GDPR for Therapists: The 2026 Compliance Checklist to Avoid ICO Fines

Q: Do therapists need GDPR compliance in the UK?

Yes. Any UK therapist who processes personal data must comply with GDPR and the UK Data Protection Act 2018. Health data is special category data under GDPR Article 9, requiring additional safeguards.

Q: Does my therapy website need to be hosted in the UK or EU for GDPR?

GDPR requires personal data stays within the EEA or countries with adequate protection. US-based hosting is subject to the US CLOUD Act, which conflicts with GDPR. Hosting in the EEA with a GDPR-compliant DPA is the safest approach.

April 5, 2026 • Updated May 9, 2026 • 12 min read

As a health practitioner in the UK, you handle sensitive personal data every day. Session notes, contact details, medical histories — all of this falls under GDPR protection. Non-compliance isn't just a legal risk; it's an ethical failure. And with ICO fines reaching up to £17.5 million, it's a financial one too.

This guide walks you through the practical steps to achieve GDPR compliance without drowning in bureaucracy. Bookmark it. Use the checklist. Sleep better.

1. What Personal Data Do Therapists Hold?

GDPR applies to personal data — any information that can identify a living person. For therapists, this includes:

Name, address, phone number, email
Session notes and recordings
Payment information
Health information (classified as special category data — higher protection required)
IP addresses from your website visitors

Special Category Data: Health information requires additional safeguards under GDPR Article 9. You must have explicit consent or a legal basis (e.g., professional obligation) to process it. This is not optional.

2. Lawful Basis for Processing Client Data

Under GDPR Article 6, you need a lawful basis to process personal data. For therapists, common bases include:

Contract: Processing necessary to provide your services.
Legal Obligation: Keeping records for professional indemnity or regulatory requirements (e.g., BACP requires 7-year retention).
Legitimate Interests: Marketing to existing clients (with opt-out rights).
Consent: For optional communications (newsletters, follow-ups).

3. Data Minimization: Collect Less, Risk Less

Only collect what you need. Don't ask for unnecessary details on your contact form. Don't store session notes longer than required.

Best Practice: Set a retention policy. For example: "Session notes retained for 7 years (BACP professional requirement), then securely deleted." Document this in your privacy policy.

4. Security Measures Your Practice Must Have

GDPR Article 32 requires "appropriate technical and organisational measures." For therapists, this means:

Encryption: All data in transit (TLS/SSL) and at rest (encrypted storage).
Access Control: Only you (and authorised staff) can access client data.
Backups: Regular, encrypted backups stored securely.
Device Security: Password-protected devices, automatic lock screens.
VPN: Use a sovereign VPN when accessing client data on public Wi-Fi.

Avoid: Storing client data on Google Drive, Dropbox, or email services that scan your content for advertising. These violate GDPR data sovereignty requirements. See our Proton Drive privacy policy breakdown for why Swiss jurisdiction matters.

5. The Privacy-First Toolkit for UK Practitioners

Compliance isn't just about rules; it's about using the right tools. Here is a secure stack for UK practitioners:

Secure Email: Use Proton Mail for all client correspondence. End-to-end encryption ensures no third party can read your messages.
Secure Storage: Store session notes and files in Proton Drive. Files are encrypted before they leave your device.
Strong Passwords: Use Proton Pass to generate and store unique, complex passwords for every service.

🔒 Secure Your Entire Practice

Get full access to Proton Mail, VPN, Pass, and Drive with one subscription.

Get Proton Unlimited (64% Off)

Support Clear Practise: Using this link helps fund our privacy advocacy work.

6. Transparency & Privacy Notices

Clients must know how you use their data. Your website should include:

A clear Privacy Policy explaining what data you collect and why.
Cookie consent (if you use any tracking — ideally, don't).
Contact details for data protection inquiries.

7. Client Rights Under GDPR

Under GDPR, clients have the right to:

Access: Request a copy of their data.
Rectification: Correct inaccurate data.
Erasure: Request deletion ("Right to be Forgotten") — unless you have a legal obligation to retain records.
Portability: Receive their data in a machine-readable format.

GDPR Compliance Checklist for Therapists:

☑ Privacy Policy published on website
☑ Data retention policy defined (e.g., 7 years)
☑ Encryption enabled for all data (Email, Storage, Hosting)
☑ Secure backup system in place
☑ Staff trained on data protection
☑ Data processing agreements with any third parties
☑ Breach response plan documented

8. Data Breach Response: The 72-Hour Rule

If a breach occurs, you must report it to the ICO within 72 hours if it poses a risk to individuals. Have a plan ready:

Contain the breach immediately.
Assess the risk to affected individuals.
Notify the ICO (if required).
Notify affected clients (if high risk).
Document everything for accountability.

9. Choosing GDPR-Compliant Hosting

Your website and client data must be hosted on infrastructure that meets GDPR requirements:

EU/UK Jurisdiction: Data must stay within the EEA (or have adequate protection agreements).
No US Cloud Providers: AWS, Google Cloud, and Azure are subject to the US CLOUD Act, which conflicts with GDPR.
Encryption: Provider must offer encryption at rest and in transit.
Data Processing Agreement (DPA): Provider must sign a GDPR-compliant DPA.

From Compliance Requirements to Compliant Infrastructure

Reading the requirements is one thing. Meeting them is another. If your website is currently hosted on a US-based shared platform, you are already failing Section 9 of this guide.

Clear Practise was built to solve this exact problem. Our sovereign hosting in Finland keeps your data inside the EEA, encrypted at rest and in transit, with no US cloud dependency and no shared resources. We provide the infrastructure that makes your GDPR compliance credible — not just theoretical.

See GDPR-Compliant Hosting Plans

Frequently Asked Questions

Do therapists need GDPR compliance in the UK?

Yes. Any UK therapist who processes personal data — including client names, session notes, payment details, or health information — must comply with GDPR and the UK Data Protection Act 2018. Health data is classified as 'special category data' under GDPR Article 9, requiring additional safeguards.

What are the ICO fines for GDPR breaches by therapists?

The ICO can impose fines of up to £17.5 million or 4% of annual global turnover for serious GDPR breaches. For health practitioners, the risk is heightened because health data carries special category status. Even minor breaches involving client session notes or insecure email can trigger enforcement action.

Is Google Drive GDPR compliant for therapist client notes?

No. Google Drive scans file contents for advertising and security purposes, which constitutes data processing without explicit consent. Under GDPR, health data requires end-to-end encryption and minimal processing. Encrypted alternatives like Proton Drive, which cannot read your files, are the compliant choice for therapists.

Does my therapy website need to be hosted in the UK or EU for GDPR?

GDPR requires that personal data stays within the EEA or is transferred only to countries with adequate data protection. US-based hosting (AWS, Google Cloud, Azure) is subject to the US CLOUD Act, which conflicts with GDPR. Hosting in the EEA — such as Finland — with a GDPR-compliant Data Processing Agreement is the safest approach.

10. Ongoing Compliance

GDPR isn't a one-time checklist. It's ongoing:

Review your privacy policy annually.
Train staff regularly on data protection.
Test your breach response plan.
Audit third-party vendors for compliance.

Ready for GDPR-Compliant Hosting?

Join the Founding 15 and get a GDPR-compliant website with sovereign hosting, encrypted storage, and lifetime priority support.

Claim Your Spot