GDPR self-assessment for private practice

Twelve questions to check how your practice handles client data, with plain-English fixes for the gaps.

  1. Are you registered with the ICO and paying the data protection fee?

  2. Do you have a written privacy notice you give clients before or at the first session?

  3. Do you know your lawful basis for holding client data, and the special-category condition for health data?

  4. Are your session notes stored encrypted, or locked away if on paper?

  5. Are your notes and client contact details kept in separate places, or separable?

  6. Do you have a stated retention period, and do you actually delete records when it passes?

  7. Do you know what you would do in the first 72 hours after a data breach?

  8. Could you answer a subject access request within one month, including knowing what you could withhold?

  9. Do you have a plan for your client records if you suddenly could not practise?

  10. Is your email and messaging with clients reasonably secure, and do clients know the risks of the channels they choose?

  11. For each third-party tool you use (calendar, notes, video, billing), do you know where it stores data, and do you have a data processing agreement with it?

  12. Do you avoid taking identifiable client data outside the UK or EEA without safeguards?

Where you stand

Everything in this assessment follows from one fact: as a private practitioner, you are the data controller for your client records. The tools you use, Bloom included, are processors acting on your instructions. Decisions about what is collected, how long it is kept and who sees it are yours, and they cannot be outsourced, only supported.

The question that catches most therapists is the third one. GDPR training aimed at other industries pushes consent as the default lawful basis, but consent is usually wrong for therapy records: it can be withdrawn at any moment, and your insurer expects notes to exist whether or not the client still agrees. Contract or legitimate interests, paired with the Article 9 health and social care condition, is the arrangement that actually fits the work.

The good news is that the ICO’s expectations of a solo practice are proportionate. Registration costs £52 a year (2026), a privacy notice fits on one page, and a retention habit is a diary reminder. The gaps that matter most, encryption and a breach plan, cost time rather than money.

Question 11 tends to produce the longest list. Every tool that touches client data (the calendar, the notes app, the video platform, the invoicing spreadsheet) is a processor you are responsible for. Consolidating that patchwork into fewer systems shrinks the list of data processing agreements you need to keep track of, which is a data protection argument as much as a convenience one.

One honest limit: answering yes twelve times does not make you compliant, and this page is not legal advice. It is a structured way to notice gaps, with the authoritative source linked wherever one exists. For anything contested, the ICO’s guidance and your professional body’s GDPR resources are the places to check.

Frequently asked questions

Bloom keeps notes, documents, payments and your diary in one system under one data processing agreement, which makes question 11 a much shorter exercise. You stay the data controller; Bloom is one processor instead of five.