GDPR for Therapists - What You Actually Need to Know

GDPR sounds intimidating, but for a solo therapist or small practice, the basics are straightforward. You're handling some of the most sensitive personal data there is - your clients' mental health records. Here's what that means in practice, without the legal jargon.

You're a data controller

If you decide what client data to collect and how to use it, you're a data controller under UK GDPR. That's every therapist in private practice. It means you're legally responsible for how client data is handled.

What counts as personal data

Everything you'd expect: names, email addresses, phone numbers, addresses. But also: session notes, assessment results, referral letters, and anything else that identifies or relates to a client. Session notes, assessment results and referral letters are also "special category data" under GDPR because they relate to health - this means they get extra protection, and you need an additional condition (see below) before you can process them.

Your key obligations

You need to: pay the ICO data protection fee (the page quotes £40/year for the lowest tier; check the ICO website for the current amount), have a privacy policy, only collect data you actually need, keep it secure, only keep it as long as necessary, and respond to client data requests (subject access requests) within one month. You also need a lawful basis for processing data. For health data there are two parts: an ordinary lawful basis (for a private practice this is usually the contract with your client or "legitimate interests"), plus a separate condition for special category data. That condition is usually either the client's "explicit consent" or the health and social care condition, which covers treatment by a professional bound by a duty of confidentiality. Note that consent can be withdrawn at any time, so if you would need to keep the notes anyway (for example to meet your professional body's record-keeping requirements), the health care condition is usually the more honest choice, with consent reserved for genuinely optional things such as recording a session. Write down which basis and condition you rely on; your privacy policy should state them.

How long should you keep records?

Your professional body and your insurer will have guidance. BACP recommends keeping records for at least 6 years after the last contact (longer for work with children, who may need access to their records after they turn 18). Six years lines up with the usual limitation period for civil claims, which is why it is a common minimum. After that, securely delete or destroy them: shredding for paper, and deletion that also removes backups and exports for digital notes. Make sure your software lets you set retention periods and actually delete a client's records when the period ends, rather than just hiding them.

Encryption matters

GDPR doesn't specifically require encryption, but it does require "appropriate technical measures" to protect personal data. For therapy session notes - which are about as sensitive as data gets - encryption is the appropriate measure, and the ICO has treated unencrypted devices holding health data as a failure to take those measures. AES-256 is the standard symmetric cipher and is what most reputable software uses, but the cipher name alone tells you little. Ask three questions of any system: are notes encrypted at rest (on the server and on your laptop), are they encrypted in transit (HTTPS/TLS), and who holds the keys - can the vendor's staff read your notes, or only you? If your current system stores notes as plain text, or you keep Word documents on an unencrypted laptop, that's a risk worth addressing now. Read more about why encryption matters for therapists.

What about online therapy?

If you offer video sessions, the same rules apply. Use a platform that offers end-to-end encryption for calls, and check the vendor's own documentation rather than marketing copy: "encrypted" on its own often means only encrypted in transit, where the provider can still see the session. Avoid recording sessions unless you have explicit consent and a clear reason; a recording is special category data and needs the same protection and retention rules as your notes. Make sure your video platform has a Data Processing Agreement (DPA) in place, because the platform is processing client data on your behalf and GDPR requires a written contract for that.

What to do if something goes wrong

If there's a data breach (lost laptop, hacked account, misdirected email containing client info), you may need to report it to the ICO within 72 hours of becoming aware of it. Not every incident needs reporting - only those that pose a risk to individuals' rights and freedoms. A lost laptop with encrypted notes and a strong password is usually not reportable; a misdirected email containing a client's notes usually is. Where the risk is high, you also need to tell the affected clients without undue delay. Keep a log of all incidents regardless, including the ones you decided not to report and why - the ICO can ask to see it.

A practical GDPR checklist for therapists

  • Register with the ICO and pay the data protection fee
  • Write a privacy policy and share it with clients
  • Use encrypted software for session notes
  • Use a counselling agreement that explains how you handle client data and records any consent you rely on
  • Set a records retention policy and delete records when it expires
  • Secure your devices (strong password, full-disk encryption, automatic screen lock, software updates)
  • Have a plan for data breaches, including who you would call and how you would notify the ICO
  • Respond to client data requests within one month

GDPR compliance built in

Bloom is built with GDPR compliance at its core. Encrypted notes, EU-hosted data, ICO registered.