How to write a privacy policy that does not backfire
Privacy policies do not win anyone over by being long. They earn trust when they are honest, specific, and match what the organisation actually does every day. For small organisations in the UK that is the whole game.
Why small organisations struggle with privacy policies
Most small organisations start with a template. It might come from a website builder, a large supplier, or something copied from another site. Those templates are usually written for big companies, heavy tracking, and complicated systems.
When you paste that wording into your site without editing, it quietly creates risk. If your policy says you do something, regulators and complainants will assume you really do it. If you do not, the policy becomes evidence against you.
Start from the reality of your data
Before you touch any wording, make a short list of what actually happens in your organisation:
- Where personal data first arrives, for example web forms, email, phone notes, paper sign-in sheets.
- Where it is stored, for example inboxes, shared drives, case management tools.
- Who has access as part of their job, including contractors.
- How long data tends to sit in each place before it is deleted or archived.
- Which external services you use that see personal data, for example newsletter tools or ticket systems.
That list is your real privacy policy. The written policy on the website should describe that reality in readable language.
What a small organisation actually needs to cover
A solid privacy policy for a small organisation answers five questions clearly and in order:
- What data do you collect?
- Why do you collect it?
- Where do you store it, and which services do you use?
- Who can see it, and under what circumstances?
- How long do you keep it, and what happens when it is no longer needed?
Once those are clear, you can briefly signpost people to their rights under UK GDPR and how to raise a concern. Anything beyond that should only be included if it is true in your organisation today, not an ambition for later.
A structure that works for UK SMEs and charities
You can adapt this structure for most small organisations without turning it into a legal epic:
1. Who we are
2. The data we collect
3. How and why we use your data
4. Who can see your data
5. Where your data is stored
6. How long we keep your data
7. Your rights under data protection law
8. How to contact us or raise a concern
Each section should be a short set of paragraphs, not a full novel. The test is simple: could a reasonable person read the policy once and explain back what you actually do?
Common mistakes that cause trouble later
1. Mentioning tools you do not use
Many templates list analytics, remarketing, profiling, or automated decision-making by default. If your organisation does not use them, delete those sections completely. Leaving them in encourages people to assume you run silent tracking or complex scoring in the background.
Your policy should name only the tools you actually use. If you later switch vendors, schedule a quick review so the policy, cookie banner, and real setup stay in sync.
2. Promising things you cannot enforce
A classic example is a statement like “we automatically delete emails after 30 days.” If there is no process or system enforcing that behaviour, the line is dangerous. In a complaint, an ombudsman or regulator will treat that sentence as a promise you failed to keep.
It is safer to describe what you can reliably deliver, for example “we review and clear down shared inboxes regularly and remove messages that are no longer needed.” That still shows intent without claiming automation that does not exist.
3. Turning the policy into a law textbook
Some policies spend three pages rewriting UK GDPR before they mention what the organisation actually does. Visitors do not need that. They need to know how you handle their details.
Keep the law section tight. A couple of paragraphs on people’s rights, a link to the Information Commissioner’s Office, and clear contact details for concerns are usually enough.
4. Hiding behind vague phrases
Phrases like “we may use your data to improve our services” sound safe but say nothing. If you cannot explain in one sentence what “improve” means, either clarify it or remove it.
Better wording might be “we review anonymised enquiry trends to understand which services are most in demand” or “we use basic website analytics to see which pages people visit most.” Specific beats vague every time.
5. Forgetting about offline data
Policies often talk only about websites and online forms, while most of the sensitive material sits in case notes, spreadsheets, or paper files. Your policy should cover both online and offline data if you work with people directly.
What to write if you are not sure
When you are uncertain, lean toward simple and honest rather than clever wording. For many small organisations the core message looks something like:
We only collect the information you choose to send us, for example through our contact form, email, or phone calls.
We use this information to deal with your enquiry, provide services, or meet our legal obligations.
We do not sell your personal data. We do not share it with other organisations for marketing.
We keep your data only as long as we need it for the reason it was collected or as required by law.
You can then add short sections explaining any extra tools you genuinely use, for example a mailing list provider, donation platform, or ticketing system, instead of pasting in long generic paragraphs.
Aligning policy, practice, and governance
A privacy policy is not only a public statement. It is also a checklist for your own governance. Once you have a draft you are happy with, check that:
- Staff know where to find the policy and understand the main points that relate to their role.
- Your data handling matches what the policy claims, especially around retention and sharing.
- Suppliers that see personal data are covered by basic contracts or terms you have actually read.
- There is at least one named person who will respond to subject access requests and complaints.
When those pieces are in place, the policy stops being a dusty page and becomes part of how you run the organisation.
In plain English
- Your privacy policy should describe reality, not aspiration or template leftovers.
- Specific, honest wording reduces GDPR risk more than any amount of boilerplate.
- Most small organisations only need a short, well-structured policy kept aligned with day-to-day practice.
If this has raised questions about your wider setup, you can also read about domain strategy and website mistakes that quietly hurt small organisations.