GDPR in Private Practice

Even two years on, GDPR is still a minefield. What is the role of GDPR in private practice? I see lots of questions still being asked in Facebook groups and forums. I am certainly not claiming to be an expert in GDPR; however, I have worked with lots of therapists and have seen how they navigate this area within their practice.

I’d like to talk you through the role of GDPR in private practice. In addition, I want to inform you of best practice when working with a VA in relation to GDPR. That way you will feel confident in outsourcing while sticking to GDPR guidelines.

So what is GDPR?

The GDPR’s primary aim is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The GDPR was adopted on 14 April 2016 and became enforceable beginning 25 May 2018.

According to the European Commission, “Personal data is information that relates to an identified or identifiable individual. If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual.”*

* Sourced from Wikipedia

What does this mean for you?

As a therapist you will be collecting a lot of personal data on your clients: their full name, email address, home address, telephone number, next-of-kin (NOK) details and GP details. Having their name along with any other piece of the above information can make a person identifiable. It will therefore need to be stored and handled under GDPR regulations.

If you are in the UK you need to be a member of the ICO. You can take a self-assessment, and the standard fee is £40.00 per year.

You should have a GDPR privacy statement which is available to your clients as part of your onboarding process so that you can obtain their consent. It should also be available on your website, or be something they can request to see. Within that statement you should set out what personal data you will collect, why you collect it, and how you store and process it as a data controller.

You should list out the client’s rights in regard to their data, who will have access to their data, what will happen if there is a data breach, and the security measures you will take to safeguard the information you collect.

There is a lot of information on the ICO website, but this can be very overwhelming. If you want a framework to work to, you can purchase GDPR paperwork written specifically for private practice from Tamara Howell, Private Practice Paperwork.

Ways to assist with GDPR when working with a VA

If you choose to work with a VA, they will most likely have access to your clients’ personal data. There are ways of safeguarding your clients’ personal information and also mitigating data breaches.

Advise Clients Upfront

It is important to advise clients up front who will have access to their personal data, even if you do not have a VA at the time of writing your GDPR statement. Using ‘we’ instead of ‘I’ and ‘us’ instead of ‘me’ on your paperwork will cover you if you do take somebody on later down the line.

Have Standard Operating Procedures

Having Standard Operating Procedures is very important when working with a VA. Outlining exactly how to complete tasks where personal data is involved, such as client updates or invoicing, will reduce mistakes and instil confidence. It will also reduce the number of questions and the training time, but that’s just an added bonus!

Use Templates

Create Gmail templates for your VA to use when they first start out, so that emails sound how you want them to sound and the VA can simply insert the appropriate names or details. Having these templates means the VA doesn’t need to think about what to say in each email and can concentrate on getting the personal information right.

You can check out my blog on Google Workspace for Private Practice, which will give you some more great tips and tricks on using this system.

Use a Shared Drive

Whether that’s Google Drive or another drive that can be shared, this is best practice when working with a VA. If you update data, they will have access to the most up-to-date version at all times. You can also limit the access they have based on what they need, and you can remove access at any time.

Share Passwords Safely

Only share passwords using a safe method like LastPass. I recommend this as it’s free to use and share passwords. With this tool you can easily and safely share the password you want with the VA. If needed, you can remove access and stop sharing, or change the password and not update the share.

Use an EHR System

Using an Electronic Health Record (EHR) or online booking system will reduce the amount of manual emails being sent to clients. When manually creating Zoom meetings and sending them to clients, you can easily type in the wrong email address and send the details to the wrong client. The same applies to manual invoices. In addition, if someone else is paying for the client’s treatment you may have to remember who to send the invoice to, or keep spreadsheets with that information.

By using an online system everything is set up and automated. The system I always recommend is Power Diary. You can automate the booking confirmation and reminder emails so they will NEVER be sent to the wrong person. They have their own telehealth system which has individual keys for each client, so there’s no manual set-up of online appointments. The invoicing is also automated, so you can select up front who the invoice will be sent to, even if it’s not the client. Finally, you can set the security level for each “user” you have so they will only see what you want them to see. If you would like help getting set up on Power Diary, please get in contact with me and we can arrange a discovery call to discuss.

What to do if there’s a breach

If you do have a breach, visit the ICO website right away. There is a 72-hour rule: you will need to report the breach within 72 hours. You can take a self-assessment, and that will determine whether you need to report it to them or not. If you need to report it or want more advice, call them on 0303 123 1113. They will ask you the following questions:

  • what has happened
  • when and how you found out about the breach
  • the people that have been or may be affected by the breach
  • what you are doing as a result of the breach
  • who we should contact if we need more information
  • who else you have told

They will be able to give you plenty of advice on the next steps.

Don’t rush to tell clients until you know the full details and have spoken to the ICO.

Final Thoughts

We covered quite a lot in this blog: what GDPR is, how it affects you in private practice, best practices for working with a VA, and what to do if there is a breach. The ICO will always be the best place to go for any questions you may have with regard to GDPR. There is lots of information on their website, but you can also call them with any questions.

There are lots of ways you can safeguard yourself and your clients, which I have outlined above. If you would like to get your practice online and on an online booking system, you can contact me for assistance with this. Thinking about working with a VA? Please also get in touch. If you’re not following the Virtually Irreplaceable Facebook Page, please take a look and give us a like, as there is lots of valuable information and admin tips and tricks.