GDPR in plain English: What UK practitioners actually need to do

rory@secure.clinic (Rory) — Thu, 14 May 2026 10:10:34 GMT

If you trained as a physio, a counsellor, a doctor or any other independent health professional, you did not sign up for a career in data law. Yet here we are — GDPR has been part of UK life since 2018, and the Information Commissioner's Office (ICO) expects every sole trader and small clinic to comply with it, just as much as a large hospital trust.

The good news is that for most independent practitioners, compliance is genuinely achievable. It does not require a lawyer or an IT department. What it requires is understanding what the law actually asks of you — and then putting a few practical things in place.

This guide cuts through the jargon and tells you exactly what you need to do.

First: Why GDPR matters specifically for health practitioners

Health data is not ordinary personal data. Under UK GDPR, it is classified as special category data — meaning it carries a higher level of risk and attracts stricter rules. The health records you hold on your clients (diagnoses, treatment notes, appointment history, even the fact that someone is a client at all) fall into this category.

That means the stakes of getting it wrong are higher than for, say, a marketing agency holding a list of email addresses. ICO fines for serious breaches can reach £17.5 million or 4% of global annual turnover — though for a small independent practice, enforcement in practice tends to focus on enforcement notices and reputational damage rather than headline fines.

More importantly: your clients trust you with information they would not share with most people in their lives. Demonstrating that you take that trust seriously is not just a legal obligation — it is good practice expected by your regulators.

The seven things you actually need to do

1. Have a lawful basis for processing data

Every time you collect and use personal data, you need a legal reason to do so. For health practitioners, the most relevant bases are:

Legitimate interests — for general business admin and communications
Contractual necessity — you need the data to deliver the service the client has engaged you for
Vital interests — in genuine emergencies
Explicit consent — where neither of the above applies

For clinical records specifically, you will also need to rely on one of the special category conditions, the most practical being "provision of health or social care" under Article 9(2)(h).

In practice: you do not need a separate consent form for every piece of clinical information you record. The treatment relationship itself provides the lawful basis. What you do need is to be clear and transparent with clients about what you collect and why — which brings us to point two.

2. Give clients a privacy notice

You are legally required to tell clients, at the point you collect their data, what you do with it. This is your privacy notice (sometimes called a privacy policy).

It does not need to be long or complicated, but it must cover:

Who you are and how to contact you
What data you collect
Why you collect it and the lawful basis
How long you keep it
Whether you share it with anyone (referrers, supervisors, third-party software providers, etc.)
Clients' rights (to access their data, request deletion, complain to the ICO)

You can provide this as a document clients sign at intake, as a page on your website, or both. The key is that it exists and that clients can actually find it.

3. Keep data secure

This is where many independent practitioners have a significant gap — and it is arguably the most important obligation.

UK GDPR requires you to implement "appropriate technical and organisational measures" to protect personal data. For health data, the bar is very high. Implementing this means:

Storing clinical records in a system with proper access controls and encryption — not in a shared Google Drive folder, not in unencrypted spreadsheets, not in a generic notes app
Using strong, unique passwords and enabling two-factor authentication on any system holding client data
Ensuring your devices are protected — password-locked, with up-to-date software
Having a process if something goes wrong — a data breach that risks harm to clients must be reported to the ICO within 72 hours

The simplest way to meet the technical security requirement is to use a clinical records system that has been built with these protections in place from the ground up. A purpose-built UK EHR handles encryption, access controls, automated backups, and firewall protection on your behalf — so you do not have to become a security expert to stay compliant.

Learn how Secure Clinic handles data security for independent practitioners →

4. Keep data only as long as you need it

You cannot hold onto client records indefinitely just because it feels safer. UK GDPR requires you to have a retention policy — a clear rule for how long you keep different types of data and what happens to it after that.

For health records, UK guidance (from professional bodies including the NHS, which many independent practitioners use as a reference point) generally recommends retaining adult records for a minimum of eight years after the last treatment. For children, keep records until the patient is 25 (or eight years after the last treatment if that is later).

