GDPR sets out the main principles of data protection and the responsibilities organisations have when handling personal data. It protects individuals’ personal information and improves their control over how it is collected, stored, shared and used.
GDPR is complex and you may wish to seek professional advice from a legal expert in data protection. They will be able to clarify the finer points of GDPR requirements and what it means for your organisation or practice.
For the latest information, see the Information Commissioner’s Office (ICO) website, which has lots of resources from basic tools to detailed guides. It's worth checking back regularly as GDPR information is still being updated.
Do I need to register with the ICO?
All businesses (including sole traders) that process personal information electronically must register with the ICO and pay a fee. A new fee charging structure came into effect on 25 May 2018, to coincide with the GDPR.
See Register on the ICO website.
I only keep paper records. Do I need to register with the ICO?
If you don’t process any personal information electronically - so no email, no texts or contact details on your phone, no audio recordings for example - then you don’t have to register with the ICO. You do still have to comply with GDPR.
Do the same rules apply to paper records and electronic records?
Broadly speaking the same regulations do apply. But it’s almost impossible not to keep some personal data electronically (for example in emails, audio recordings), so if you keep paper records you have the added complexity of maintaining both paper and electronic media.
See Key definitions on the ICO website.
How long should I keep my records for?
GDPR does not set specific time limits but requires that you only keep information for as long as is necessary for the specific reason that you originally collected it. So you will need to decide how long you need to keep personal data.
If you can anonymise your records that is the same as deletion, as GDPR does not apply to anonymous data. But the information must be truly anonymous so that there is no way that the data subject can be identified.
You should also consider whether you can minimise a record after a certain time. So can you delete some of the information you hold on a client (especially the more sensitive information) and just retain limited data.
Further points to consider include:
- whether the data in your records is covered by any legal or regulatory requirements
- whether your indemnity insurers specify a time period
- your organisational policies
- the time limits for raising a complaint against a therapist (currently three years after counselling has ended under our Professional Conduct procedure)
What is pseudonymisation?
This is basically a reversible anonymisation. For instance, you could remove all personal identification from your records, such as name, address, email, and keep these fields in a different system (preferably held on a completely separate system, possibly a paper notebook). You would use a ‘pseudonym’ to connect the two systems. This also makes the eventual anonymisation of the record easier as you only need to delete the secondary record.
Pseudonymised records are still defined as personal data under GDPR but, as long as the two elements are kept physically separated, the risks are reduced. Any data breach would be considered less serious if the records compromised had been effectively pseudonymised.
How should I destroy or delete records?
This depends on how your records are stored. Paper records holding personal data must be shredded. Electronic records can be more difficult as you must ensure the data cannot be ‘un-deleted’ or restored from backups.
See Deleting personal data on the ICO website.
Do I need to contact previous clients if I still have their records?
This partly depends on what you told the clients when you originally collected their information. It also depends on what retention period you have decided on.
Once you’ve minimised and anonymised as much data as possible, if:
- you can still justify holding personal data about the client and
- you did not explicitly explain this to the client when you collected it
then you ought to contact the clients to explain your policy and allow them to ask for their personal data to be deleted.
This is particularly important if you retain any data classified as ‘special category’. You should certainly explain this in your privacy statement so that former clients can easily find out what data you are keeping about them.
See Special category data on the ICO website.
What do I need to include in a privacy statement?
Your privacy statement (or privacy notice) is possibly the most important part of your GDPR compliance. Transparency is fundamental to data protection and your privacy statement is the main way you can achieve.
Your privacy statement should be as thorough as possible. You must avoid jargon and write it in terms your clients will understand. You must explain what personal data you keep, how long you keep it, what you do with it and who you share it with. Look at it from the client’s point of view to ensure it’s easy for them to find the information they need.
See The right to be informed on the ICO website.
Are there additional considerations when working with children and young people?
Yes, GDPR is more complex if you’re dealing with the personal data of children and young people. This also overlaps with safeguarding policies, so if you already adhere to strict safeguarding principles you will probably not have to make significant changes to comply with GDPR.
See Children on the ICO website.
General questions about GDPR
What's GDPR about?
If a company has legitimately collected some personal information from or about you - such as your home address, medical history, religion or ethnic background - you'd want them to keep it secure and not misuse it or pass it on inappropriately.
GDPR is about protecting information so that those news stories about very sensitive personal records being lost or made available to others can't happen.
Why does the law need an update?
Since the DPA 1998 came into effect there have been significant advances in technology, social media and digital networks - Google, Facebook, Twitter, Snapchat and Instagram didn’t exist back then. GDPR brings the law up to date to address new and emerging data threats, and will bring consistency throughout the EU and worldwide for organisations seeking to do business with EU citizens.
Does it apply to me?
No matter what your business is, every UK and EU company or service is likely to hold some personal data, so will need to be GDPR compliant.
