GDPR is upon us

Don’t bury your head in the sand


What is this GDPR that everyone is stressing about?

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). These new EU data protection regulations come into force on 25th May 2018 covering all businesses, from multinationals to sole traders. This includes complementary therapists, many of whom work alone or within a clinic.

Unless you have been stranded on a desert island in recent months you can’t fail to have seen the panic and despair spreading across the business community as they realise that every business that processes personal data (and that’s just about every business!) has to comply. You may have come across some of the numerous scare-mongering emails flying about or felt pressurised by the hard-sell from the multitude of data protection legal firms plying their wares! Forums and chat rooms have been full of negativity, fear, anxiety and confusion. It’s as though everyone is in meltdown not knowing what to do.

To some extent they are not wrong – the challenges it presents are real and daunting. It is time-consuming and it can be confusing, as not one rule fits all, but it’s not all bad. In fact, if you take a moment to consider it, it can only be a good thing.

The GDPR is a positive framework which will benefit us all, by protecting our personal data.  It’s right that as businesses we act responsibly in the way we treat information we’re entrusted with and that we can be held accountable if something goes wrong. GDPR ensures that businesses are able to demonstrate a greater respect for personal privacy and rights of the individual.

Let’s consider it from your clients’ perspective. When clients give you their personal information, they expect you to keep it securely and use it appropriately. The new legislation gives the clients (your customers) new rights which they should be very happy about.

  • Your clients will have the right to access any of their information, including notes, and can expect to be able to read them and understand what they mean without expert medical knowledge. This will ensure that any profiling that is undertaken using their personal information is fair, appropriate, statistically valid and transparent. It will also encourage therapists to take care with their consultations and record keeping.
  • Clients will have the right to correct any information, which will cut down on errors, and if a client wishes to have their data deleted they now have the right to do so. They can also prevent further use (or processing) of their information.
  • They will know how their personal information is being used and can expect their therapist to take appropriate measures to protect their data. They will be notified if critical information about them was inappropriately accessed.
  • Your clients will have the right to know if their personal information has been forwarded to a third party and that their personal information is not being transferred outside of the EU.

GDPR compliance will not only give your clients peace of mind but it will encourage all of us to treat people exactly as we would like to be treated and not abuse the information they give us.

New legislation is long overdue, as existing data protection legislation was adopted nearly 20 years ago, before Google and smartphones even existed! The world has really moved on since then but unfortunately so has the problem of data privacy.

Incidents of hacking and identity theft are constantly on the rise, and GDPR is a positive move in making this more and more difficult for cyber criminals to achieve. It will force the bad companies to comply and respect our privacy and should reduce the amount of spam mail we receive on a daily basis.

So yes, things are changing, and rather than see it all as a hindrance, we should see it as a good step forward to protect the data we collect and, as a bonus, an opportunity to carry out a spring clean of our records and data-protection related policies.

This is why I believe GDPR is a positive development and should be embraced.

So where do we go from here?


So how do you eat the GDPR elephant?

One bite at a time.


The GDPR is similar to the Data Protection Act (DPA) and so long as you already comply with that, the effect on your business may be minimal. However, there are some changes that you may need to make to how you deal with personal information.


Simple Steps to follow – take it slowly – stay calm and measured


  1. Awareness and Understanding

Start by recognising the benefits and embracing the reasons for the new legislation. It is a lot of extra work for most, but the benefits are that this legislation will help to protect us all and those following on.

Familiarise yourself with the legislation, but try not to get too bogged down at this stage. You (and anyone else in your business) must read and understand how the law is changing and what it means for your business. Once you are aware of the rules, start to think how you will apply them to your business, bearing in mind you are holding sensitive healthcare information about your clients. Think about each of your clients’ rights in this way, as it should make it easier for you to put it into perspective. Much of it is common sense and you probably do it anyway.

