
GDPR for Private Practice Therapists: What You're Probably Getting Wrong

Most solo therapists in the UK have a few quiet GDPR gaps in their practice — and they don't know it. Here's a plain-English guide to what the law actually expects.

Let's start with the truth. If you're a private therapist running a solo practice in the UK, there's a very good chance some part of your setup is not GDPR compliant.

This isn't because you've done anything wrong on purpose. It's because the rules are dry, the language is full of legal jargon, and nobody in your training spent a whole afternoon explaining what "data minimisation" actually means in real life.

So let's fix that. No legal language. No scary warnings. Just a clear walk-through of the bits most therapists get wrong — and what to do about each one.

[Figure: client data, locked. Minimise, protect, be honest, delete when done. The four things GDPR actually asks of you.]
GDPR boils down to four ideas, and most therapists already follow the spirit of them.

What GDPR actually means (in plain English)

GDPR stands for "General Data Protection Regulation". It's the law that decides how you're allowed to store and use information about your clients in the UK.

In plain words, it says four things:

  • You can only collect information you actually need
  • You have to keep it safe
  • You have to be honest with clients about what you're doing with it
  • You have to delete it when you no longer need it

That's it. Most therapists already follow the spirit of these rules. The problem is in the details.

Gap 1 — Your client notes are in the wrong place

This is the most common mistake. Therapists keep client notes in:

  • A Google Doc
  • A folder on a personal laptop
  • A locked notebook in a drawer
  • An email thread with the client

None of these is properly safe on its own. Google Docs are stored on US servers. Personal laptops are rarely encrypted. Notebooks can be lost or stolen. Email is one of the least secure ways to send sensitive information.

What you need is a system designed for client records — one that keeps the data inside the UK or EU, locks it down, controls who can access it, and has a proper backup.

This is one of the things a modern booking system for small businesses can handle. Your notes, intake forms, and session history live in one secure place, with proper access controls, instead of scattered across five different apps.

Gap 2 — Your intake forms are emailed PDFs

Most therapists use a PDF intake form. The client downloads it, fills it in, and emails it back.

This is a problem. Email is not secure. The form contains some of the most sensitive information a person will ever share — mental health history, medication, family background. Sending it through Gmail or Outlook is the digital equivalent of shouting it across a coffee shop.

[Figure: an email stamp (anyone in the chain can read it) beside a secure form (private link, encrypted, UK servers).]
Email is the postcard. A proper form is the envelope.

The fix is to use a secure intake form. Good scheduling software for small businesses will give you one. The client fills it in through a private link. The data goes straight into your system. No email. No downloads. No "hope nobody forwards this by mistake".

Gap 3 — You don't have a privacy notice (or yours is wrong)

GDPR says you have to tell clients, in writing, what you're doing with their data. Most therapists either:

  • Don't have a privacy notice at all
  • Have one copied from another therapist's website that doesn't quite fit
  • Have one buried at the bottom of their website that no client has ever read

A proper privacy notice answers a few simple questions:

  • What information do you collect from clients?
  • Why do you collect it?
  • Where do you keep it?
  • How long do you keep it for?
  • Who else can see it (a supervisor, your accountant)?
  • How can the client see, change, or delete their data?

You don't need a lawyer to write one. You just need to answer those questions honestly, in plain English, and make sure clients see it before they share any information with you.

Gap 4 — You're keeping notes for too long

GDPR says you can only keep information for as long as you actually need it. For therapists, that's tied to your professional body's record-keeping rules.

For example, the BACP sets a retention period for client notes after the last session. Once that period is over, your obligation flips. You're not just allowed to delete the notes — you're expected to.

Most solo therapists never delete anything. Their laptop has every client note from the last decade.

Set a yearly review. Once a year, look at your records. Anything past the retention period gets deleted, properly and permanently. Not just the file on your laptop — the backups, the cloud copies, the email trail, all of it. Your records system should make this a one-click job, not a panic-inducing weekend project.

Gap 5 — Your "system" is actually five different apps

This is the quiet GDPR risk most therapists don't see.

You take bookings on one tool. You write notes in another. You send invoices through a third. Your forms come in by email. Your reminders go out through your phone.

Every one of those tools holds a piece of your client's data. Every one of them is a separate place where something could go wrong. Every one of them needs its own privacy policy, its own security check, and its own delete button.

[Figure: five tools, five leaks (bookings, notes, invoices, forms, reminders) versus one system holding all five, with one privacy policy and one delete button.]
Fewer tools means fewer cracks for things to slip through.

This is exactly why an all-in-one business management software changes the picture for solo practices. When bookings, notes, forms, payments, and messages all live in one secure place, you have one privacy policy to write, one system to lock down, and one button to press when a client asks for their data.

Where to start this week

You don't need to fix everything at once. If your practice has gaps, start here:

Five-step GDPR tidy-up
  1. Move client notes off Google Docs and personal laptops into a proper, UK-based records tool
  2. Replace emailed PDF intake forms with a secure online form
  3. Write or update your privacy notice in plain English and put it on your booking page
  4. Set a yearly date in your calendar to review and delete old records
  5. Audit the tools you use — and ask whether one good system could replace three half-good ones

GDPR isn't there to punish therapists. It's there to protect the people who trust you with the most sensitive parts of their lives. The good news is that getting it right also makes your practice calmer, cleaner, and easier to run.

You trained to help people. The compliance admin was never supposed to be the job. It's time to stop letting it be.

Run a calmer, compliant practice.

Aasure is an all-in-one platform built for small service businesses — handling bookings, secure intake forms, client records, and compliance automatically.

