GDPR: The Basics

On May 25th 2018, the General Data Protection Regulation (GDPR) replaced the Data Protection Act (DPA). Whilst getting my head around the new regulations has been frustrating (to put it lightly!), the introduction of GDPR is certainly a good thing; we’ve all read the stories in the media about how personal data has been misused, and I’m sure I’m not the only person who was getting a little tired of receiving unsolicited e-mails every single day. Knowing our data is being used correctly and with consideration is a positive move in the right direction.

So how does GDPR influence counsellors and psychotherapists in private practice?

Firstly, it helps to understand exactly what has changed. If you are familiar with the DPA, you’ll see that not much has changed. The Act has simply been amended to account for the vast advances in technology, as well as legal changes over the last few decades.

GDPR is here: you’ll know that because of all the e-mails you’ll have had from everybody and his dog, begging for you to let them keep in touch with you. Ensuring that you are GDPR compliant is not something that you ‘get round to later’, unless you are happy to risk getting a hefty fine.

Ok, so what exactly do you need to do to become GDPR compliant? Reading through the GDPR is confusing, as it does not give any definitive answers, because each individual person/organisation/circumstance is different. As with the DPA, you need to use your own judgement, and be able to clearly and concisely justify your decision-making with regards to the personal data you store and/or process. Whilst reading up on the subject is certainly recommended, here are some of the very basics that you need to consider:

Does GDPR apply to me?

The simple answer is yes. GDPR concerns personal data, and so if you have ever had a client and have recorded any of their personal information - right down to their name - then you are storing data, and so GDPR does apply to you and you need to ensure that you are storing this data correctly.

Do I need to register with the ICO?

Unless you are keeping absolutely no electronic records that contain an individual’s personal data (e-mails, website contact forms, telephone/text contact) then you need to register with the Information Commissioner’s Office (ICO). The fee is £40 for the year, and you can register here. When registering, you will be asked if you also need to assign a Data Protection Officer (DPO). Whilst you don’t necessarily need a DPO for private practice with no employees, there is no additional fee for registering yourself as a DPO and so there is no harm in doing so, and indeed it goes some way to showing how seriously you are taking people’s data privacy if you are registered.

What if I don’t/won’t keep any electronic records?

If you are considering not keeping any electronic records (though how you can avoid that isn’t something I can envisage) as a way of avoiding the ICO fee, you also need to consider the data portability element of the GDPR. This requires that you can provide information held about individuals to them swiftly, using a commonly-used electronic format. So, if you are only using pen and paper, you need to think about making some changes.

So what do you need to do?

  • 1. Audit the data you already hold.

    You need to spend some time considering where you hold personal information about clients (or potential clients). This isn’t as simple as reaching for the box file on your shelf and shredding old client notes. Do you have phone numbers stored in your phone? Names written down in your diary? Names of clients within supervision notes? You need to think about whether or not you have a legitimate reason under a lawful basis for storing this data.

  • 2. Consider the lawful basis for storing data.

    You need to have a legitimate reason for storing personal data. Of the lawful bases, consent is the one that makes sense to me. When you start working with a client, you will typically ask them to sign a contract, within which you will make clear your confidentiality policy. Within this policy, your client needs to understand that if you are worried about them, you might need to contact somebody to voice your concerns. Let’s say you tell them you’ll contact their GP. To do that, you need their GP’s name, as well as your client's name - there’s your legitimate reason. In addition to this, when a client begins counselling, they will expect that you will contact them to arrange appointments and so of course you will need their contact information in order to do this. When a client signs their consent, they agree to this.

    Beyond personal information, you also need to consider your therapy notes, session summaries and any background information you have sought from your client. Whilst it makes sense for you to have this data in the interests of providing a good service, this information is more sensitive, special category data, and so you need to consider how and where you are going to store it. It is generally advisable that contact details and content notes are stored separately; if you are going to anonymise your content notes - even better.

  • 3. Delete what is not needed, and protect what is.

    Now you have sifted through all the personal data you can find, it’s time to put it where it should be under your new guidelines. You need to consider the following:

    • Data is up to date and you are justified in storing it
      It is your responsibility to ensure that the data you store is up to date. It is also your responsibility to ensure that you are not holding data for longer than is required. GDPR does not set out guidelines for how long you should retain data, but your insurance provider will; check with them for guidance on how long you need to retain data to meet your obligations.
    • You are storing data correctly
      You need to make sure that you are storing data securely. Can you make sure that data you hold is only accessible by you? Have you put measures into place to protect against loss or destruction of data? It is your responsibility to minimise the risk of a data breach.
  • 4. Privacy Policy

    Now that you have considered your legal obligations for storing and processing data, and have made sure that all the data you already have is stored justifiably and securely, you need to consider writing a privacy policy to show your clients. GDPR states that we need to be totally transparent with clients (and potential clients), by making it clear to them exactly what personal information you will seek to obtain, what your legal basis for doing so is, how you will use their data, how you will store their data, and how you will destroy their data. Clients will need to consent to your GDPR policy, and state that they are happy for you to use their data in the ways you have described to them. It is better to have this as a separate document, rather than an addendum to your contract.

    Your privacy policy, as a minimum, needs to include:

    • The data controller’s name (your name or your business name)
    • What personal data are you seeking to collect?
    • Why are you seeking to collect this personal data?
    • What are you going to use personal data for?
    • In what circumstances will you share personal data?
    • Who can you share personal data with, and what is your legal justification for doing so?
    • How long are you going to store data for?
    • How are you going to store data?
    • How will you delete data when it is no longer needed?

    A further essential part of your privacy policy is making clients and potential clients aware of what their rights are within GDPR. Their rights are as follows:

    • To be informed of what data about them is stored
    • To request to see information stored about them
    • To have incorrect or inaccurate information rectified
    • To withdraw consent for use of personal data
    • To request that personal data is erased

    Within your privacy policy, you also need to consider how your website collects and stores data. You need to provide details of whether or not your website uses:

    • Cookies
    • Website analytics
    • Google analytics
    • Plug-ins
    • Links to third-party sites

    You also need to consider what information you seek to obtain via your website. Do you have a ‘contact me’ form? If so, what information are you seeking to collect with that form? Is it necessary, relevant, and adequate?

    This is just a brief (!) overview of the basics of GDPR and the aspects of it that you need to consider as a practitioner in private practice. I am not a legal professional, and nor am I a GDPR expert; the above is simply a summary of what I have learned from adjusting my own practice to comply with GDPR. For more information, have a look on the ICO’s website.