  2. Information gathering – Audit and Review

Don’t be put off by the term ‘audit’. Preparing for the GDPR means you need to get a grip on your data – you may be surprised by what you discover! The GDPR requires you to document this. By doing so, it will be easier to comply with the requirements of the GDPR, including the accountability principle. Document all the personal data you hold, where it came from and who you share it with, such as client lists, mailing lists, consultation forms etc. Keep personal data only where it is necessary and securely dispose of or delete any which is out of date or is no longer required. Hold regular reviews of files and discard unnecessary or obsolete ones. Examine all your current consultation forms and other correspondence to ensure that any privacy notices comply with the new regulations.

  3. Lawful basis

You are only allowed to hold and process personal information if you have a lawful basis to do so. You should document what lawful basis you’re using to justify holding and processing personal information. This will help you comply with the accountability requirements imposed by GDPR. 

  4. Rights and Access

Be open with clients about the information you hold on them. Ensure your procedures comply with their rights as set down in the new regulations. Any client can request a copy of the information you hold about them. This is known as a subject access request. Under GDPR you have 30 days in which to comply with a request from someone for a copy of the personal information that you hold on them.

  5. Consent and Disclosure

You must obtain consent wherever possible before acquiring, holding or using personal data. This must be on an opt-in basis. You cannot assume consent. Any forms (paper or web-based) designed to gather personal data should contain a statement explaining what the information is to be used for and who it may be disclosed to. Review how you seek, record and manage consent and assess whether you need to make any changes. If existing consents do not meet the new GDPR standard, refresh them. Please note when seeking consent, the client must check a box to opt in, not uncheck one to opt out. Do not reveal personal data to third parties without the consent of the individual concerned.

Be aware that there is data and then there is sensitive personal data (i.e. relating to race, political opinion, physical or mental health, religious belief, sexuality, etc). It is wise to hold and use such information only where strictly necessary. You must always obtain the consent of the individual and notify them of the likely use(s) of such data.

Update your terms and conditions, privacy notice and client contracts to include this information and have it available for clients to review.  If you have a website, this is the perfect place to publish it and you can refer people to it.

  6. Storage and Breaches

Protecting your data is essential in the modern world and getting up to the GDPR standard is only going to help your business. All personal data must be stored securely. That means password protection for online records and lockable filing cabinets for paper ones. Do not leave records containing personal data unattended in areas accessible to the public and ensure that personal data is not displayed on computer screens visible to passers-by. It helps if you get into the habit of keeping data secure – this is the advice from the FSB (Federation of Small Businesses):

  • Have a clear desk policy
  • Lock all filing cabinets and drawers when not in use
  • If you leave your computer unattended, lock it
  • Set automatic locks on your phone and tablet and computer
  • Make sure you have secure passwords
  • Check the security of buildings where you keep data
  • Avoid using public wifi networks to access the internet

If there is a data breach, you must know how to identify, report and correct it.

  7. Register for Data Protection

In case you’ve overlooked this – it is a legal requirement to register with the ICO, and as soon as you start working with clients, you will be handling data. It takes minutes and costs £40.00, so register now:

  • The first thing to do is check to see whether your business needs to register (most do but there are exceptions). You can do this by working through the ICO’s self-assessment tool.
  • Next, check the status of your current registration on the ICO’s register of data controllers.
  • If your business changes its legal status, e.g. from sole trader to a company, you will need to re-register as entries aren’t transferable.
  • Should you need to amend or change your entry on the register, e.g. because of a status change or because you now process different types of personal data, a request can be made online or by phone.
  • Don’t overlook registration; there are no excuses and failure to do so is a criminal offence.


You can’t ignore GDPR and hope it goes away. Think of it as an opportunity to improve the way you work and interact with your clients. Do your own research and take advice from trusted sources like the ICO and your professional body. Beware of the many organisations that are jumping on the GDPR bandwagon, many of whom are making it sound so complicated that you start to believe you won’t achieve it without their help!

Useful links

We cannot give you specific advice, but can give you the following links to help you to understand what is required of you:


More information is currently available on the following sites:


Further information about data protection

For more information about complying with data protection law, visit the Information Commissioner’s Office (ICO) website or phone the ICO helpline on 0303 123 1113 or 01625 545745.

Disclaimer – Just to be clear, this information is my interpretation from my research into GDPR and does not represent legal advice. 

Author – Lynn Vereenooghe, MSCM Principal


