How to Write a GDPR-Compliant Privacy Policy (Without Hiring a Lawyer)
Write a privacy policy that satisfies GDPR and POPIA requirements without expensive legal fees. What to include, how to structure it, and common mistakes to avoid.
Most privacy policies fail on the basics
A privacy policy copied from another website, filled with legal boilerplate, and last updated four years ago is not GDPR compliant. Data protection law requires your privacy notice to be written in clear, plain language that an ordinary person can understand. Legalese does not satisfy this requirement.
The sections every privacy policy must include
1. Who you are and how to contact you
State your business name, registered address, and contact details. Name your Information Officer (required under POPIA) or Data Protection Officer (required for some under GDPR) and provide a contact email for privacy matters.
2. What personal data you collect
List categories specifically: "We collect your name, email address, telephone number, business name, and invoicing address when you become a client." Also mention data collected automatically — analytics, cookies, IP addresses.
3. Why you collect it and your lawful basis
For each purpose, state what the data is used for and your lawful basis. Example: client contract management — lawful basis: contract; marketing emails to existing clients — lawful basis: legitimate interests; newsletter subscriptions — lawful basis: consent; accounting records — lawful basis: legal obligation.
4. How long you keep data
Be specific — "as long as necessary" does not satisfy GDPR. Example: client financial records: 5 years after last transaction (SARS) or 6 years (HMRC); marketing and contact data: deleted 12 months after last interaction or on request.
5. Who you share data with
List categories of recipients: CRM provider, email platform, accounting software, payment processor. Disclose any data sharing outside South Africa or the EU/UK and explain safeguards.
6. Individual rights
Explain all applicable rights and how to exercise them. Provide a dedicated email for privacy requests. Make it easy — this is the point of the section.
7. Right to complain
State that people can complain to the Information Regulator (inforegulator.org.za) in South Africa, the ICO (ico.org.uk) in the UK, or their national DPA in the EU.
8. Cookies
If your website uses cookies, explain which you use, what they do, and how users can control them.
Common mistakes to avoid
- Copying someone else's policy — it may not reflect your actual practices
- Writing in legal jargon — GDPR requires plain language
- Not updating it when your practices change
- Listing consent as the lawful basis for everything — incorrect and creates obligations you may not meet
- Forgetting B2B data — employee contact details at client companies are still personal data
Do you need a lawyer?
For most small businesses with straightforward processing, no. Where legal advice is worthwhile: if you process sensitive data (health, financial, biometric), operate in regulated sectors, or regularly transfer data across borders.