GDPR for UK wellness practices: what the law requires of you, when it starts, and how to meet it without losing the plot.
Your data obligations are already running. The moment a prospective client fills in your contact form, the law has opinions about what you do next. We've written this guide for UK coaches, therapists, healers, and clinic owners who'd rather get ahead of this than receive correspondence from the ICO.
A new enquiry lands in your inbox. A prospective client has typed their name, their concern, possibly something about their back, their anxiety, or their marriage. GDPR applies to that data the instant it arrives. You are now a data controller. The first appointment is weeks away, possibly never. The legal relationship, however, has already started.
Practices often picture compliance as something kicking in once a client is properly onboarded - once the intake form is signed and the sessions are underway. The law disagrees.
Your contact form is a data collection point. So is your booking widget. So is the enquiry arriving via Instagram DM last week. Every one of these touchpoints pulls your obligations into effect:
The enquiry stage is also where most practices are most exposed, because it feels informal. A client sent a message. You replied. Lovely. And somewhere in a spreadsheet, or a Gmail thread, or a WhatsApp, their sensitive personal data is sitting in a format that would make a data auditor go and lie down in a dark room.
"The obligation doesn't wait for the intake form. It arrives with the enquiry."
Treating pre-client contact as outside the compliance perimeter is one of the most common - and most correctable - gaps in a small practice's data setup.
A properly configured contact form, paired with a clear privacy notice, is like a well-labelled filing cabinet where everything has a place.
You have eleven clients. You work from a rented room on Thursday afternoons and from your kitchen table the rest of the week. The Information Commissioner's Office extends its full attention to practices of every size.
The belief that GDPR is a large-organisation problem is extremely popular and entirely unfounded. Sole practitioners - coaches, healers, independent therapists of every modality - are data controllers in the full legal sense. The core duties are the same whether you have ten clients or ten thousand, and the small-organisation exemptions that do exist fall away as soon as you routinely process health data, which is precisely what a wellness practice does.
What changes with growth is complexity, not obligation. A multi-room clinic has more data flows to map, more staff to train, more systems to audit. But the foundational requirements - lawful basis, retention periods, subject access rights, breach notification - apply to you and your Thursday afternoon room with equal force.
Here's what that means in practice:
The paperwork is lighter than you'd expect; the legal exposure for skipping it sits at the same level regardless of how many rooms you rent. A sole practitioner receiving an ICO complaint faces the same investigation process as a clinic - the same timelines, the same evidential requirements, the same potential for a fine.
The size of your practice determines how much work compliance takes. A single well-organised folder of the right documents puts you in a fundamentally different position.
A proper first-aid kit fits in a shoebox.
Every time you record a client's session notes, health history, or presenting concern, you are processing special category data under UK GDPR. Doing so without a documented lawful basis is a compliance failure, full stop.
The phrase "lawful basis" sounds like the kind of thing living in a legal textbook, rarely troubling real people. It's the structural answer to a very simple question: why are you allowed to hold this data?
For most wellness practices, the relevant bases are:
The catch - and compliance has one in almost every room - is that an Article 6 lawful basis on its own is not enough for special category data. Article 9 of UK GDPR requires a separate condition on top. For most coaching and talking-therapy practices that condition is the client's explicit consent (Article 9(2)(a)). Registered health professionals bound by a professional duty of confidentiality can usually rely instead on the health and social care condition (Article 9(2)(h), with the matching condition in Schedule 1 of the Data Protection Act 2018), which does not depend on consent at all. Either way, you need to know which one you are relying on and be able to say so.
Many practices have "we ask clients to sign a form" as their entire data governance position. The form may be fine. The missing piece is the documented decision about which lawful basis applies, and why. That documentation is what the ICO looks for when something goes wrong - the reasoning behind the form, not the form itself.
Getting this right is less arduous than it sounds. A one-page processing record, kept with your practice documents, is enough. Completing it feels like finding a ten-pound note in a coat you haven't worn since February.
Your privacy notice states you hold client records for seven years. A former client's file is nine years old and sitting in a folder you haven't opened since the coalition government. The gap between your stated policy and your actual data is an auditable discrepancy.
