UK GDPR requires any organisation that collects or processes personal data to provide privacy information to the people concerned (Articles 13 and 14), normally in a privacy policy or privacy notice. It must be written in clear, plain language (Article 12).
- After Brexit the EU GDPR was retained in domestic law as the UK GDPR, which is read alongside the Data Protection Act 2018
- Must be provided at the time personal data is collected from the individual (or, where the data comes from another source, within one month at the latest), not buried in small print
- ICO can fine up to £17.5 million or 4% of global annual turnover, whichever is higher
- Must identify the Data Controller and how to contact them
- Must state the lawful basis for each category of processing
- Data subjects have 8 rights: to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and rights relating to automated decision-making and profiling
- PECR additionally regulates cookie consent and electronic marketing
- Most data controllers must pay the ICO an annual data protection fee (commonly called registration) unless an exemption applies
Legal reference: UK General Data Protection Regulation (UK GDPR); Data Protection Act 2018; Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR)