You're a data controller
What counts as personal data
Your key obligations
- Register with the ICO (£40/year)
- Have a privacy policy
- Only collect data you need
- Keep it secure
- Only keep it as long as necessary
- Respond to client data requests within one month
How long should you keep records?
Encryption matters
What about online therapy?
What to do if something goes wrong
A practical GDPR checklist for therapists
- Register with the ICO
- Write a privacy policy and share it with clients
- Use encrypted software for session notes
- Use a counselling agreement that includes GDPR consent
- Set a records retention policy
- Secure your devices (password, encryption, screen lock)
- Have a plan for data breaches
- Respond to client data requests within one month