GDPR: Thoughts on Implications for Practice

By  Peter Jenkins

Therapist and client having a discussion

Record keeping on therapeutic work by counsellors, psychotherapists and counselling psychologists (herein referred to as therapists) is undergoing change with effect from 25th May 2018, under the terms of the General Data Protection Regulation (GDPR).

While this standardising of data protection law originates from the European Community, it will, unusually in present circumstances, remain Brexit-proof. It represents an updating, or ‘housekeeping’ approach, rather than root-and-branch wholesale reform of data protection. However, there are some significant tweaks, which will need to be borne in mind by practitioners and agencies (Jenkins, 2018).

Data protection has been governed in the United Kingdom by the Data Protection Act (DPA) 1998, and in Ireland by the similar 2003 Act. While the GDPR sets out the broad guidelines and requirements to be followed, the current UK Data Protection Bill will make further changes. These will largely apply to specialist fields, such as law enforcement and national security, although the final format of the Bill, as the Data Protection Act 2018, cannot be known precisely at this stage.


Changes from DPA 1998: 

Key definitions remain largely unaltered under the GDPR. Hence, a ‘data controller’ “says how and why personal data and the [data: PJ] processor acts on the controller’s behalf” (ICO, 2017: 3).  Personal data includes all information about an identifiable living individual, with the definition now slightly expanded to include more recent potential identifiers, such as a PC or laptop IP address, or biometric data, such as eye or face recognition data. The formal legal basis for processing personal data remain largely unchanged, but the key change does relate to the legal basis likely to be used by most therapists and agencies for such processing and recording, namely that of consent. The major change here from the DPA 1998 is to raise the threshold for processing clients’ personal data from that of ‘consent’, to the higher standard of ‘explicit consent’, namely “a freely given, specific, informed and unambiguous indication of the person’s wishes” (ICO, 2017: 10). Explicit consent was previously only required for processing client personal data in specific sensitive areas, such as their mental, physical or sexual health, but is now generalised to become to the new standard applicable to any such processing. What was previously termed ‘sensitive personal data’, such as ethnicity, mental, physical or sexual health, is now categorised in terms of ‘special categories of personal data’. The Information Commissioner’s Office (ICO) does caution about automatically assuming the need to ‘repaper’ or refresh all existing DPA client consent forms, in order to comply with this higher standard of explicit consent. However, it does require evidence that the higher standard is in operation from May 2018, so one option would clearly be to update existing client consent forms, in order to ensure compliance with best practice regarding the GDPR.

One of the major changes introduced by the previous DPA 1998 was to extend data governance from computer files to manual, or handwritten, files. This became an increasingly complex field in terms of data protection law, dependent upon the status of records as health, education or social work files, or their compliance with ‘relevant filing systems’, following the court judgment in the Durant case of 2003. While the exact implications for data governance of manual records are unclear, it seems likely that the GDPR will embrace wider sets of manual records then before. This could include manual records held in filing systems, which are organized simply in chronological order, rather than meeting the higher threshold of constituting part of a more sophisticated ‘relevant filing system’.  Chronologically ordered manual records would therefore be likely to include a basic client record system of handwritten notes kept by a therapist for client work, on a sequentially dated weekly or monthly basis.

Changes regarding client access:

Other major changes signaled by the GDPR include the easing of client (‘data subject’) access to electronic and manual files, normally within one month of making the request, with the removal of the standard £10 charge to the client for accessing their personal data. Clients will enjoy greater rights for compensation for damage or distress caused by inaccurate recording – the courts have been moving independently in this direction in any case, since a recent Appeal Court judgment against Google in 2015. Issues of client access to records and resulting potential damage or distress call into question the format and content of therapeutic recording. This is often learned on training placement and then adapted to personal or agency preference, rather than being based on more of a standardised model, as is common in other professions, such as medicine, nursing and social work. Research suggests that the DPA 1998 brought about a significant shift in therapeutic recording, towards briefer, more factual recording, with much less reliance on subjective process recording by the therapist (Jenkins and Potter, 2007). Jenkins suggests a flexible template for therapy recording, which could be adapted to suit a range of needs and contexts (Jenkins, 2017).

Much of the recent GDPR publicity has tended to highlight provision for a higher level of fines and penalties for non-compliance or breach of data protection law, which can rise to 4% of global turnover in the case of larger companies. However, in practice, the ICO tends to take much more of an educative, rather than a punitive, role in encouraging data protection compliance, making it clear that it does not benefit financially from fines levied as a source of income.

