
How to Keep Your Private Practice GDPR Compliant

You might think you’ve nailed GDPR, but did you know keeping your private practice compliant is an ongoing process? Despite the admin involved, GDPR has been a very positive step. We all have much more control over how our personal data is held. We have the right for it to be deleted, and there are assurances around how information about us is taken, stored and disposed of. The whole system has become much more transparent.

Hang on, what’s personal data?

Personal data is any information that can be used to identify a living person, including names, delivery details, IP addresses, or HR data such as payroll details. Most organisations use personal data in their daily operations.

Here’s what’s expected of you…

The Information Commissioner’s Office (ICO) states you are required to have a level of security that is ‘appropriate’ to the risks presented by your data processing. This reflects both the UK’s risk-based approach to GDPR and the fact that there is no ‘one size fits all’ solution to information security. It means that what’s ‘appropriate’ for you will depend on your own circumstances, the processing you’re doing, and the risks it presents to your organisation.

Annual GDPR Audit

It’s a good idea to perform an internal GDPR audit at least once a year. Once you get into the swing of conducting an annual audit, it shouldn’t take longer than an hour. Pick a time that’s quiet for your practice and set a reminder in your calendar. On completion, make a note of any action that’s taking place as a result. This demonstrates you’re working to maintain GDPR compliance and will be useful if you’re ever asked to provide evidence. Here are a few things your audit should cover:

Are you still registered with the ICO?

This is a requirement if you are in private practice. Check your information is up to date, that your debit card has not expired, and that you have paid your annual subscription.

If there were changes to GDPR, would you be aware of them?

It’s your responsibility to stay up to date with the latest guidance. There were some changes when we left the EU and there’s more to come. As part of maintaining compliance, you should regularly check the ‘What’s New’ section on the ICO website. Another way to stay informed is to sign up for weekly emails with Pocket Site where we share any updates as they occur.

How are you holding data?

You should have an up-to-date list of all the places you hold data. This might include online platforms, paper notes and mobile phones. The platforms where you hold and process data are likely to evolve over time, so you should also check they are maintaining their compliance.

One of the principles of GDPR is that you keep the minimal amount of data required. If you do not need information you are holding, it needs to be removed. Clear old numbers out of your mobile phone and delete old emails regularly. Make sure your medical notes are shredded confidentially after seven years (it’s also worth checking the timescale requirement hasn’t changed).

Is your security up to date?

You must ensure you have appropriate security measures in place to protect the personal data you hold from being accidentally or deliberately compromised. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals. In some extreme cases, lives may even be endangered. Here are a few suggestions to get you started:

– Is your website still secure?

– Is the privacy policy on your website up to date and reviewed regularly?

– How are you taking payments? Have any security measures changed here?

– Do you have anyone working in your business? Is there a data processing agreement in place?

Have you checked your therapy agreements?

Review the contracts you have with your clients, supervisees and supervisors. Ensure there is precise information on what data will be kept, how long this will be stored for and how it will be disposed of.

GDPR Compliance Pack for Therapists

If you need further support keeping your private practice GDPR compliant, you can download Pocket Site’s GDPR Compliance Pack for Therapists. It contains everything you need including a compliance checklist, the ‘Getting Started with GDPR’ E-Book and a range of templates and explainers to use within your business.

Links worth clicking

Sign up for weekly emails from Pocket Site

GDPR Compliance Pack for Therapists

Does your practice need a data processing agreement?

ICO – What’s New

GDPR: What’s Changed Since Brexit?


Sarah Rees

Sarah is a fully accredited Cognitive Behavioural Therapist and mental health writer delivering Modern Mental Health for you and with you in Mind. Sarah is the author of ‘The CBT Journal’ which helps you write for your wellbeing incorporating CBT techniques. For more information and to keep in touch have a look at