Small Business GDPR Policy Template

Laws about privacy that require businesses to have privacy policies, apply to businesses of all sizes. Therefore, as a small business, you are just as responsible for any data breaches, or wrong ways you handle data, as a billion-dollar multinational corporation is. Additionally, you surely have customers, with whom you correspond. Hence, the people you deal with have names and email addresses and as a result you are processing personal data and you need to have a Privacy Policy.

This article will outline how to create a privacy policy and post one.


Small Business GDPR Policy Template 

Our GDPR Compliance Software for the SME, will allow you to Generate a privacy policy for your small business site. Follow these few easy steps: 


1. Select your industry sector

Small Business GDPR Policy Template-1

2. Confirm your business processes

Small Business GDPR Policy Template-2

3. Generate your Privacy Policies

Small Business GDPR Policy Template-3

4. Our updates keep you in the green

Small Business GDPR Privacy Policy Template-1


Small business GDPR Policy Template


Small business GDPR Policy Template – drafting a GDPR Policy template for your company is a complex task, therefore consider using our GDPR compliance software, to make it easier. In a few easy steps get your GDPR Privacy Policy template ready to implement on your site. 

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your small business. 


Why do you need a Privacy Policy for your Small Business?

Even small businesses need a Privacy Policy because of a number of reasons:

(1) Privacy Policies are required by law and as a result protect you from liability and (2) they allow you to inform your customers, suppliers and staff on how you use their personal information.

Therefore, by law, you have to have a privacy policy.

Moreover, if your customers have to give you personal information in order to buy your product or service, you are required by law to post a Privacy Policy on your website or have one at your office or storefront.

Personally identifiable information is a general term for any information that can be used to find, contact, or identify a person. It includes the following, but is not limited to them:

  • Full names
  • Dates of birth
  • Physical addresses
  • Any type of national identification number
  • IP addresses
  • Telephone number
  • Screen names or handles
  • Email address
  • Credit card numbers

Protection from Liability Through a Privacy Policy

You must handle data in a way that’s in line with privacy and local laws. Hence, this means you need to implement the right internal processes, procedures and policies so your firm ensures the privacy and security of personal data. Furthermore, do know that, if a customer thinks that you are not safeguarding his privacy in a way that is compliant with the laws he  or she can easily lodge a formal complaint with local authorities. Furthermore, those authorities are forced to investigate the issue. So, you could be liable, or at least have to fight the claim in court, which could be expensive and take a lot of time.

Small businesses have the most to lose when they fail to live up to their customers’ expectations on privacy given they often rely on a smaller, more regional customer base.

A Privacy Policy explains how you will handle information and informs them what they can and can’t do. Visitors to your website can subsequently take an informed decision on whether or not they want to do business with you. At the same time, a customer is less likely to have a case against you when they have agreed to your Privacy Policy. Therefore, they, as a result give you permission to process their personal data in line with the statements in your privacy policy.

How to Create a Privacy Policy for Your Small Business

Adding the following basic clauses to your Privacy Policy will help you follow current privacy laws. In addition to writing a Privacy Policy that follows the rules, you must also make it available to your customers, and make sure they agree to its terms.

Required Clauses in a Privacy Policy:

When writing your full small business GDPR Policy template, start with these important parts.

Identification of your firm and its role

Every Privacy Policy should start with outlining who the company is that is processing the data and in what capacity / role it is doing so.

What kind of information you gather

Here is where you will tell customers exactly what information you collect and why. 

Thus, the what part is pretty straightforward e.g. their names, addresses, email addresses, and payment information. 

The why part often needs some reflection and some expert input. GDPR requires you to describe the business purpose to any data processing and ensure you have documented legal basis for it. Check out our knowledge base for more information on this topic.

Hence, in this part, it is better to be too specific than to be vague. Also, do note that GDPR requires you to keep the language and structure simple so it is easily understood. The best way to explain to customers what kind of information you need and want from them is to keep things simple.

How Data is gathered

You should document how you collect information in the same clause as the types of information you collect, or you can put it in its own clause.

Therefore, this clause will change based on what kind of business you have. Just be sure to tell people how you get their information, whether it’s from them, or a third party..

Information You Share or Disclose

Most companies share, or pass on, some information as  part of their business operations. For example, businesses pass on invoices with customer names on there, to their bookkeeper. Businesses also use all sorts of Cloud or SAAS tools to help them run their business. For example, a Cloud CRM tool, to help them manage their customers data and sales process. Given the cloud or SAAS tool is owned not by the firm but by a third party the data is wholly or partly shared with that third party. 

Therefore, make sure you inform your users which third parties you use, so they can make an informed decision around the effect on their privacy. 

Your customers have rights

Certainly, GDPR has ensured that consumers now have right when it comes to their data. One of these rights is to be able to see and change their personal information. In your small business GDPR Policy template, you must not only tell customers about their rights but also explain how they enact those rights.

Measures to protect and secure data

Customers need to be reassured on how you keep their information safe. You don’t have to go into too much detail, as that could provide information to potential hackers, but you should outline the general steps you take to keep things safe.

Make sure that what you say you’re doing to keep data safe, is what you’re actually doing.

Opt-out Procedures

Many countries have laws restricting unsolicited email or spam. Therefore, you have to give customers the chance to opt out of these communications. If you don’t, you could be held civilly responsible and have to pay fines.

Also, it’s just a nice thing to do. Also, if a customer bought something from you once and doesn’t want to hear from you again, giving them a way to say so helps your goodwill. You might think of promotions as a way to make money, but being nice to customers also helps you get ahead in your market.

Also, your Privacy Policy should explain how to stop getting spam or promotions if you don’t want to. Give customers a phone number or email address they can use to get in touch with you, if they don’t want to hear from you.

Changes/Updates to the policy and notification about those changes

As laws and your privacy practises change, it is likely that you will need to change your Privacy Policy. Write this right down in your Privacy Policy so that you don’t catch customers by surprise.

Henceforth, having to give notice of changes is helpful. You can do this by sending them an email, using banner ads, or putting an announcement at the top of your Privacy Policy.

Accessible Privacy Policy 

Additionally, your policy on privacy must always be easy to find. One common way to do this is to link to your Privacy Policy at least in the website’s footer.

You can also put a link to your Policy on pages where people sign up, check out, sign up for emails, and in other places where personal information is collected.


Summary of what to include in a Small Business Privacy Policy template 


Small businesses have more to lose if their data is breached, or if customer misunderstandings appear. A well-written Privacy Policy is a good way to start protecting the personal information of your customers, and will help you protect information better.

Keep these four aspects in mind when you write your Privacy Policy:

  • Don’t ask for more details than you need. Do not ask for a customer’s date of birth if you do not need it to help them. Less personal information means less work to keep safe and keep track of it.
  • Keep it brief. Nowadays, people are getting smarter about the information they give to companies, and how it is used. If you write a Privacy Policy that is unclear or more complicated than it needs to be, they will be suspicious and less likely to do business with you.
  • Make it fit your business. Different kinds of information are gathered by a fitness centre and an accounting firm. Make sure your small business GDPR Policy template fits your business, and the information you collect.
  • Implement good information practices. A Privacy Policy gives you a good base and helps you build stronger relationships with your customers. However, this will not help you at all if you don’t protect your systems from viruses, and make sure they are secure.


Our GDPR compliance software for SMEs can generate any document required by the GDPR regulation:

Your Privacy Policy that you should put on your website, Privacy Policy for your employees that should be in a separate file, a Data Sharing Agreement and a GDPR Register.