Compliance, 8 April 2026

The £2-a-month question: what does GDPR compliance actually cost a therapist?

There are several ways to get compliant. They vary enormously in cost, time, and how long the compliance lasts. Here is an honest breakdown.

Therapists in private practice are, by and large, not running large organisations. Most see somewhere between ten and thirty clients per week. Many work from a home office or a rented room. The idea of spending significant time or money on data protection compliance sits uneasily with the economics of a small private practice.

So what does compliance actually cost? The answer varies considerably depending on which route you take.

Option 1: Do nothing — £0, ongoing risk

The cheapest option in the short term is to do nothing. No privacy policy, no data protection documentation, no ICO registration.

The costs here are non-financial but real. A prospective client who cannot find your privacy policy may go elsewhere. A client who makes a data complaint and finds you have no procedure in place is more likely to escalate to the ICO. And from 19 June 2026, not having a complaints procedure is a breach of the Data (Use and Access) Act 2025.

The ICO is unlikely to fine an individual therapist for not having a privacy policy unless there has been a serious breach or a sustained failure. But the reputational and client-relationship costs are harder to quantify.

Option 2: DIY — £0 to £50, several hours, ongoing maintenance

A therapist who is willing to invest time can produce reasonable compliance documents by adapting templates. The ICO's website, BACP's guidance, and various online resources provide a starting point.

The real cost here is time. Writing a compliant privacy policy from scratch — one that accurately reflects your specific tools, your professional body's retention requirements, and the current state of the law — takes several hours of research and writing. Keeping it up to date when the law changes (as it did with the DUAA 2025) takes more.

Most DIY efforts also do not produce all five required documents. A privacy policy alone is not sufficient.

Option 3: Pay a solicitor — £300 to £600, once (plus updates)

A solicitor or specialist compliance consultant can produce a complete, accurate set of documents. For therapists with complex practices — group practices, working with particularly vulnerable populations, multiple income streams — this is often the right choice.

The limitations are cost and currency. Documents produced in 2022 or 2023 do not reflect the DUAA 2025 changes. Updating them requires another engagement, often at similar cost.

Option 4: Use a specialist tool — £24 per year

The newest option is a specialist compliance tool built specifically for therapists. These tools scan your website, ask about your practice and professional body, and generate tailored documents.

The advantages over DIY are accuracy (the tool knows about AoR vs BACP retention periods, understands the DUAA 2025, generates all five required documents) and currency (documents can be regenerated when the law changes). The advantages over a solicitor are cost and accessibility.

The question to ask about any specialist tool is whether it is genuinely tailored to the therapy sector. A generic GDPR tool for small businesses will not understand the difference between BACP and AoR obligations, will not generate an Appropriate Policy Document, and will not reflect the DUAA 2025 complaints requirements.

The maths

A solicitor produces documents once for around £400. They need updating every few years, at a similar price each time. Counting the initial engagement plus two or three updates, that is three or four engagements over a ten-year period, or around £1,200 to £1,600.

A specialist tool costs £24 per year. Over ten years, that is £240, and the documents can be regenerated whenever the law changes.

DIY costs nothing in money and a significant amount of time, and the documents are probably not complete or accurate.

What is your time worth?

There is one more calculation worth doing. If you spend four hours researching and writing a DIY privacy policy, and your client rate is £60 per hour, the opportunity cost is £240 — the same as ten years of a specialist tool.

Compliance does not have to be expensive. But it does need to be done.

PolicyDiary

Get your compliance documents sorted in 10 minutes.

PolicyDiary generates all 5 compliance documents tailored to your practice and professional body. £24/year.
