How UK therapists really handle GDPR compliance
There are roughly five ways therapists in private practice deal with data protection. Some work. Some don't. Here is an honest look at each.
If you asked a roomful of UK therapists in private practice how they handle GDPR, you would get roughly five different answers. Here they are — honestly assessed.
1. Ignore it
A significant number of therapists in private practice simply do not have a privacy policy. Some are aware of this and feel vaguely guilty about it. Others genuinely do not realise it is required.
The reasoning, when articulated, usually runs something like: I am a sole practitioner, I see a small number of clients, I am not a big company. The ICO goes after big organisations.
This is partly true. The ICO does prioritise larger data breaches and systematic failures. But the obligation exists regardless of the size of your practice, and a single client complaint can trigger scrutiny. More practically, an increasing number of clients — particularly those who have done their own research — will ask to see your privacy policy before booking. If you do not have one, some will go elsewhere.
2. DIY it
Many therapists write their own privacy policy by adapting a template they found online. This is genuinely better than nothing, and some DIY policies are quite good. The problems tend to be:
Generic language. A template policy talks about "the data we collect" in vague terms. A good policy names your specific tools — Calendly, Zoom, Google Analytics — and explains exactly what data each one processes.
Wrong professional body. Retention periods differ between bodies. BACP and NCPS members should retain adult records for six years. UKCP and BABCP members for seven. AoR members for seven, under a different lawful basis. A generic template will not reflect this.
Missing documents. Most DIY efforts produce a privacy policy. Few produce a cookie policy, data retention policy, GDPR statement, and Appropriate Policy Document as well.
Goes stale. The DUAA 2025 changed the rules on cookies and introduced a mandatory complaints procedure from June 2026. Most DIY policies have not been updated.
3. Wing it
A variant of ignoring it — the therapist has a privacy policy, probably a generic one, possibly downloaded from their professional body's website, and has not thought about it since. They would struggle to explain what lawful basis they rely on, what their retention periods are, or what they would do if a client submitted a subject access request.
This is probably the most common position. There is a policy. It is not accurate. Nobody has noticed yet.
4. Pay a solicitor
Some therapists pay a solicitor or specialist consultant to produce their compliance documents. This is the most thorough option and, for complex practices or those working with particularly sensitive populations, the right one.
The downsides are cost (typically £300-600 for a set of documents) and the fact that the documents need updating when your practice changes or when the law changes. Many therapists who have paid for solicitor-drafted documents have not had them updated since the DUAA 2025.
5. Use a specialist tool
A relatively new category. Tools designed specifically for the therapy sector can scan your website, ask about your practice, and generate compliant documents tailored to your professional body. The best of them keep documents updated when the law changes and include all five required documents rather than just a privacy policy.
The obvious risk is quality — a tool is only as good as the compliance knowledge built into it. It is worth checking whether the tool covers your specific professional body, understands the difference between BACP and AoR obligations, and generates the Appropriate Policy Document that the DPA 2018 requires.
Which approach is right for you?
For most therapists in private practice seeing individual clients, a specialist tool is the most practical option. It is significantly cheaper than a solicitor, significantly more accurate than a template, and significantly more complete than a DIY effort.
Where a solicitor is worth the cost: if you work with particularly vulnerable populations, have complex employment relationships, run a group practice, or have had a previous data complaint.
Where ignoring or winging it is not worth the risk: a data complaint, a subject access request you cannot respond to, or a prospective client who asks for your privacy policy and finds nothing.
Get your compliance documents sorted in 10 minutes.
PolicyDiary generates all 5 compliance documents tailored to your practice and professional body. £24/year.