
GDPR for Therapists – What’s Changed Post-Brexit?

General Data Protection Regulation or GDPR was a mandated requirement from the EU governing body. All member states signed up, including the UK, and it was subsequently written into UK law under the updated Data Protection Act 2018. EU GDPR is obviously an EU Regulation. I’m sure I don’t need to tell you that the UK left the EU on 31 December 2020. So, what’s changed and how does this affect therapists in private practice?

First, a quick recap…

What is Personal Data?

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

GDPR sets out 7 key principles around the collection, control and management of data:

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality (security)

7. Accountability

More details on these principles can be found here.


As of 31 January 2020, the UK implemented a very similar version of GDPR. This is known as UK GDPR, while the GDPR governing the EU is known as EU GDPR. The good news is, the processes, policies and procedures you are currently running in your practice are unchanged by the UK’s exit from the EU if they previously complied with EU GDPR.

Although the two regulations are very similar, there are certain differences that have been set out in the UK Data Protection Act 2018. These concern national security, crime and legal proceedings, and other special categories of data. Reviewing these, only one difference stands out as key for therapists to be aware of: EU GDPR states that a child can consent to data processing at age 16, while the Data Protection Act (DPA) sets this at 13.

The UK government is committed to maintaining the same high standards of data protection and is unlikely to deviate substantially from EU data protection approaches and mechanisms going forward.

Data Flowing To and From the EU

Data to the EU from the UK – At this time, the UK GDPR recognises EU data protection as ‘adequate’ in terms of safeguards. This will be reviewed over time, but for the moment there are no restrictions in place, so data can flow freely.

Data from the EU to the UK – The EU has agreed to delay any transfer restrictions for four to six months (known as the bridge). This means that data can flow freely for the time being. The EU will make something known as an ‘adequacy decision’ – a formal decision by the EU recognising that another country provides a level of protection for personal data equivalent to the EU’s own. A draft decision by the EU has stated that it regards UK data protection standards as ‘adequate’ to its own. This will need to be ratified by the EU member states.

What About Cookies, Marketing Emails & Medical Records?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications, covering marketing, cookies and similar electronic communications. They derive from EU law but are set out in UK law, so they continue to apply.

The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed upon.

If you keep medical records you need to be registered with the ICO.

What is the ICO’s Role Now?

The Information Commissioner’s Office or ICO remains the independent supervisory body for the UK’s data protection legislation. They have some good resources to support you in keeping up to date with GDPR here.

Help, I’m Still Confused!

If you are struggling with GDPR compliance and don’t know where to start, Pocket Site has put together some helpful packs to get you started. We have also written a comprehensive blog post answering more therapist questions: GDPR Therapist Questions Answered.


Sarah Rees

Sarah is a fully accredited Cognitive Behavioural Therapist and mental health writer delivering Modern Mental Health for you and with you in Mind. Sarah is the author of ‘The CBT Journal’ which helps you write for your wellbeing incorporating CBT techniques. For more information and to keep in touch have a look at