
GDPR Compliance for Therapists: A Practical Data Protection Guide

Galenie Team · 9 min read

GDPR applies to most therapists in the EU and UK. This practical guide covers your 7 key obligations, lawful basis for processing, and how to choose compliant tools.


The GDPR applies to every therapist who processes personal data of individuals in the EEA or UK, regardless of practice size or whether you work solo. Therapy records contain special category data (health information, including mental health conditions) and often criminal offence data (offences disclosed in confidence, which Article 10 subjects to similar safeguards), placing therapists under the strictest tier of obligations. Fines reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher, under the EU GDPR, and GBP 17.5 million or 4% of worldwide annual turnover under the UK GDPR.

This guide covers the specific obligations, lawful bases, and practical steps therapists need. If you also treat US-based clients, see the GDPR vs HIPAA comparison below and our HIPAA compliance checklist.

Does GDPR Apply to Your Therapy Practice?

GDPR applies if any of these are true:

  • You are established in the EEA or UK. Any therapist practising in an EU/EEA member state or the UK is subject to GDPR.
  • You offer services to EEA/UK individuals. A therapist based outside Europe who offers telehealth to EU/UK residents must comply for those clients’ data. Merely having a website that EU/UK residents can reach does not by itself trigger GDPR; actively marketing to them (pricing in euros or pounds, language targeting) or accepting their bookings does.
  • You monitor behaviour of EEA/UK individuals. Analytics tracking or cookies collecting data from EEA/UK visitors triggers GDPR for that processing.

UK GDPR and ICO Registration

Since Brexit, the UK operates under the UK GDPR, which is substantively identical to the EU version, with the ICO as supervisory authority. Most UK therapists must register with the ICO and pay an annual data protection fee:

  • Tier 1 (GBP 40/year): no more than 10 staff, or turnover of GBP 632,000 or less. Covers most solo and small practices.
  • Tier 2 (GBP 60/year): no more than 250 staff, or turnover of GBP 36 million or less.

Failing to pay the fee when you are required to can result in a fixed monetary penalty from the ICO. Fees are revised periodically, so confirm the current amount at ico.org.uk, register there, and renew annually.

The 7 Key GDPR Obligations for Therapists

GDPR’s seven principles (Article 5(1), with accountability in Article 5(2)) apply to every processing activity in your practice:

1. Lawfulness, fairness, and transparency. Have a valid lawful basis for each data category. Tell clients what you collect, why, how long you keep it, and who receives it – via a privacy notice provided before processing begins.

2. Purpose limitation. Data collected for treatment cannot be repurposed for marketing, research, or AI model training without separate legal justification.

3. Data minimisation. Collect only what you need. Review your intake forms to remove fields you cannot justify.

4. Accuracy. Keep data up to date. Clients have the right to rectification (Article 16) – correct inaccurate data without undue delay.

5. Storage limitation. Define a retention schedule and apply it: records kept past the point you can justify are a liability, not an asset. BACP recommends a minimum of 6 years after last contact (for a child client, until they reach 25 if that is later). BPS suggests 5 years for adults. State your policy in your privacy notice.

6. Integrity and confidentiality. Implement appropriate security measures: encryption at rest and in transit, full-disk encryption on any laptop or phone that touches client data, multi-factor authentication, locked storage for paper records, secure disposal, and access controls. See our client confidentiality guide for details.

7. Accountability. Demonstrate compliance through documentation: a Record of Processing Activities (ROPA), lawful basis records, a breach log, and evidence of consent where applicable.

Accountability checklist:

  • Privacy notice provided to all clients
  • ROPA maintained
  • Retention schedule documented
  • Breach log maintained (every breach, including those you decide not to report to the ICO)
  • DPIA completed for high-risk processing (AI notes, audio recording)
  • Processor agreements with all third-party tools
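The storage limitation principle above only works if the retention schedule is actually applied, which means someone (or something) has to work out, per client, the earliest date a record may be destroyed. The following is an added example written for this guide, not Galenie’s code. It encodes the rule as stated above: keep records for N years after last contact, and for clients who were children at last contact, at least until their 25th birthday. Reading the two as “whichever is later”, the legal-hold flag, and the sample caseload are all assumptions made for the example; change the policy parameters to match the guidance your professional body gives you.

```python
"""Retention-schedule calculator for therapy records (illustrative).

Added example, not Galenie's code. Rule encoded: keep a record for
`retention_years` after last contact; for a client who was under 18 at
last contact, keep it at least until their `child_until_age` birthday,
whichever is later (that "later" reading is an assumption). A legal
hold (e.g. a pending complaint or court order) blocks deletion entirely,
matching the Art. 17(3) ground for refusing erasure.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    date_of_birth: date
    last_contact: date
    legal_hold: bool = False  # assumed flag: pending claim, complaint or court order


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 Feb date rolls to 1 Mar in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


def was_minor_at(record: ClientRecord, on: date) -> bool:
    """True if the client had not yet turned 18 on the given date."""
    return add_years(record.date_of_birth, 18) > on


def earliest_deletion_date(
    record: ClientRecord,
    retention_years: int = 6,   # BACP figure from the guide; BPS adults: 5
    child_until_age: int = 25,  # BACP figure from the guide for child clients
) -> Optional[date]:
    """Earliest date the record may be destroyed, or None while a legal hold applies."""
    if record.legal_hold:
        return None
    due = add_years(record.last_contact, retention_years)
    if was_minor_at(record, record.last_contact):
        due = max(due, add_years(record.date_of_birth, child_until_age))
    return due


def records_due_for_deletion(
    records: Iterable[ClientRecord], today: date, **policy
) -> List[Tuple[str, date]]:
    """(client_id, due date) for every record whose retention period has expired by `today`."""
    due = []
    for r in records:
        d = earliest_deletion_date(r, **policy)
        if d is not None and d <= today:
            due.append((r.client_id, d))
    return sorted(due, key=lambda pair: pair[1])


# Constructed sample caseload: IDs and dates are invented for this example.
SAMPLE_RECORDS = [
    ClientRecord("C001", date(1990, 5, 10), date(2020, 3, 15)),   # adult
    ClientRecord("C002", date(2010, 6, 1), date(2022, 1, 10)),    # aged 11 at last contact
    ClientRecord("C003", date(2005, 9, 30), date(2023, 1, 1)),    # aged 17 at last contact
    ClientRecord("C004", date(1985, 2, 2), date(2024, 2, 29)),    # leap-day last contact
    ClientRecord("C005", date(1975, 8, 20), date(2018, 4, 4), legal_hold=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.client_id, earliest_deletion_date(rec))
    print("due by 2030-03-15:",
          records_due_for_deletion(SAMPLE_RECORDS, date(2030, 3, 15)))
```

Run it periodically against an export from your practice management system and treat the output as a worklist, not an automatic purge: each deletion should still be recorded (what, when, basis) so the accountability trail described below stays intact.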

Lawful Basis for Processing Client Data in Therapy

You need a lawful basis under Article 6 for personal data, plus an Article 9 condition for special category (health) data.

Article 6: Which Basis Applies?

Lawful basis                          | Therapy application                                                        | Notes
Contractual necessity (Art. 6(1)(b))  | Name, contact details, session dates, fees                                 | Primary basis for administrative data
Legitimate interests (Art. 6(1)(f))   | Clinical records for professional accountability, defending legal claims   | Requires a Legitimate Interests Assessment
Legal obligation (Art. 6(1)(c))       | Safeguarding/mandatory reporting, tax records, court orders                | No client consent needed
Consent (Art. 6(1)(a))                | Newsletters, research use, audio recording                                 | Must be specific, informed, withdrawable
Vital interests (Art. 6(1)(d))        | Emergency risk-of-harm situations                                          | Rarely used

Article 9: Special Category Conditions

For health data, the most relevant conditions are:

  • Provision of health care (Art. 9(2)(h)) – applies when data is processed for treatment by, or under the responsibility of, a professional bound by an obligation of secrecy (Art. 9(3)). In the UK, Schedule 1 of the Data Protection Act 2018 extends this to anyone who owes a duty of confidentiality in the circumstances, so therapists registered with BACP, UKCP, BPS, or HCPC can rely on it.
  • Explicit consent (Art. 9(2)(a)) – for optional processing beyond core treatment.
  • Substantial public interest (Art. 9(2)(g)) – safeguarding and mandatory reporting.

Key recommendation: Use contractual necessity or legitimate interests (Article 6) combined with provision of health care (Article 9) for core clinical records. Reserve consent for optional processing like audio recording or AI-assisted summaries. If a client withdraws consent and it is your only basis, you must stop processing – problematic for records you are professionally required to keep.

GDPR-compliant informed consent must be:

  • Freely given – not a condition of receiving therapy
  • Specific – separate consent per purpose (audio recording, AI analysis, supervisor sharing)
  • Informed – clients know what they are consenting to and that they can withdraw at any time; withdrawing must be as easy as consenting (Article 7(3))
  • Unambiguous – opt-in action required; pre-ticked boxes are invalid

Data Subject Rights

Clients can exercise these rights at any time:

  • Access (Art. 15): A copy of all personal data you hold, plus the purposes, recipients, and retention period. Respond within one month, extendable by up to two further months for complex requests if you tell the client within the first month. In the UK, Schedule 3 of the Data Protection Act 2018 allows health data to be withheld where disclosure would be likely to cause serious harm to the client or another person; that test is applied case by case by an appropriate health professional, never as a blanket policy.
  • Rectification (Art. 16): Correct inaccurate data.
  • Erasure (Art. 17): Delete their data – but you may refuse when legal obligations, professional retention requirements, or the establishment or defence of legal claims (Art. 17(3)) justify continued retention. Tell the client which ground you are relying on.
  • Portability (Art. 20): Provide data in a structured, commonly used, machine-readable format. This right applies only to data processed by automated means on the basis of consent or contract, so it covers booking and billing records but not clinical notes you hold under legitimate interests and Art. 9(2)(h).

When erasing data, delete from all systems: practice management software, email, paper files, and processor systems. Backups are the usual sticking point; where an individual record cannot be purged from a backup set, the ICO accepts putting the data “beyond use” (never restored for ordinary purposes and removed on the next backup cycle) provided your policy documents this. Record what was deleted, when, and your basis for doing so.

Data Breach Notification Requirements

A breach is any incident leading to unauthorised access to, disclosure, alteration, loss, or destruction of personal data: emailing notes to the wrong person, a stolen laptop holding unencrypted records, a ransomware infection that makes records unavailable, or a security incident at a platform you use. Whether you must notify depends on the risk to clients, so the facts matter: a laptop with full-disk encryption whose key the thief does not have is a far lower-risk loss than the same laptop unencrypted, and you should be able to show which one you had.

Notification rules:

  • Supervisory authority (Art. 33): Report within 72 hours of becoming aware unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Therapy data is special category, so most breaches will meet the threshold; a late report must give reasons for the delay.
  • Affected clients (Art. 34): Notify without undue delay if the breach is likely to result in a high risk to them, describing what happened, the likely consequences, and what they can do to protect themselves.

Breach response checklist:

  • Contain the breach immediately (revoke access, recall the email, wipe the device remotely if you can)
  • Assess what data and which individuals are affected, and whether encryption or other controls limit the harm
  • Log the breach internally (mandatory for every breach, reported or not, under Art. 33(5))
  • Report to the supervisory authority within 72 hours where the risk threshold is met
  • Notify affected clients if the risk to them is high
  • Update security measures to prevent recurrence and record what you changed

Choosing GDPR-Compliant Practice Management Tools

You are the data controller; every tool processing client data on your behalf is a data processor. You remain legally responsible for their handling of data. Before adopting any practice management software, verify:

  • Data Processing Agreement (DPA): Mandatory under Article 28
  • Data hosting location: Within the EEA/UK, or transferred under an approved mechanism (an adequacy decision, SCCs or the UK IDTA/Addendum, or certification under the EU-US Data Privacy Framework and its UK extension)
  • Encryption: TLS 1.2+ in transit, AES-256 or equivalent at rest. Ask who holds the keys: encryption at rest with vendor-managed keys protects against a lost disk, not against the vendor itself or an attacker with vendor-level access
  • Access controls: MFA, role-based access, audit logging
  • Deletion capability: Permanent deletion of individual records (not just archiving)
  • Sub-processor transparency: Published list with change notifications

Galenie is built with GDPR and HIPAA compliance as foundational requirements – end-to-end encryption, granular consent tracking for audio, transcription, and AI processing, EU data residency options, and permanent record deletion on request.

GDPR vs HIPAA – Key Differences for International Practices

Therapists treating clients in both the US and EU/UK must comply with both HIPAA and GDPR. Compliance with one does not guarantee compliance with the other.

Aspect                | GDPR (EU/UK)                                                                  | HIPAA (US)
Scope                 | All personal data, any sector                                                 | PHI held by covered entities and their business associates
Lawful basis          | Must identify 1 of 6 bases (plus an Art. 9 condition for health data)        | No equivalent; processing permitted unless restricted
Consent model         | Opt-in; explicit for health data beyond core treatment                        | Not required for Treatment/Payment/Operations
Right to erasure      | Yes (with exceptions)                                                         | No; HIPAA documentation must be kept 6 years, and state law sets medical record retention
Breach notification   | 72 hours to the supervisory authority; clients without undue delay if high risk | 60 days to individuals; to HHS within 60 days for 500+ people, otherwise in an annual log
Penalties             | Up to EUR 20M / 4% of worldwide turnover                                      | Up to about $2.1M per violation category per year (adjusted annually)
Therapy notes         | Protected as special category data                                            | Psychotherapy notes get additional protection beyond standard PHI
Processor contracts   | Data Processing Agreement (Art. 28)                                           | Business Associate Agreement
Registration          | UK: ICO fee; EU: no general registration, though some states require DPO notification | None required

Dual-jurisdiction guidance: Apply the stricter standard for each requirement. Give every client a GDPR-style privacy notice and opt-in consent for optional processing (keeping core clinical records on a non-consent basis, as above), honour erasure for EU/UK clients while keeping US clients’ records for the HIPAA and state retention periods, work to the 72-hour breach deadline for everyone, and maintain both DPAs and BAAs with your vendors. Tools with granular consent tracking help meet both standards. For more on cross-jurisdictional data protection, see our client confidentiality resource.

Next Steps

  1. Audit your data processing – list all personal data collected, stored, and shared. This becomes your ROPA.
  2. Document your lawful basis for each processing activity.
  3. Update your privacy notice and provide it to every client.
  4. Review consent forms using our informed consent guide.
  5. Sign DPAs with every software vendor processing client data.
  6. Register with the ICO (UK therapists) and pay the annual fee.
  7. Create a breach response plan to meet the 72-hour deadline.

GDPR compliance protects your clients’ fundamental right to privacy and shields your practice from regulatory action. The investment in getting it right is far smaller than the cost of getting it wrong.
