GDPR is one of those subjects that makes most therapists’ eyes glaze over. The legislation is dense, the guidance is written for corporate data teams, and the practical implications for a sole practitioner seeing twelve clients a week can feel impossibly unclear. The result is that many therapists either ignore it entirely or over-comply in ways that create unnecessary work without actually protecting anyone.
This guide cuts through the noise. It covers what UK GDPR actually requires of you as a therapist in private practice, what the real risks are, and what you can do – in practical terms – to get your data protection house in order without turning it into a second career.
This guide covers UK GDPR as it applies to therapists and counsellors in private practice. It is not legal advice. If you have a specific data protection concern, consult a solicitor or the ICO directly.
Why GDPR Matters More for Therapists Than Most Professions
Therapists process some of the most sensitive personal data that exists. Under UK GDPR, information about a person’s mental health is classified as “special category data” – the highest tier of protection. This is not the same as a retailer holding your email address. Your session notes, risk assessments, clinical formulations, and even the fact that someone is your client at all are all special category data.
This does not mean the rules are impossible to follow. It means you need to take them seriously, because the data you hold could cause real harm if it were lost, accessed by the wrong person, or handled carelessly. GDPR, at its core, is simply a framework for making sure that does not happen.
1. Register with the ICO
If you process personal data electronically – which includes keeping client records on a computer, sending emails to clients, or using any kind of practice management software – you almost certainly need to pay the ICO data protection fee. For most sole practitioners, this is £40 per year. It is a legal requirement, not optional.
Registration is straightforward and can be done online at ico.org.uk. You receive a registration number, which you should include in your privacy notice. The ICO maintains a public register, so clients or professional bodies can verify your registration if needed.
There is a narrow exemption for practitioners who only keep paper records with no electronic processing at all, but in practice this applies to very few therapists in 2026. If you use email, a phone, a laptop, or any digital tool in connection with your practice, you need to register.
2. Identify Your Lawful Basis for Processing
Under UK GDPR, you need a lawful basis for processing personal data. For therapists, this is where most of the confusion lives, because there are several options and the right one depends on the type of data and the context.
For general personal data (name, contact details, appointment times), the most appropriate lawful basis is usually “legitimate interests” – you need this information to run your practice and provide the service the client has engaged you for. Contract performance can also apply where you have a written therapeutic agreement.
For special category data (session notes, clinical assessments, anything relating to mental or physical health), you need an additional condition under Article 9. For most therapists in private practice, the relevant condition is “explicit consent” – the client has clearly and specifically agreed to you processing their health data for the purpose of providing therapy.
A common misconception is that consent covers everything. It does not. Consent is your Article 9 condition for processing special category data. Your Article 6 lawful basis for general processing may be legitimate interests or contract performance. You need both layers to be in place.
The practical implication is that your intake process should include a clear consent mechanism – not buried in a long form, but a specific, informed agreement that the client understands what data you will hold, why, and how it will be used.
3. Write a Privacy Notice That Actually Makes Sense
UK GDPR requires you to provide clients with a privacy notice explaining how you handle their data. Many therapists either do not have one, or have one copied from a corporate template that is full of jargon and largely irrelevant to therapy practice.
Your privacy notice should be written in plain English and cover the essentials: who you are and how to contact you, what personal data you collect and why, your lawful basis for processing, who you might share data with (and why), how long you keep records, the client’s rights regarding their data, and how to complain to the ICO if they are unhappy.
- Keep it short. Two to three pages is plenty for a sole practitioner. If your privacy notice is longer than your therapeutic contract, something has gone wrong.
- Be specific to your practice. Generic phrases like “we may share your data with third parties for business purposes” are meaningless. State exactly who might receive data and in what circumstances – your supervisor, your insurer in the event of a complaint, emergency services if there is a safeguarding concern.
- Make it accessible. Give it to clients at the start of therapy, include it on your website, and reference it in your contract. A privacy notice that nobody reads achieves nothing.
- Review it annually. If you change your software, your supervision arrangements, or your working practices, your privacy notice should reflect that.
How My-Therapy-Suite helps: My-Therapy-Suite includes customisable privacy notice templates written specifically for therapy practice. You can issue your privacy notice digitally through the client portal, track which clients have received and acknowledged it, and update it centrally when anything changes.
4. Manage Client Records Properly
How you create, store, and eventually dispose of client records is at the heart of your GDPR obligations. This is where the practical day-to-day work lives.
Storage and Security
Client records must be stored securely, with access limited to those who need it – which in a sole practice means you and nobody else. If you use electronic records, this means encrypted storage, password protection, and ideally two-factor authentication on any system that holds client data.
The ICO does not prescribe specific technical measures, but it does expect you to take “appropriate” steps given the sensitivity of the data. For therapists, the bar is high because the data is special category. In practical terms, this means you should not be keeping session notes in an unencrypted Word document on your desktop, emailing clinical information via a standard Gmail account, storing records in a personal Dropbox or Google Drive without appropriate security settings, or leaving a laptop containing client data unattended and unlocked.
Cloud-based practice management software with proper encryption and UK-based servers is generally regarded as a more secure option than local storage, because it removes the risk of a lost or stolen device being your single point of failure.
Retention and Deletion
UK GDPR requires that you do not keep personal data for longer than necessary. For therapists, this means having a clear data retention policy and actually following it.
There is no single mandated retention period for therapy records, but common guidance suggests retaining adult client records for seven years after the last contact, and records for clients seen as children until the client turns twenty-five or for seven years after last contact, whichever is longer. Your professional body and insurer may have their own recommendations, so check these and adopt the longest applicable period.
When the retention period expires, records must be securely deleted. For electronic records, this means permanent deletion, not just moving files to the recycle bin. For paper records, it means cross-cut shredding or a confidential waste service. Document your deletion process and keep a log of what was destroyed and when.
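To show how the retention rule above works out on real dates, here is an added example (not code from My-Therapy-Suite or the original guide) that computes the earliest permissible deletion date for a record. It assumes that "seen as a child" means under 18 at the last contact, and that any longer period from a professional body or insurer is passed in as extra years after last contact, per the advice to adopt the longest applicable period.

```python
from datetime import date

ADULT_YEARS = 7        # adult records: 7 years after last contact
CHILD_AGE_LIMIT = 25   # child records: until the client turns 25 ...
CHILD_YEARS = 7        # ... or 7 years after last contact, whichever is longer
AGE_OF_MAJORITY = 18   # assumption: "seen as a child" = under 18 at last contact


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb anniversary rolls to 1 Mar in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return date(d.year + years, 3, 1)


def age_on(dob: date, on: date) -> int:
    """Whole years of age on a given date."""
    had_birthday = (on.month, on.day) >= (dob.month, dob.day)
    return on.year - dob.year - (0 if had_birthday else 1)


def earliest_deletion_date(dob: date, last_contact: date, extra_years=()):
    """Return (deletion_date, basis) for one client record.

    extra_years: additional retention periods (years after last contact)
    required by a professional body or insurer; the longest period wins.
    """
    if age_on(dob, last_contact) < AGE_OF_MAJORITY:
        turns_25 = add_years(dob, CHILD_AGE_LIMIT)
        seven_after = add_years(last_contact, CHILD_YEARS)
        deletion, basis = max(
            (turns_25, "child: 25th birthday"),
            (seven_after, "child: 7 years after last contact"),
        )
    else:
        deletion, basis = add_years(last_contact, ADULT_YEARS), "adult: 7 years after last contact"
    for years in extra_years:
        candidate = add_years(last_contact, years)
        if candidate > deletion:
            deletion, basis = candidate, f"external requirement: {years} years after last contact"
    return deletion, basis


def is_due_for_deletion(dob: date, last_contact: date, today: date, extra_years=()) -> bool:
    """True once the retention period has expired, i.e. the record should be securely deleted."""
    return today >= earliest_deletion_date(dob, last_contact, extra_years)[0]
```

The basis string is worth keeping alongside the deletion date in your retention log, since it records why that date was chosen.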
How My-Therapy-Suite helps: My-Therapy-Suite stores all client data on UK-based servers with encryption at rest and in transit. The platform tracks retention periods automatically and alerts you when records are approaching their deletion date, so you do not have to maintain a manual spreadsheet or rely on memory.
5. Understand Client Rights
Under UK GDPR, your clients have specific rights regarding their personal data. You do not need to memorise every detail, but you do need to know the key ones and have a process for handling them.
- Right of access (Subject Access Request): Clients can request a copy of all the personal data you hold about them. You must respond within one month. This includes session notes, assessments, correspondence, and any other records. You can redact information about third parties (for example, details a partner disclosed in a couples session) but you cannot withhold your own clinical notes simply because they are sensitive.
- Right to rectification: If a client believes the factual data you hold about them is inaccurate, they can ask you to correct it. This applies to factual errors (a wrong date of birth, misspelled name), not to your clinical opinions or formulations.
- Right to erasure: Clients can request that you delete their data. However, this right is not absolute. You can refuse if you have a legal obligation to retain the records, a legitimate interest that overrides the request, or if the data is needed for the establishment or defence of legal claims. In practice, most therapists retain records for the standard retention period regardless of an erasure request, and this is generally considered reasonable.
- Right to restrict processing: A client can ask you to stop using their data in certain ways while a dispute is resolved, though this is rare in therapy contexts.
The most common request therapists receive is a subject access request. If you receive one, do not panic. Acknowledge it promptly, gather the relevant records, redact third-party information where necessary, and provide the response within the one-month deadline. If you need more time, you can extend by a further two months, but you must inform the client within the first month.
6. Know What to Do If Something Goes Wrong
A data breach is any incident where personal data is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed without authorisation. For therapists, common examples include sending an email containing client information to the wrong person, losing an unencrypted device that holds client records, a software system being hacked or compromised, or accidentally leaving client notes visible in a shared space.
Not every breach needs to be reported to the ICO. The threshold is whether the breach is likely to result in a risk to the rights and freedoms of the individuals affected. Given that therapy records are special category data, the bar for reporting is lower than it would be for less sensitive information. If in doubt, report it.
If a breach does meet the reporting threshold, you must notify the ICO within 72 hours of becoming aware of it. You must also notify the affected individuals if the breach is likely to result in a high risk to them. The ICO’s website has a self-assessment tool and a breach reporting form that walk you through the process.
Document every breach, even ones you do not report to the ICO. Keep a simple breach log recording what happened, when, what data was affected, what you did about it, and your reasoning for whether or not you reported it. The ICO can ask to see this log.
How My-Therapy-Suite helps: Because all data is held within a single encrypted platform rather than scattered across emails, local files, and third-party tools, the attack surface is significantly reduced. Built-in access controls and audit trails also mean that if something does go wrong, you have a clear record of what was accessed and when.
7. Supervision, Referrals, and Data Sharing
Therapists routinely share client information in certain contexts – most commonly supervision, but also referrals, safeguarding disclosures, and insurance or EAP reporting. Each of these needs to be handled with care under UK GDPR.
For supervision, best practice is to anonymise client data wherever possible. Use initials or pseudonyms, remove identifying details, and share only what is clinically necessary. If you need to share identifiable information with your supervisor (for example, in a safeguarding situation), this should be covered in your privacy notice and, ideally, in your therapeutic contract. Your supervisor should also have their own appropriate data protection arrangements in place.
For referrals, obtain the client’s explicit consent before sharing any information with a third party, unless there is a safeguarding concern that overrides this. Document the consent and what was shared. The same applies to sharing information with a client’s GP, which some therapists do routinely but which still requires client agreement unless there is an immediate risk.
For EAP or insurance-funded work, you are typically required to submit session summaries or outcome data. Your contract with the EAP should specify what data is shared, and the client should be informed of this at the outset. Do not share more than the contract requires.
A Practical GDPR Checklist
If you have read this far and are unsure where to start, here is a pragmatic list of the actions that will have the greatest impact on your compliance position.
- Register with the ICO and pay the annual data protection fee.
- Write (or update) a privacy notice specific to your practice and issue it to all current clients.
- Review your consent process to ensure clients are giving explicit, informed consent to the processing of their health data.
- Audit where you store client data. Consolidate records into a single, secure, encrypted system. Eliminate unencrypted local files, personal email accounts, and consumer cloud storage.
- Set a data retention policy and diarise review dates for records that are approaching their retention limit.
- Prepare a simple process for handling subject access requests, including a template response letter.
- Create a breach log and keep it even if you have never had a breach.
- Review your supervision and referral arrangements to ensure data sharing is covered in your privacy notice and contracts.
- Put a reminder in your calendar to review all of the above once a year.
Final Thoughts
GDPR compliance is not about perfection. The ICO is not looking to penalise sole practitioners who are making a genuine effort to protect their clients’ data. What they do expect is that you have thought about it, taken reasonable steps, and can demonstrate what those steps are if asked.
For most therapists, getting compliant is a weekend’s work. Staying compliant is a matter of good habits: using secure tools, reviewing your policies annually, and being thoughtful about how you handle data day to day.
My-Therapy-Suite is built around these requirements – UK-hosted, encrypted, with privacy notices, consent tracking, retention management, and audit trails built in. It does not make you compliant by itself (no software can), but it removes most of the technical friction so you can focus on the clinical and administrative habits that matter.