After the retention period, records should be securely deleted or destroyed — not simply moved to an archive folder you never look at.

Document your retention policy, even if it is just a one-page internal note. If you were ever audited, being able to show that you have thought about this matters.

5. Know what to do if data is breached

A data breach is not just a hack. It includes:

Sending a client's notes to the wrong person
Losing a laptop or phone containing client information
Accidentally leaving records visible on screen in a shared space
A third-party system you use being compromised

Not every breach needs to be reported to the ICO — only those that are likely to result in a risk to individuals' rights and freedoms. But you need to be able to make that judgment, which means you need to know a breach has occurred in the first place.

Put a simple process in place: if anyone in your practice (including you) becomes aware of a potential breach, it gets written down, assessed, and — if required — reported to the ICO within 72 hours.

6. Manage your third-party suppliers carefully

Every third-party system or service that handles your client data on your behalf is a data processor — and UK GDPR requires you to have a written agreement with them (a Data Processing Agreement, or DPA) that sets out their obligations.

This applies to your clinical records software, your appointment booking system, your email provider if you send clinical correspondence through it, and any other tools in your workflow.

Reputable UK-based providers will have a DPA ready for you. Be cautious about tools — particularly free apps — that do not have this documentation available, or whose data may be processed or stored outside the UK without appropriate safeguards.

7. Register with the ICO (if you need to)

Most organisations that process personal data need to pay an annual data protection fee to the ICO — currently £40 per year for most small businesses and sole traders.

There are some exemptions (for example, if you process data solely for your own personal use, or for certain not-for-profit purposes), but the vast majority of independent health practitioners will need to register.

You can check and register at ico.org.uk. It takes about ten minutes and is one of the simplest compliance steps you can take.

The most common mistakes independent practitioners make

Using generic cloud storage for clinical records. Google Drive, Dropbox, and similar services are not designed for clinical data. They lack the audit trails, access controls, and UK-specific data residency guarantees that GDPR requires for special category health data.

Not having a privacy notice at all. If you do not have one, write one this week — there are ICO templates to help you.

Assuming consent covers everything. Consent is just one lawful basis, and for clinical records it is often not the most appropriate one. You also do not need to re-obtain consent every time you update notes from a session — the existing treatment relationship covers this.

Forgetting that supervision is a disclosure. If you discuss client cases in supervision (which you should), you are technically disclosing personal data. Your privacy notice should mention that you use supervision, even if you discuss cases anonymously.

Storing data with providers based outside the UK without checking the transfer rules. Post-Brexit, UK GDPR has its own rules around international data transfers. Using a provider that stores data in the US or EU without appropriate safeguards can put you in breach.

A note on being UK-based

One of the practical advantages of using a UK-based clinical records system is that it sidesteps many of the international transfer complications entirely. Your data stays in the UK, processed under UK law, with no need to navigate adequacy decisions or standard contractual clauses.

For independent practitioners who want to demonstrate compliance without becoming data law experts, keeping your entire records infrastructure within the UK is the cleanest possible approach.

Where to start if you're not sure where you stand

If GDPR compliance feels overwhelming, start here:

Register with the ICO if you have not already — ico.org.uk/registration
Write or update your privacy notice — the ICO has a free template tool
Audit where your client data actually lives — every system, every app, every spreadsheet
Replace any insecure storage with a purpose-built clinical records system that handles security on your behalf
Document your retention policy — a single internal document is sufficient
Tell your team (even if it is just you) what to do if a breach occurs

GDPR is not a one-time project. It is an ongoing part of running a responsible practice. But once the foundations are in place, maintaining compliance is much less burdensome than getting there in the first place.

Secure Clinic is a UK-based electronic health records system built specifically for independent health practitioners and small clinics. Your data is stored in the UK, never used for marketing or research, and the system is designed to make GDPR and CQC compliance straightforward — with no technical expertise required. Find out how we handle your security →

Secure Clinic Blog