You need to be sure that your customers’ or staff's personal information is protected according to the legal requirements, as there are substantial penalties for not complying with GDPR.
I’m self-employed and have a private practice at home. Does GDPR apply to me?
If you process personal data solely within your own personal life or for household activities, GDPR doesn’t apply. But if you undertake any commercial activities, even if you’re a sole trader working from home, it's highly likely that you will be subject to GDPR.
There are some exemptions for organisations with less than 250 employees - see Self-assessment on the ICO website for more information.
What are the penalties for non-compliance?
For Tier one incidents, which relate to the organisation's obligations, the fine is up to €10 million, or 2% annual global turnover (whichever is higher).
For Tier two incidents, which are incidents affecting an individual's privacy rights, the fine is up to €20 million, or 4% annual global turnover (whichever is higher).
The fines are discretionary, not mandatory, and are made on a case-by-case basis. When deciding which tier applies and what the resulting fine should be, the ICO must consider many factors including:
- the extent of the damage
- what data was involved
- the data protection policies and procedures of the organisation
- any mitigating and corrective actions taken following the infringement
- if any previous incidents have been caused by the organisation
Individuals have the right to material and non-material compensation.
What are the main differences between GDPR and the DPA 1998?
GDPR provides a more comprehensive framework for data collection, processing and storage. The penalties for getting it wrong are also much more severe.
GDPR gives individuals more control over the data held on them. It introduces tougher fines for privacy breach and non-compliance, and there are some key changes, such as the age of minors.
- An individual’s consent over how their data is processed is given a higher standard. Consent must be quite clear and freely given, and can be withdrawn. Consent must be a positive opt-in, so pre-ticked boxes alone will no longer be sufficient. Individuals have the right to know in detail how their personal data is processed, used and shared. (Consent is not the only reason for processing data - there are other reasons such as ‘legitimate interests’.)
- Individuals have greater rights, including the right to have their data corrected or erased, to restrict the processing of their data and to reclaim their personal data and send it on elsewhere. Reasonable requests are free of charge and must be met within a month.
- The ICO must be notified about any breaches where there may be a risk to the rights and freedoms of individuals. All breaches must be recorded even where notifying the ICO isn’t necessary.
- The fines for organisations which don’t get it right can be much larger than previously (up to 4% of annual worldwide turnover and €20 million).
- Some organisations will have to appoint data protection officers to oversee their data processing activities.
- Data controllers will have to have written contracts with any data processors they appoint.
It will remain a legal requirement for data controllers to pay the ICO a data protection fee, but you will no longer have to register your data processing activities with the ICO.
What do I need to do about GDPR?
There's no need to panic if you're not yet fully compliant, but you should at least have a roadmap of how you're going to achieve compliance.
If you've not already done so, your starting point should be to introduce a transparent privacy statement for all your clients. The ICO website provides more information about privacy statements with examples of good and bad privacy notices.
Things to consider
What data do you hold?
Conduct an audit. Do you know what personal data you hold, where it comes from and who you share it with?
How do you respond to data requests?
Make sure that your procedures are up to date with GDPR requirements. How will you handle requests to see personal data within GDPR timescales and provide any additional information?
What is your legal basis for processing personal data?
Consider the various types of data processing you carry out. Identify and document your legal basis for doing these.
How do you seek, obtain and record content? Do you need to make any changes?
How can you be sure of individuals’ ages? Consider what systems you will need in place to gather consent for those who cannot give it themselves.
What procedures do you need to identify a breach, report it and carry out an investigation? Do you know what to disclose, when and to who?
Data protection by design and impact assessments (DPAs)
Make sure you are familiar with the specific guidance produced by the ICO. Where and how should you implement DPAs in your business?
Data protection officers
Do you need to designate a DPO? If so, where should the responsibility sit within the organisation and who will hold it?
Are all decision makers and key people in your organisation aware of GDPR? Do they appreciate the impact that this is likely to have?
If you operate internationally, make sure you know which supervisory authority you come under for data protection.
How can I check if I am GDPR compliant?
The ICO compliance self-assessment may help you.
Good Practice in Action resources
- Legal resource: GDPR legal principles and practice notes GPiA 105
- Legal resource: Ownership and storage of records GPiA 071
Information Commissioner’s Office (ICO) resources
EU GDPR text and information
New data protection regulations
The General Data Protection Regulations will change how we can store and use client data. Susan Dale explains. Therapy Today, March 2018
An upgrade for data privacy?
Open article: Peter Jenkins examines the changing legal framework surrounding the General Data Protection Regulation and explains the implications for therapists and organisations. Counselling at Work, January 2018
General data protection regulation (GDPR) and CYP
Open article: Barbara Mitchels and David Membrey discuss the impact, issues and misunderstandings of GDPR, focusing on some of those relevant to working with children and young people. BACP Children, Young People and Families, December 2018