Retention periods are one of the few areas of GDPR compliance where the fix is almost entirely mechanical. You decide how long to keep records - informed by your professional body's guidance, your insurer's requirements, and the nature of the work - you write it down, and then you delete records when the period expires.
The ICO's concern isn't primarily with how long you've chosen to keep data. It's with whether you keep it for the time you said you would and delete it when that time is up. A practice retaining data indefinitely, despite a privacy notice promising otherwise, has created a documentable inconsistency.
Naming a retention period in your privacy notice and adhering to it removes an entire category of enforcement risk. It also forces a useful discipline: periodic review of what you actually hold, for whom, and why.
Recommended starting points for most wellness practices:
A calendar reminder and a well-labelled archive folder will handle most of this. Set the review date. Keep the appointment with yourself. A practice that deletes records on schedule is a bookshelf where everything on it belongs there.
You wrote your privacy notice in 2021. It mentions your old booking system, references an email address you no longer use, and describes a data retention policy changed when your professional body updated its guidance last spring. Your privacy notice currently describes a different practice.
The ICO treats your privacy notice as a legal commitment. When an investigation or complaint arises, one of the first things examined is whether your stated practices match your actual ones. A notice drafted at launch and never revisited will drift from operational reality within a year. That drift is auditable.
Practices evolve. You add a scheduling tool. You switch payment processors. You begin offering a group programme and collect data from participants in a new way. Each of these changes potentially requires an update to your privacy notice.
Treating your privacy notice as a document with a maintenance schedule, not a publication date, keeps your compliance posture accurate. In practical terms, this means:
The annual review need not take long. An hour with the document and a list of the tools you currently use will surface most of the gaps. A notice that's accurate today and inaccurate next March is a problem on a timer.
Checking your smoke alarm batteries takes four minutes and you remember it for months afterwards.
Your intake form asks for health history, medication, GP details, and a presenting concern. Your privacy notice says you collect contact information for the purposes of scheduling. These two documents are currently contradicting each other - and that contradiction is the most commonly overlooked compliance gap in small wellness practices.
The intake form is where the data arrives. The privacy notice is where you've told the client - and the ICO - what data you collect and what you do with it. When one outpaces the other, the gap is a legal inconsistency.
Clients presenting sensitive health information deserve to know, before they hand it over, exactly how you'll use it, who might see it, how long you'll keep it, and what their rights are. Your privacy notice delivers that information. Your intake form is the moment it matters most.
The fixes are straightforward:
A well-matched intake form and privacy notice create a coherent, defensible paper trail from first contact to last session. They also tell the client something important: the practice they've chosen handles their information with care and clarity.
Practices often drafted one document and then built the other separately, months apart, with different priorities in mind. Bringing them into alignment is a careful cross-referencing exercise. The map and the territory end up describing the same place.
Your client books through an online scheduling platform. Their name, email address, and appointment type - possibly their presenting concern, if you've customised the booking form - are now held by a third-party processor. Your client hasn't been told this, and that omission is a compliance liability.
UK GDPR requires you to inform clients when their data is shared with third parties, and to identify who those parties are. A client who later discovers their health-adjacent booking data was processed by a platform they'd never heard of can file an ICO complaint. The ICO will then ask you to demonstrate adequate notice was given. "It was in the terms and conditions" is rarely a sufficient answer.
The complaint process alone costs the practice time - days, in many cases. An ICO investigation requires written responses, document retrieval, and demonstrated compliance. A practice with no paper trail spends that time reconstructing one under pressure, which is precisely as enjoyable as it sounds.
Full, named disclosure about third-party processors in your privacy notice is the direct answer to this risk. Clients are, in most cases, entirely comfortable with their booking data going to a scheduling platform. What matters is they were told.
Your privacy notice should name the third-party processors you use - booking systems, payment processors, cloud storage providers, email platforms - or, at the very least, the categories they fall into, and state the purpose for which client data is shared with each. If a processor is based outside the UK, you'll need to address international transfer safeguards as well, such as UK adequacy regulations for that country or an approved transfer agreement.
This is the section of GDPR compliance surprising practitioners most, because the platforms themselves often feel invisible. A booking widget is a door and the data walks through it - your clients are owed a map of where it goes.
