How to Write a GDPR Privacy Notice for Your Website
## The short answer
GDPR requires you to tell people, in clear and plain language, what personal data you collect, why, and what rights they have — and the standard place to do that is a privacy notice on your website. It is not optional, and a generic copied template rarely fits, because the notice must accurately describe *your* actual data practices. A good privacy notice is honest, specific, easy to find, and written for ordinary readers rather than lawyers.
Transparency is a core GDPR principle. The privacy notice is the main way you meet it, so it deserves more care than the boilerplate it often becomes.
## What a privacy notice must cover
At minimum, your notice should tell people:
- **Who you are** — your organisation's name and contact details, and a data protection contact if you have one.
- **What data you collect** — the categories, such as contact details, order history, or website usage data.
- **Why you collect it** — the purposes, in concrete terms.
- **Your lawful basis** for each purpose (consent, contract, legitimate interests, and so on).
- **Who you share it with** — categories of recipients such as payment processors, couriers, or email platforms.
- **International transfers** — if data goes outside the UK, and how it is protected.
- **How long you keep it** — your retention periods or the criteria you use.
- **Their rights** — access, rectification, erasure, restriction, portability, objection.
- **How to complain** — including the right to contact the ICO.
- **Whether providing data is required** and what happens if they do not.
## Structure it for humans
A wall of dense legal text technically satisfies the rules but fails the spirit of them. Make the notice usable:
- Use clear headings so people can jump to what they care about.
- Lead each section with a plain-language summary.
- Use a layered approach for complex sites: a short top-level summary linking to fuller detail.
- Keep sentences short and avoid jargon.
- Date it, and note when it was last updated.
If a teenager could read your notice and understand what happens to their data, you are on the right track.
## Be specific, not vague
The most common failing is vagueness. "We may share your data with third parties" tells the reader nothing. Instead, name the *categories*: "We share delivery addresses with our courier so they can deliver your order, and card details with our payment provider to process payments." Specificity is more work but it is what the regulation expects and what builds trust.
Likewise, avoid claiming you collect data you do not, or omitting collection you actually do. The notice must match reality — including any analytics, tracking pixels, or third-party scripts running on your site.
## Cookies and tracking
A privacy notice often sits alongside a cookie policy and consent banner. Where you use non-essential cookies or similar tracking, you generally need consent collected through a banner *before* those cookies fire, and your notice should explain what cookies you use and why. Treat the banner and the notice as a pair, not as one substituting for the other.
## Keep it accurate over time
A privacy notice is a living document. Whenever you add a new tool, start a new type of processing, or change who you share data with, update the notice. A notice that describes how the business operated two years ago is worse than useless — it actively misleads. Schedule a periodic review so it does not drift out of date.
## Make it easy to find
Link to your privacy notice from:
- The footer of every page
- Every form that collects personal data, at the point of collection
- Your checkout and sign-up flows
- Marketing emails
The notice should be reachable in a click from anywhere a person hands over data.
## Where this fits a wider compliance picture
Writing the notice forces you to articulate every data flow in your business, which is why it pairs naturally with a data inventory and a lawful-basis register. Doing it properly is the transparent, design-first approach we take when building enterprise-grade products at neart.ai — describe what you actually do, accurately, and make it legible to the people affected.
## Practical takeaway
Do not start from a template; start from a list of every type of personal data you collect and what you do with it. Write the notice from that list, in plain language, covering the required points above, and link to it everywhere data is collected. Then diarise a review so it stays true. An honest, specific, well-structured notice is both a legal requirement and a quiet signal that your business can be trusted with people's information.