Implications for practice: Fees:

Somewhat curiously, individuals and agencies are no longer required to register with, or ‘notify’ the ICO regarding their data processing activities. However, they are still required to pay a fee for data processing, under s.108, of the Digital Economy Act 2017. There will be a simple self-assessment guide to whether or not a fee is required via the ICO website, broadly similar to the previous one for eligibility for registering with the ICO ( Existing ICO fees will carry over until the new fee system becomes operational. As opposed to the existing dual flat rate for notification under the DPA 1998 of £35 for individuals or small employers, and £500 for agencies with 250 or more staff, there will be a new, tiered system of fees. With effect from 2018, Tier 1 fees will increase to £40, Tier 2 to £60 and Tier 3 to £2,900

Fee Structure under GDPR from May 2018



Fee payable**

Tier 1: Micro 


(includes charities)

Maximum annual turnover £632K, or maximum of 10 staff.


Tier 2: 



Maximum annual turnover £36 million, or maximum of  250 staff.


Tier 3: 



Criteria for Tier 1 and 2 not met


* * Public authorities assessed on staff numbers only, not turnover.

* £5 reduction for Direct Debit

Fee Structure for Data Processing under GDPR (Adapted from: ICO, 2018).


Clarifying data processing roles and responsibilities:

Therapists and therapeutic agencies need to be clear about their roles and responsibilities in relation to data protection. Singleton practitioners, in the main, will be data controllers, i.e. in deciding on the format and content of their own record-keeping activities. Therapists who are employed by therapeutic agencies, or working under contract, will largely be data processors, following set procedures for their electronic or manual recording activities. At a third level of activity, public authorities, such as NHS Trusts and universities, for example, may be required to appoint a Data Protection Officer, if one is not already in position, responsible for monitoring overall compliance with data protection

The GDPR also widens the net for accountability and legal liability. There is a new ‘accountability principle’ to add to the slightly revised data protection principles (see Box: General Data Protection Regulation: Revised data processing principles). This requires data controllers to show how they comply with these principles, e.g. via the use of privacy impact statements, by detailing what data is kept in clients, how it is processed, and by clarifying limits to confidentiality, time limits for destruction, and provision for complaint, redress and compensation.  As mentioned, public authorities will be required to appoint data protection officers, if not already in post. Organisations will be required to inform the relevant supervisory authority of data breaches within 72 hours, and in some cases, to inform those subjects affected by the data breach, e.g. in the case of a loss of client confidentiality via electronic hacking, or loss of client records. Data controllers and processors are required to maintain records of their data processing activities, and, in a significant new development, data processors now carry potential legal liability for any data processing breach.

Box: General Data Protection Regulation: Revised data processing principles:

Personal data is to be:

1. processed lawfully, fairly and in a transparent manner;

2. collected for specified, explicit and legitimate purposes;

3. accurate and, where necessary, kept up to date;

4. kept in identifiable form no longer than is necessary for data processing purposes;

5. processed with appropriate security of the personal data;

● with the data controller holding responsibility for compliance with these principles.

(Adapted from ICO, 2017: 7).


The GDPR largely represents a tweaking of existing data protection law, but with some significant new changes regarding accountability and liability, and with a potential widening of grounds for clients to claim compensation. There is an emphasis on demonstrating compliance with data protection requirements, as in documenting explicit client consent for data processing, and in producing privacy impact statements. An outline checklist for key tasks and activities is provided below:


Checklist re implications for practice:

● Use online ICO self-assessment to check if required to pay a fee for data processing;

● Pay appropriate ICO fee, as and when required;

● Identify applicable roles as data controller /data processor;

– Develop standard privacy impact notices for use with clients;

– Ensure recording of explicit client consent for data processing activities;

– Develop clear and transparent policies and procedures re data protection;

– Clarify time limits for record keeping, and for secure destruction of records;

– Update digital security via encryption and avoiding use of personal laptops, or mobile phones for data processing;

– Maintain own and agency CPD, training and updating re data protection.


● Information Commissioner’s Office (ICO) (2017) Overview of the General Data Protection Regulation (GDPR). Wilmslow:  ICO.

● Information Commissioner’s Office (ICO) (2018) The Data Protection Fee: A Guide for Controllers. Wilmslow: ICO.

● Jenkins, P. and Potter, S. (2007) “No more ‘personal notes?’ Data protection policy and guidance in Higher Education counselling services in the UK”, British Journal of Guidance and Counselling, 35(1), pp. 131-146.

● Jenkins, P. (2017) Professional Practice in Counselling and Psychotherapy: Ethics and the Law. London: Sage.

● Jenkins, P. (2018) “An upgrade for data privacy?” Counselling at Work, 95, pp. 22-27.

Peter Jenkins

About the Author

Peter Jenkins

Peter Jenkins is a counsellor, supervisor, trainer and researcher. He has published a number of books on legal aspects of therapy, including Professional Practice in Counselling and Psychotherapy: Ethics and the Law (Sage, 2017). He can be contacted at