A former client emails you. They want a copy of everything you hold about them. You have one calendar month to respond - extendable by up to two further months only for genuinely complex requests, and only if you tell the client so within the first month - and that clock started the day the email arrived.
A Subject Access Request, or SAR, is a legal right. Any individual whose data you hold can exercise it. The request doesn't have to use the words "Subject Access Request." It doesn't have to arrive in any format. You'll recognise it when you see it, and the moment you do, you are on the clock.
For practices with well-organised records, this is manageable. For practices whose client data lives across a Gmail inbox, a notes app, a Google Drive folder, a paper file, and a booking system they're not entirely sure how to export, it becomes a frantic month of archaeology. (One client, apparently, enquired twice and their records are in two different places. This is very normal and very unhelpful.)
A workable SAR process looks like this:
Practices knowing where their data lives can respond to a SAR in hours. This compliance requirement doubles as operational hygiene: the same organisational clarity letting you respond to a SAR also lets you find last month's session notes when you need them.
A retrieval map - a single document listing every location where client data exists - turns the one-month deadline from a sprint into a stroll.
Practices often discover their compliance gaps in the worst possible order: during a complaint, an investigation, or the anxious hours after a suspected breach. A simple annual data audit reverses that sequence entirely.
The audit doesn't need to be elaborate. A structured review, conducted once a year, covers the ground mattering most for a small practice:
Each of these checks takes minutes when conducted as a planned exercise - and a day and a half when conducted in response to an event. The audit is the practice equivalent of servicing your boiler before winter: the work is the same, the timing makes everything different.
Practices building the data audit into their annual admin calendar treat compliance as a running condition. They find the expired consent form before the client asks about it. They spot the processor they have no written contract with before it appears in a complaint. They delete the records two years overdue before anyone notices.
A single morning a year, properly structured, keeps the house in order.
Your session notes, health intake forms, and payment records are in the same folder on your desktop. The folder is called "Clients." It has no password. A breach of that folder triggers a mandatory ICO notification within 72 hours of you becoming aware of it.
UK GDPR classifies health data as special category data - the highest tier of protection. Payment records carry their own regulatory weight. Storing them together in an unsecured location creates a single point of failure: one compromised laptop, one phishing email, one misdirected cloud sync, and every category of your most sensitive data is exposed simultaneously.
The 72-hour notification window is the detail focusing the mind. Every breach must be recorded internally, whether or not it is reported. If a breach is likely to result in a risk to the people affected - and a folder of health and payment data almost certainly is - you have 72 hours from becoming aware of it to notify the ICO, assess the risk to affected individuals, and decide whether the risk is high enough that those individuals must be told directly, without undue delay. Three days is a very short time to do all of that.
Practical steps materially reducing this risk:
Separating data categories and securing storage removes the single-point-of-failure risk making a breach both more likely and more consequential. The steps are achievable in an afternoon and do not require a data protection officer, a large budget, or any advanced technical confidence.
A well-organised, secure data setup is a locked front door: unremarkable until the moment it matters enormously.
A generic GDPR template downloaded from a legal website describes a practice processing data in one way, holding one range of records, and using one set of tools. That practice is almost certainly not yours.
The obligations applying to a somatic therapist working one-to-one with adults differ from those facing a group programme facilitator who also sells digital products to an email list of two thousand people. The data flows are different, the lawful bases may differ, and the third-party processors involved are likely entirely different. A single template cannot serve both without significant customisation - and uncustomised templates get spotted.
A practice-focused compliance map covers:
We map the GDPR obligations applying to your practice's size, service model, and data tools - so the output is a compliance framework built around what you do, not what a template assumed you might do.
The result is a set of documents and processes you can stand behind - because they describe you with precision, reflect your real data flows, and meet the legal standard applying to practices of your type and scale.
A compliance framework built for your practice is a key cut for your lock: it works every time.
Clients hand over their most sensitive information and deserve to feel settled about having done so. Book a discovery call and we'll map the compliance requirements applying to your practice, so you finish with a framework that's accurate, defensible, and yours.
The best practitioners always find their way here. We have a story garden, a listening wind and a visual river waiting to make sense of themselves - they do, beautifully, in a twenty-five-minute conversation over a good coffee. How do you take it?