If your website offers goods or services to people in the UK or European Union, or monitors their behaviour (for example through analytics or tracking cookies), you are required to have a Privacy Policy that meets the standards set by UK GDPR, the Data Protection Act 2018, and EU GDPR (Regulation 2016/679), even if your company is based in the United States. Simply being reachable from Europe is not the trigger; targeting or monitoring people there is. This is one of the most fundamental legal requirements for any website collecting personal data.
For US-based businesses like GFIS LLC that serve UK and EU customers, these obligations apply regardless of where the business is incorporated. GDPR has extra-territorial reach under Article 3(2): if you process personal data of people in the EU or UK in connection with offering them goods or services, or with monitoring their behaviour, GDPR applies to you.
This guide explains exactly what your Privacy Policy must contain, why it matters, and what happens if you get it wrong.
What Is a Privacy Policy and Why Is It Required?
A Privacy Policy is a legal document that tells your website visitors and customers what personal data you collect about them, why you collect it, what legal basis you rely on to process it, who you share it with, how long you keep it, and what rights they have over their data.
Under Articles 13 and 14 of EU GDPR (mirrored in UK GDPR), data controllers are legally required to provide this information to data subjects at the point of collection. A Privacy Policy is the primary mechanism for doing this.
This is not optional. Operating a website that collects personal data — even just an email address via a contact form — without a compliant Privacy Policy is a breach of data protection law.
The Legal Framework: UK GDPR vs EU GDPR
After Brexit, the UK operates under UK GDPR (retained from EU GDPR and supplemented by the Data Protection Act 2018). For most practical purposes the requirements are nearly identical, but penalties and enforcement authorities differ.
EU GDPR is enforced by the local data protection authority in the relevant EU member state. Penalties can reach €20 million or 4% of global annual turnover — whichever is higher.
UK GDPR is enforced by the UK's Information Commissioner's Office (ICO). Maximum fines are £17.5 million or 4% of global annual revenue.
If you serve both UK and EU customers, your Privacy Policy must address both frameworks. A single policy can cover both, provided it is sufficiently comprehensive.
What Your Privacy Policy Must Include
A GDPR-compliant Privacy Policy must be written in clear, plain language. Documents that ordinary people cannot understand do not meet the standard. The following elements are all mandatory.
1. Identity and contact details of the data controller: Who is responsible for the data? This must include the company name, registered address, and a contact email address, plus the contact details of your Data Protection Officer if you have appointed one. If you are established outside the EU (or the UK) and Article 27 applies to you, you must also appoint a representative in the EU (or the UK) and name them in the policy.
2. What personal data you collect: Be specific. "Name and email address" is better than "personal information." If you collect IP addresses, payment data, or behavioural data via cookies, you must say so explicitly.
3. The purpose of processing: For each type of data, explain why you collect it. Providing a service, improving the website, and sending marketing emails are all different purposes and must each be stated separately.
4. The lawful basis for processing: This is perhaps the most important element. You must identify which of the six lawful bases under Article 6 GDPR applies to each processing activity:
- Consent — the individual has given freely given, specific, informed and unambiguous consent by a clear affirmative action, and can withdraw it as easily as they gave it
- Contract performance — processing is necessary to fulfil a contract with the individual
- Legal obligation — processing is required by law
- Vital interests — necessary to protect someone's life
- Public task — carrying out a task in the public interest
- Legitimate interests — processing is in your legitimate interests and not overridden by the individual's rights
You cannot process data without a documented lawful basis. Vague statements such as "we collect data to improve our service" are insufficient without identifying the specific legal ground.
5. How long you retain data: You must state specific retention periods or the criteria used to determine them. Keeping data indefinitely without a defined retention schedule is not GDPR compliant.
6. Who you share data with: List categories of recipients — payment processors, email platforms, cloud storage providers, analytics tools, government agencies. If data is shared with third parties outside the UK or EU, explain the transfer safeguards in place (such as Standard Contractual Clauses).
7. Individual rights: You must clearly explain the rights available to data subjects and how they can exercise them:
- Right of access — to receive a copy of their data (Subject Access Request)
- Right to rectification — to correct inaccurate data
- Right to erasure — the "right to be forgotten"
- Right to restriction of processing — to limit how their data is used
- Right to data portability — to receive their data in a machine-readable format
- Right to object — to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making — not to be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects, and to obtain human intervention and contest such a decision
You must also state how quickly you will respond. Under GDPR (Article 12(3)), you must respond without undue delay and in any event within one month of receiving the request. That period can be extended by up to two further months where requests are complex or numerous, but you must tell the individual about the extension, and the reasons for it, within the first month.
8. Right to complain to a supervisory authority: In the UK, this is the Information Commissioner's Office (ico.org.uk). In the EU, it is the data protection authority in the individual's member state. You must include this information even if you believe your processing is fully compliant.
Data Breaches: What You Must Do
Under GDPR (Article 33), if you experience a personal data breach that is likely to result in a risk to individuals' rights and freedoms, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If notification is later than 72 hours you must give reasons for the delay. This is a tight window that requires having an incident response procedure in place before a breach occurs. Breaches that are unlikely to result in a risk do not have to be reported, but every breach must still be recorded internally (Article 33(5)).
Your Privacy Policy should acknowledge this obligation. If a breach is likely to result in a high risk to individuals, you must also notify the affected individuals directly without undue delay (Article 34).
International Transfers: The US Issue
For US-based businesses receiving data from UK or EU visitors, international data transfer rules are particularly important. Personal data transfers from the UK or EU to the US must be covered by an appropriate safeguard or an adequacy decision: Standard Contractual Clauses (SCCs, or the UK International Data Transfer Agreement/Addendum), Binding Corporate Rules, or certification under the EU-US Data Privacy Framework for EU-to-US transfers and its UK extension, the UK-US Data Bridge, for UK-to-US transfers. If you rely on SCCs you must also carry out and document a transfer risk assessment. Your Privacy Policy must explain which mechanism you rely on and how individuals can obtain a copy of the relevant safeguards.
US businesses that receive enquiries through contact forms or collect email addresses from UK or EU visitors are making an international data transfer every time that data lands on a US server. This is not a technicality — it is a substantive compliance obligation.
Common Mistakes to Avoid
The following are among the most frequent Privacy Policy failures identified by data protection authorities during audits and investigations:
- Vague or generic language that does not accurately reflect actual data practices
- Missing lawful basis for one or more processing activities
- No retention periods — stating that data is kept "as long as necessary" without specifying what that means
- No mention of cookies and tracking — non-essential cookies and similar tracking technologies need prior consent under PECR and the ePrivacy rules, and must be described either in the Privacy Policy itself or in a separate Cookie Policy linked from it
- Not updating the policy when data practices or third-party tools change
- Using an unmodified template designed for a different business model or jurisdiction
- No international transfer mechanism stated for US-based businesses serving UK or EU visitors
Our Privacy Policy
You can read the Wyoming LLC UK Privacy Policy at privacy-policy.html. It covers all the elements described in this article and has been drafted to comply with both UK GDPR and EU GDPR.
If you have questions about how we handle your data, or if you wish to exercise your data subject rights, contact us at our contact page.
Need Help Setting Up Your US LLC?
We help UK and European founders form US companies remotely. All packages include the formation documents and compliance support you need to get started — including guidance on the data protection obligations that apply when your US LLC handles data from UK and EU customers.