intended for data subjects, detailing how their personal data is processed.

By contrast, a privacy policy is an internal document outlining the organisation’s GDPR compliance practices and obligations.


When should you provide a GDPR privacy notice?

Privacy notices should be provided at the point of data collection. Exceptions include when:

  • The individual already has the information.
  • Providing the notice requires disproportionate effort.
  • Legal obligations dictate confidentiality.

If you obtain personal data indirectly, provide a privacy notice within one month or upon initial communication with the data subject.


How to write a clear and accessible privacy notice

Your privacy notice must be clear, concise and written in straightforward language. Consider these guidelines:

  • Avoid complex legal jargon and vague terms such as ‘may’, ‘often’ or ‘some’.
  • Use plain, simple language and the active voice.
  • Take particular care to be clear when explaining complex topics, especially if you process children’s data.
  • Ensure your privacy notice is easily accessible – clearly linked on your website or provided directly to individuals.


Best practices for privacy notices in 2025

To ensure your privacy notice meets the latest compliance standards, adopt these best practices:

  • Regularly update your privacy notice to reflect any changes in your processing activities or data protection regulations.
  • Make your privacy notice available at every data collection point.
  • Consider layered notices or privacy dashboards to enhance transparency.


Simplify your compliance with our GDPR Documentation Toolkit

Looking for more advice on GDPR compliance? You can find all the documentation you need with our GDPR Documentation Toolkit.

Accelerate your data privacy compliance project with more than 50 customisable, GDPR- and DPA 2018-compliant documentation templates.

Meet your data protection obligations with expert guidance and implementation tools developed by lawyers and data privacy experts, including:

  • Risk treatment plan
  • DPIA (data protection impact assessment) tool and procedure
  • Data breach and incident response procedures
  • Remote working documentation


A version of this blog was originally published in November 2018.

The post How to Write a GDPR Data Privacy Notice – Updated Guide and Template for 2025 appeared first on IT Governance Blog.