GDPR Therapists Questions Answered

GDPR is a very positive step for how all our personal data is held: we will have the right for our data to be deleted, and there will be assurance around how information about us is taken, stored and disposed of.

The whole system around how data is kept will become a much more transparent process. For people considering therapy, you will be given precise information on what data will be kept, how long this will be stored and how it will be disposed of.

If organisations intend to sell your data on or pass it to third parties, they will have to let you know. Hopefully, this will mean a drop in spam mail for everyone, and we will feel more secure about our personal data.

I am part of a number of social media groups where therapists discuss issues such as GDPR. Recently, I collected questions from therapists who wanted answers around GDPR, and decided to set down some best practices and collate the answers in a blog post so it can be shared around.


Good practice tips for GDPR

Don’t ask for any personal data you don’t need to complete your contractual and lawful obligations.

Don’t keep data any longer than you lawfully or contractually need to. Ask yourself: if I had to explain why I was holding this data, what would I say?

Don’t send data to any third parties that you haven’t vetted for good GDPR practice or haven’t declared in your contract that you will share data with.

Do keep all data – personal and sensitive – in secure storage, whether paper or electronic.

Do delete data for which you have no contractual or lawful reason to hold. A good practice is to review the data pockets you have on a regular basis and remove anything that is no longer needed.

Do encrypt data where it is sensible and possible to do so.

Finally, apply common sense. If it was my data, would I be happy for it to be held, used and distributed this way?


If you are struggling with GDPR Compliance and don’t know where to start, Pocket Site has put together helpful packs to get you started on the road to compliance – GDPR Compliance Pack, GDPR Therapy Agreement, GDPR Supervision Agreement and GDPR Data Processing Agreement.

Update following the UK leaving the EU:

What has really changed with GDPR since the UK left the EU in December 2020 and how does it affect your therapy practice?

First, let’s recap a little on GDPR as a lot of water has flowed under the bridge since 2018.

GDPR came into effect for the UK in May 2018 governing how we manage, protect, collect, process and inform people about the data we hold on them.

GDPR was a mandated requirement from the EU governing body that was signed up to by all member states, including the UK. It was subsequently written into UK law under the updated Data Protection Act 2018.

GDPR sets out 7 key principles around the collection, control and management of data:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

More details on these principles can be found here as a recap – ICO – GDPR Principles

We left the EU on 31 December 2020.

As of 31 January 2020, the UK implemented a very similar version of the GDPR which is known as UK GDPR, while the GDPR governing the EU will be known as the EU GDPR. This means there is no real change to how you manage your client data under UK GDPR compared to how you did manage it under EU GDPR.

The two regulations are very similar, with certain differences that have been set out in the UK’s Data Protection Act 2018. These are to do with national security, crime and legal proceedings, and other types of special data categories. Reviewing these, in the main I see only one difference that is perhaps key for a therapist to be aware of – EU GDPR states that a child can consent to data processing at age 16, whilst the Data Protection Act (DPA) sets this at 13.

The UK government is committed to maintaining the same high standards of data protection and is unlikely to deviate substantially from EU data protection approaches and mechanisms going forward. Indeed the ICO, the UK’s independent body set up to uphold information rights, remains close to its EU counterparts.

The good news is that the processes, policies and procedures you are currently running in your practice will be unchanged by the UK’s exit from the EU if they previously complied with EU GDPR.

Data flowing to and from the EU

Data to the EU from the UK – can flow freely and unrestricted. At this time the UK GDPR recognises the EU data protection as ‘adequate’ in terms of safeguards. This will be reviewed over time but for the moment no restrictions are in place.

Data from the EU to the UK – the EU has agreed to delay any transfer restrictions for four to six months (known as the bridge). This means that data can flow freely from the EEA as before unrestricted for the time being. The EU will make something known as an adequacy decision – a formal decision made by the EU which recognises that another country provides an equivalent level of protection for personal data as the EU does. A draft decision by the EU has stated that it regards the UK data protection standards as ‘adequate’ to its own. This will need to be ratified by the EU member states.

What about cookies and marketing emails?

The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act and the UK GDPR. They give people specific privacy rights in relation to electronic communications, covering marketing and cookies. They derive from EU law but are set out in UK law. They continue to apply.

The EU is replacing the current e-privacy law with a new e-privacy Regulation (ePR). The new ePR is not yet agreed upon.

Check out this Blog Post – GDPR For Therapists – What’s Changed Since Brexit

Now for the GDPR questions

1. The right to be forgotten – do we have to inform previous clients they have this right? 

No. Deletion is allowed when processing no longer has a lawful basis. As a practitioner, you would need to make this call rather than the client as to the lawful basis for retaining the data. The only circumstance I can see where you might want to contact a client is if your signed contract with the client specifies you’ll keep the data for a number of years beyond anything that you are lawfully obliged to do. Otherwise, delete it.

Under Common Law, you are allowed to keep records for six years to protect yourself from a client claiming breach of contract or personal injury. It’s advisable to update your contract to specify that under Common Law you will keep records for six years, and three years after someone turns 18. GDPR will want you to take technical and organisational measures to secure the data, as it would class as sensitive data. (Balens confirmed this)

If you’re holding records longer than this, then I would ask yourself why. Don’t hold data just in case.

Updated: advice in this space is changing; timescales vary between 6, 7 and 10 years, and indefinitely, after treatment finishes. Check with your insurers, as they will usually require that client files are kept for a specified period of time for any breach of contract or liability claims. Whichever timescale you go with, ensure the privacy information within your contract is updated so the client knows this and why it’s kept.

Balens have updated advice:

“The Statute of Limitations in the UK (i.e. time when an individual is able to bring a claim) is 6 years for certain injury claim situations, or 6 years after the individual reaches the age of majority in the case of minors, hence our policy conditions. Your records are your best line of defence in any claim situation hence the need to keep the records for at least this long, and there are provisions under the GDPR with regards to keeping records to defend yourself in a claim situation.

Balens then go on to say:

It is likely that our policy wording following GDPR will keep in line with the above, however, we are waiting for further clarification from our Insurance partners regarding this. We will ensure that we write to all clients as soon as we have had confirmation and in good time for them to comply with GDPR.”

Always align your data retention policy with the specific wording in your insurance policy, the last thing you want to do is invalidate your insurance policy by not retaining your records when/if a claim is made.


2. What about email, do we need to use encrypted email?  

Given the sensitive nature of the data that you hold and may need to send in emails, it’s best to have available an encrypted email solution for sending sensitive* personal information. It’s also sensible to password protect attachments as routine. There is a myriad of email solutions on offer. Most of the key ones offer encryption as a default or via an add-on.

Gmail is an encrypted email service. It will warn you if you are sending to a non-encrypted email service. There are extensions to Gmail that offer end to end encryption irrespective of the recipient – FlowCrypt: Encrypt Gmail with PGP is one option, but there are others around.

Office 365, the paid subscription service, does offer encryption. It’s a little challenging to set up. This article may help: Setting Up A Secure Message With Digital Signatures

MacMail – this article explains how to encrypt emails for Mac Mail. Encrypting MacMail

If you don’t use any of these, there are other options: Tutanota, Ghostmail, and Protonmail.

Protonmail have put together a useful blog on email compliance –

It’s worth checking whether your current email client offers encryption. It may not out of the box, but there may be extensions/add-ons for it. It might involve a little digging.

*Definition under the GDPR of sensitive data: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Updated: if you’re sharing sensitive information via email with a client because it’s easy for the client and for you to manage it this way and encryption of emails is not a route you want to go down (it can get complicated) then another simpler solution is to use password-protected files that you exchange with the client as an attachment.

3. How should I store my data?

GDPR would expect you to have appropriate technical and organisational measures in place to protect data. This could be a cloud-based service, computer external/internal drive or paper-based. You’ll need to consider all 3.

If you store your data in the cloud, check your supplier is aware of GDPR and is compliant with one of these standards – ISO 27001, ISO 27017, or ISO 27018. They are concerned with protecting information; ISO 27001 is the umbrella standard. Google Cloud, AWS and Dropbox are OK in this regard.

On top of this, you can also add-on your own security for applications – simple password protection, 2-factor authentication etc.

If using your own external/internal hard drive, it would be sensible to look at encryption of these devices. Or if not possible – password protection of the device and secure in a locked cabinet when not in use.

4. What do I tell my clients?

A client should be informed via your contract what data you will hold, how long you’ll hold it and why, and that it will be held securely. Also state whether you intend to share data with any third parties and why. If you have a legal/contractual obligation that means you need to share data, explain this and why. Explain the rights the clients have:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • the right not to be subject to automated decision-making

Don’t forget under GDPR clients have a right to access their data so be ready for such requests – read this blog post – Hey, I want to see my data!

5. What do I need to do on my website?

More than likely your website will be performing two functions: lead generation via a contact form, and collecting email subscribers for a newsletter. The first step is to remove any data fields that you don’t need to collect on either your contact form or newsletter sign-up. For a contact form, first name and email address are all that might be needed. Remove any pre-populated tick boxes for auto-sign-up to a newsletter.

Check your website doesn’t hold any data associated with the contact form submissions. Some websites create a copy of any email contacts sent to you. If it does, remove these and have a process in place to keep removing them if it can’t be done automatically. For newsletter sign-up, enable double opt-in – most email services offer this. It means the user will sign up in a 2-step process – once via the website and again via an email that is sent to them. It will record the consent.

Lastly, your website privacy policy will need updating to reflect the data you collect and what you use it for, who processes it for you – MailChimp, google analytics, etc., and links to their privacy policies.

This is a link to a GDPR Website Privacy Policy (part of a pack of information on GDPR; it also includes a Website Cookie Policy). The policy will be relevant for 99% of a therapist’s needs, covering the key functions most websites will be performing for a business.

6. Do I need to document the type of information I hold and who I share it with?

Yes, both your contract and website privacy policy should state this and why. Also, the precaution you take to ensure it’s done securely. For example, for a contract, you might say I keep your personal data in encrypted secure cloud-based storage for six years for legal reasons (can expand here); after this date, your data will be securely deleted. I will share it with these third parties for this purpose only. The purpose could have some legal basis, i.e. legally obliged, or it could be purely marketing based. The client can consent to this or not. Personally, I would use a separate form for getting consent if you intend to use the data for marketing.

7. What do I need to include in my therapy contract for GDPR?

You will need to personalise it to fit with GDPR compliance – so let people know what info you will keep about them, how you will store and dispose of it, and how they can get access if needed. They need to consent to how their information is held. If you’re struggling in this space, then consider this GDPR Therapy Agreement.

8. How can I send reports safely by e-mail to referral agencies?

Please see the answer to questions about email and encryption. The recommendation would be to send this data encrypted.

9. Is Skype safe for therapy sessions or supervision?

All Skype video streams are encrypted, so it is safe. The only question would be whether Skype stores your login details, and your clients’, securely. Helpful Link – Microsoft Privacy and GDPR. More than likely OK to use.

10. Some solicitors ask for copies of treatment notes, and in the past I sent them by Royal Mail as requested. That is probably not an option anymore, I assume?

The recommendation is to use registered post for this, i.e. signed for. That way you have a clear chain of custody over the notes that can be evidenced.

11. I’d like to know the best secure email provider to use. I’ve been looking at HUSH mail which is American. Does the server need to be located in the UK to be GDPR compliant?

No, the only area I would check is that Hush themselves are aware of GDPR and can assure you of their compliance. If they are not aware of it, then I would tend to steer clear. The same goes for any suppliers you deal with, check the GDPR position and use it as a basic level of entry to do business with them. You want to operate in a space whereby you are always thinking about how safe is my data or clients’ data.

Regarding the location of the servers, many applications that are household names will store EU data in the US. It’s the nature of cloud computing. It wouldn’t necessarily make it prohibitive to use them. It just may involve you satisfying yourself that they understand GDPR and provide evidence of how they comply. Most of the more significant companies stateside are doing this.

12. What about the data I keep on my mobile phone?

As a general rule, remove any details from your phone that you no longer have a business reason to retain. Beyond this, ensure there is basic security via a PIN on your phone. Also, if the device was lost, you should be able to remotely erase it. iPhones have this capability; I’m unsure about Android devices.

13. How do I know if a non-EU company is OK to store my data with?

GDPR recognises certain other countries as ‘providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data’ – also known as data adequacy. This includes the following countries – Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. You could, therefore, use businesses within these countries to process data on your behalf. It’s worth also checking the websites of the individual businesses for a GDPR statement – this will cover how they comply with GDPR at a business level.

You can also store data with companies in the US as long as the business is compliant with the EU-US Privacy Shield framework. Most of the big US companies are. If you need to check whether a supplier is compliant with the EU-US Framework, then use this link – Privacy Shield List Check. If the supplier is on the list, excellent; as belt and braces, also check the supplier website for a GDPR statement and the security measures they take. This is effectively your due diligence.

14. Is Zoom ok to use for video meetings with clients and also my supervisor – I share my screen during meetings with my supervisor and this may include sensitive client information?

Zoom is OK to use as a tool within your practice. The data transmitted during meetings, webinars, chat sessions are encrypted and secure. Zoom is compliant with the EU-US Privacy Shield agreement. They also have a GDPR compliance statement on their website – Zoom GDPR Statement.

If you record sessions on Zoom then the client needs to be aware of this and consent to the recording; your contract would be the best place to cover this along with privacy information. Why you need to record sessions, where you store them and how long you hold the recording for would need to be covered as well. You want explicit, clear consent from your client.

15. How best do I secure paper-based records?

Use a locked, robust filing cabinet housed in a secure room, preferably in an alarmed building. An extra step you could take – and this is really down to your view of the likelihood of data being stolen or lost – is to keep the client’s identifying information separate from the session notes. As an example, each client is given a unique ID and the session notes are marked only with that ID. For anyone to associate the session notes containing sensitive data with an individual, they would need to hold the client information as well. If you keep the two items separate, you effectively reduce the risk of losing data that is personally identifiable.
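As an added example (not the blog’s own code, and written in Python purely for illustration), here is that same separation applied to electronic records: notes are keyed only by an opaque client ID, the ID-to-identity table lives apart from them, and the regular retention review from the good practice tips and Question 1 removes both halves together. The six-year period, the sample clients and the store names are assumptions.

```python
"""Pseudonymised client records with a periodic retention review (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed default: six years after the last session, the common-law figure the blog
# quotes. Set this to whatever your insurer and contract actually specify.
RETENTION = timedelta(days=6 * 365)


@dataclass
class IdentityStore:
    """Identifying details only (name, contact). Keep this in its own secure location."""

    _people: dict[str, dict[str, str]] = field(default_factory=dict)

    def register(self, name: str, email: str) -> str:
        # Opaque random ID: nothing about the person can be derived from it,
        # unlike initials or a date of birth.
        client_id = secrets.token_hex(8)
        self._people[client_id] = {"name": name, "email": email}
        return client_id

    def lookup(self, client_id: str) -> dict[str, str] | None:
        return self._people.get(client_id)

    def forget(self, client_id: str) -> bool:
        return self._people.pop(client_id, None) is not None


@dataclass
class NotesStore:
    """Session notes keyed by client ID only: no names or contact details live here."""

    _notes: dict[str, list[tuple[date, str]]] = field(default_factory=dict)

    def add(self, client_id: str, session_date: date, text: str) -> None:
        self._notes.setdefault(client_id, []).append((session_date, text))

    def last_session(self, client_id: str) -> date | None:
        sessions = self._notes.get(client_id)
        return max(d for d, _ in sessions) if sessions else None

    def forget(self, client_id: str) -> bool:
        return self._notes.pop(client_id, None) is not None

    def client_ids(self) -> list[str]:
        return list(self._notes)


def retention_review(identity: IdentityStore, notes: NotesStore,
                     today: date, retention: timedelta = RETENTION) -> list[str]:
    """Delete both halves of every record whose last session is older than `retention`.

    Returns the IDs removed so the review can be logged (IDs only, never names)
    as evidence that the deletion happened.
    """
    removed: list[str] = []
    for client_id in notes.client_ids():
        last = notes.last_session(client_id)
        if last is not None and today - last > retention:
            notes.forget(client_id)
            identity.forget(client_id)
            removed.append(client_id)
    return removed


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample data: one client well past retention, one still current."""
    identity, notes = IdentityStore(), NotesStore()
    old = identity.register("A. Example", "a@example.invalid")
    notes.add(old, date(2017, 3, 1), "session 1 notes")
    current = identity.register("B. Example", "b@example.invalid")
    notes.add(current, date(2022, 1, 10), "session 1 notes")
    removed = retention_review(identity, notes, today=date(2024, 6, 1))
    kept = [cid for cid in (old, current) if identity.lookup(cid) is not None]
    return removed, kept


if __name__ == "__main__":
    removed_ids, kept_ids = demo()
    print(f"removed {len(removed_ids)} record(s), kept {len(kept_ids)}")
```

If the notes store alone were lost, the finder would hold dated notes against random hex IDs and nothing that links them to a person.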

16. What about my emails to clients and potential clients?

For clients, keep emails in line with the timescale you are keeping session notes for. For potential clients that do not go on to contract with you, delete their emails within a timescale you are comfortable with, once you are confident they won’t come back to you. The only concern is if they provide sensitive information in the email, which I would discourage until they have officially contracted with you. Not always possible, but use it as a guide.

17. What is privacy information, privacy notice and privacy policy?

Essentially they are all similar but the terms are often used interchangeably. Privacy information is the details you document in the privacy notice or privacy policy of your website or contract. GDPR specifies what should be included in a privacy notice. You can have privacy information within your contract or as a separate document – just ensure the client clearly understands the contract via signing it. On a website, it’s usually a specific web page that can be easily accessed anywhere on the site and is prominently placed when a website contact form is displayed.

Officially a privacy policy is an internal policy which sets out how a business upholds data subjects’ privacy rights. A privacy notice is a statutory public document that provides details on how a business upholds a data subject’s rights. So simply, one is internal and the other external. But the terms are used interchangeably.

Importantly whichever name you choose it should include the following details as a minimum – in simple language:

  • who you are and where you can be contacted – name, address, email, telephone
  • the rights individuals have over the data you hold – see the answer to Question 4. for a list of rights
  • what data is being collected – personal and sensitive data
  • how is it being collected – via sessions
  • why is it being collected and how will it be used – in order to deliver therapy services to you
  • whom will it be shared with and why – supervisor / other third parties
  • how long will the data be held
  • how is the data secured
  • the lawful basis for processing the data – Contractual, consent

18. In my therapy contract with clients, what is my GDPR lawful reason for processing information/data?

This is an area of much debate under GDPR and of the 6 lawful reasons under which you can process data – there are two that are relevant to a therapist – consent and contractual. In GDPR terms – consent cannot be given freely when it’s a pre-condition of service. A client has to consent to have therapy, they cannot decline, and then therapy continues because you need the data to deliver the service. Therefore consent cannot be freely given, contractual works best. However, consent did provide compliance for a therapist holding sensitive data whereas contractual doesn’t provide cover for this on its own. We need to reference your role as a healthcare professional working with safeguards (recognised national accreditation bodies) in order to provide cover for holding and using sensitive data. GDPR has a specific article covering the circumstances under which special data (health details) can be processed, the role of the healthcare professional is one that is recognised. Consent can be used where you are sharing data with a third party and a client can say ‘yes’ or ‘no’ and it won’t necessarily stop therapy. GDPR Therapy Agreement

19. What do I do if a client asks to see the data I hold on them?

This is one of the most commonly made requests of the 8 rights a person has under GDPR – the right of access (all 8 are listed in Question 4). The GDPR places certain obligations on you in this situation and sets out how such requests should be handled. It’s interestingly also the area in which the ICO receives the most complaints about how the request is managed and dealt with. Don’t fall foul of this and ensure you handle such requests professionally and sensitively – it’s an opportunity to enhance your reputation and provide a great service to your client. Read more here >> Hey, I Want To See My Data

20. How do I know if I’m GDPR compliant?

Ok, so you’ve done all the hard work. You believe that, given your understanding and interpretation of GDPR, you’re compliant. BUT how do you know for sure? Remember there is no such thing as being ‘GDPR Compliant’ – there is no formal ratification or certification process. The ICO (the UK governing body for GDPR) has been clear in its press and media releases that GDPR is more than just a paper-based tick-box exercise; it’s about people/businesses having an awareness and understanding of their responsibilities around the personal data they collect. It’s a way of thinking, communicating and behaving around data now and in the future.

Having said this the ICO has released a helpful assessment tool that will guide you through any gaps you might have in your business. It’s available here: How well do you comply with data protection law: an assessment for small business owners and sole traders

If the ICO assessment tool highlights areas that need further work and you’re not sure how to address these then feel free to post a comment below and I’ll try to get an answer for you.

Here are 3 further useful articles with details around GDPR:

Do They Mean Me? GDPR – Overview and The Basics

GDPR – What does it all mean? Nuts and Bolts

8 Important Steps To GDPR Happiness

If you need further advice on GDPR and how to get your website compliant, contact Pocket Site | Get In Touch


  1. Janet Thewlis says

    Does GDPR affect current laws about access to children and young peoples records by parents/carers/ professionals and the courts?

  2. Sarah Rees says

    Hi Janet, unsure on the specific context here but from what you’ve said I suspect this would be down to consent. So whoever needs access to your data the client would need to consent to this data sharing. This must be explicit consent to this data sharing unless it is being done under other lawful grounds – ie a legal requirement you are subject to or possibly vital interest (data is shared in order to protect vital interests of the client – usually a medical condition). The client would have a right to be informed of this if possible and may depending on the context have a right to refuse. Hope that answers the query OK.

  3. leah says

    Thanks Ms Rees, this is very helpful. Generous of you to write and post it.
    Kind regards,

  4. Mo says

    Hi Sarah
    Thank you for your very useful guidance. However, one thing I am not clear about is… I work as an EAP therapist and have been told that, from the 25th May, my handwritten notes will have to be scanned and loaded onto the secure site of the EAP provider. I realise I would have to obtain the consent of my clients, but what about the ethical considerations of putting sometimes very sensitive and personal information into the hands of a third party?

  5. Sarah Rees says

    Hi, glad you find it helpful. I see how your situation is tricky. I guess for the client to have therapy provided with you through the EAP if that’s their terms of service then the client can either give consent or choose to have therapy through other means. You would need clarification that their system is GDPR compliant and who can access it so the client knows who can see the information. I keep notes very minimal just to guide my therapy and my clients are aware of this. Hope that helps

  6. Barbara says

    Hello Sarah

    Thank you very much for this, we have been given so much conflicting advice all pushing us to Consent as lawful basis, but it is not appropriate.

    I am choosing Legitimate Interest from Article 6 and the one about Health from Article 9. Neither of these require consent. I am wondering what the client is therefore giving their signature for? Would it be to consent to undergo therapy, accepting that their data is processed and their rights are diminished? And which rights are left? I understand that the right to Object is possibly still in place but only in theory, as they have to prove there was no legitimate interest. Right to rectification. Not sure what else.

    If you happen to have an idea, I would be grateful to hear it. Time is almost up and the privacy consent form that we paid for, is of no use, so having to start from scratch.

  7. Sarah Rees says

    Hi Barbara, legitimate interest is possible to use, although personally, I’m using contract working as a healthcare professional. The Therapy Agreement uses contract. I don’t think you need to start from scratch, it may be worthwhile checking you’re using the latest version – an update was issued to version 2. When did you purchase it? The same 8 user rights are still available for a client and included in the agreement but you have a right to deny erasure and objection on the basis the data is needed to comply with your insurance policy and protect yourself from breach of contract. The signing of the form is more a case of ensuring they have read it and understood it, similar to a tick box on a website.

  8. Ann-marie Idiagbonya says

    Hi Sarah,

    Thanks for this information, it has been incredibly useful. Along with informing clients and getting their consent to ‘bring them’ to my supervisor, this will be in my contract that they sign. Do I then need to give them a third party consent form to sign?

    Many thanks,

  9. Sarah Rees says

    Hi Ann-Marie, if you discuss a client with a supervisor but no information is shared that allows the individual to be identifiable then the agreement is enough. If you’re sharing information that would allow the client to be identified then I would seek specific consent. The agreement covers you for what is known as anonymised information when discussing clients with your supervisor. Hope this makes sense.

  10. Suzanne says

    Just wanted to say thank you for posting this, as out of all the *many* pages I have been searching on this topic, this has by far been the most helpful and practical for me as a therapist! Greatly appreciated.

  11. Debbie simmons says

    Clinical supervision notes and/or line management notes. For a case management or clinical discussion many organisations use a client ID number populated by a database. In the notes I’m referring to, are you able to add a client ID where an action may be required to check and review in the next supervision session?

  12. james says

    Hi Sarah, thanks for this clear and comprehensive post. I’m a therapist in the UK and wondering if a client has a right, if they request it, for all their notes to be erased and deleted when our work finishes.

  13. Sophie Wood says

    Hi James, clients do have the right for their notes to be erased; however, they also have 7 years to sue you for damages should they need to for any reason, which is why insurance companies advise that notes are kept for 7 years, as legal protection for yourself and your business. Insurance companies are very helpful; it might be worth giving them a call. You could come to a compromise with a client on having some of the information erased and that you only keep what is necessary, but for your protection, it could leave you vulnerable to erase all the notes. Hope that helps Sarah

  14. Edel says

    Thank you so much for the information provided above – as noted by someone else in the comments, I found this page to have been the best in providing concise and direct answers to questions regarding GDPR. Have you any guidance on a self-employed therapist doing work for a private practice? For example, is it the private practice who is considered to ‘own’ the therapy notes for those clients, and therefore if the self-employed therapist leaves, do the notes remain with the private practice and the responsibility for retention and disposal with the private practice?

Sarah Rees

Sarah is a fully accredited Cognitive Behavioural Therapist and mental health writer delivering Modern Mental Health for you and with you in Mind. Sarah is the author of ‘The CBT Journal’ which helps you write for your wellbeing incorporating CBT techniques. For more information and to keep in touch have a look at