GDPR for Counsellors in Private Practice

All counsellors in private practice should address GDPR – the General Data Protection Regulations.   GDPR came into law in the UK under the Data Protection Act 2018.  Even though it originates from the EU, it still applies after Brexit. It is mandatory for anyone processing data for business purposes.

In your private practice you are the Data Controller.

That means you have to take responsibility for complying with GDPR.

However, don’t be scared by it.  Counsellors know how to protect their clients’ data.  It is, after all, what you do day in and day out.

This guide will help you comply with the law. For simplicity, it is divided into five steps.

GDPR for counsellors in private practice

Photo by h heyerlein on Unsplash

1. Work Out What Data You Need

The first step is to work out the following:

  • What data you collect on your clients (everything from email addresses to medical history)
  • Whether anything is unnecessary and doesn’t need to be collected (when I completed this exercise, I realised I did not need to collect data about a client’s children)
  • What you are doing to keep the data safe
  • How long you need to keep your data
  • Whether you share your data with any third parties – such as accountants or online services such as Google or Dropbox

Identify “special category data”

As part of this process, work out if you are collecting “special category data.” This is data such as:

  • gender identity
  • sexuality
  • medical history
  • ethnicity
  • membership of trade unions or political parties.

Counsellors are likely to be collecting some of this special category data in their assessments or notes. As a result, they should have a written GDPR policy.

2. Decide Your Lawful Basis for Processing

You have to have a legal reason to process data and should pick from the six reasons stated in the GDPR.

For counsellors in private practice, the easiest ones to use are:

  • Contract: you cannot offer your services without holding data such as an email address or telephone number
  • Legal obligation: you need to hold data for legal purposes such as providing tax records
  • Legitimate interest: you need to hold and store data for the purposes of running your practice and protecting your interests

Surprisingly, consent as a lawful base is not recommended for private practice.  Because counsellors are accustomed to gaining consent for storing notes and records it is easy to think this is the lawful basis for processing under GDPR. In fact other lawful bases may be better – such as contract – as consent can be withdrawn.

3. Write a GDPR Data Inventory

This gathers together all the information you have collected. It forms the basis of your privacy policy and privacy statement.  Include the following:

  • Your name if sole trader, or company name, and contact details
  • Where personal data is obtained (e.g., direct from client)
  • The types of data being processed (e.g., email address/date of birth/medication)
  • Whether this includes special category data
  • The purpose for processing (e.g., to contact client, to keep counselling records)
  • The legal basis for processing (e.g., contract)
  • How much data you process (e.g., less than 1,000 clients)
  • The retention period (e.g., five years)
  • Any third party to whom data is transferred and the country of origin
  • How data is protected when transferred

4. Register with the ICO

The ICO is the Information Commissioners Office – the body responsible for overseeing data protection in the UK. (If you are reading this blog from outside the UK, you need to identify the regulatory organization in your own country).

There is always a lot of debate as to whether registering with the ICO is necessary for counsellors in private practice.  A further blog will explain the reasons why most counsellors should register.

You can access a questionnaire to test whether you should register by clicking: here

And if you want to pay the fee immediately, click here

If you’re reading this and feeling overwhelmed, I offer more explanation and training in the Therapy Growth Group.  Ask me for more information.

5. Produce a Privacy Policy and Privacy Notice

GDPR Privacy Policy

As it is likely you will be processing special category data (e.g., medical details), it is necessary to write a Privacy Policy.

You can use the information from your data inventory together with the principles of GDPR. These are standards such as fairness, transparency and accuracy. 

You can read about GDPR principles by clicking on the link: here

The Privacy Policy should contain the following items:

  • How you collect data
  • How you store data
  • How long you keep client records
  • How you will delete data when it is no longer necessary
  • How you will deal with “subject access requests”: when a client wants to know what data you are storing about them
  • How clients can correct data
  • How you will ensure data is up to date
  • What you will do if data is lost, stolen or accidentally deleted

GDPR Privacy Notice

The Privacy Notice is the information you provide to clients about how you handle their information.

You can refer to your privacy notice in your emails, publish it on your website, and include it when contracting with clients.

Your privacy policy and data inventory form the basis of the statement.

It should include:

  • Your identity and contact details
  • The purposes of processing, e.g, to provide services and fulfil legal obligations
  • The legal basis for processing, e.g., the performance of a contract
  • Third party recipients of data, e.g., accountants, HMRC, IT professionals, Supervisor – if you do not use pseudonymisation
  • International transfers (e.g., if you are using Cloud storage such as Dropbox or Google)
  • The period for which personal data is retained
  • The right to subject access requests – how people can request access and correction or deletion of their data
  • The right to lodge a complaint with a supervisory authority (i.e., the ICO)

You can view a sample privacy notice for counsellors by clicking on the link: here

need more help with GDPR?

Wading your way through the regulations and working out what they mean takes time.  I can support you in the process in the Therapy Growth Group.


I have prepared a short course for counsellors as part of the Setting Up in Private Practice module of Therapy Growth Group.  It will help you understand data protection and what you need to do to be compliant.

Contact me for more information.

The information contained above is provided for information purposes only. The contents of this article are not intended to amount to advice and you should not rely on any of the contents of this article. Professional advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.  Josephine  disclaims all liability and responsibility arising from any reliance placed on any of the contents of this article.