GDPR Checklist for Holistic Therapists.
The GDPR (General Data Protection Regulations) comes into law on 25th May 2018.
A lot of holistic therapists are very stressed and anxious about it, but probably don't need to be. The GDPR is about being open and clear about why you are requesting your clients' information, what you will use it for and the steps you will take to make sure the information is secure.
1. Showing consent
You need to be able to show that the clients gave you permission to keep information about them and that they were fully aware what you would use the information for.
You should get explicit consent both to keep consultation forms and to contact your
clients regarding promotions and offers.
2. Adapting the Consultation Form
My advice is to have an extra page on the consultation form with the following sections:-
"I consent to details of my medical and treatment records being kept safely and securely to meet current GDPR rules."
(Please note I am unable to treat you without your consent.)
"I am happy to receive occasional emails and texts about special offers, new treatments
and appointment availability. I understand that I can easily unsubscribe at any time."
(Cross off either email or text if they prefer to be contacted in just one way)
At each section include a Yes and a No checkbox. At the end of the page have a space for the clients' and your own signature.
3. Secure Storage
You must show that you have taken all reasonable steps to protect your clients'
information, whether it is the consultation forms or contact details.
Consultation forms can be physically stored in a locked press where no one but you has
If you have clients' information or contact data on a phone, computer or other device,
the device must be password protected. You must also take reasonable care that the
device is not lost or stolen.
4. Getting Consent in Other Ways
If you send newsletters and use a newsletter provider like Mailchimp, your dashboard
will include information about whether the client signed up themselves or if you added
Your clients might agree to be included in your mailing list in a text, email etc. In these cases, it is a good idea to keep a log of how you got consent. This could be a simple table with the clients' names, how consent was obtained and the date. I suggest keeping emails in a folder marked GDPR, and screenshotting texts and putting them in a Drive folder or in Dropbox.
5. Breaches in Security
If you think, or know, that someone has gained access to your clients' information, for instance if your phone with contact details is lost or stolen, this must be reported to the Data Commissioner.
Once the information has been stored securely, this should not be a serious issue.
6. Clients' right to unsubscribe from a mailing list
You must always give your clients an easy way to unsubscribe from your mailing list.
So when you send texts to groups of clients always include "Text STOP to opt out".
If you send newsletters to clients always use a newsletter software such as Mailchimp.
This software will give clients an option to unsubscribe with a click.
7. Don't Keep Information Longer Than Necessary
Once a client unsubscribes from a mailing list, delete their contact information from
wherever you have it stored.
Consultation forms, however, do need to be kept for up to 6 years, even if the client is no longer receiving marketing information from you.
8. Don't Ask For Information You Don't Need
Only request information that you need for the purpose for which you requested consent. For instance, asking for someone's postal address when they sign up for a newsletter is
9. Clients' right to access information you hold about them
Under GDPR clients have a right to see any information you have about them and to
have any relevant information updated or deleted. Information on consultation forms will not need to be updated as the information was correct at the time of the consultation.
If you are collecting clients' contact details on your website, you will need a link to
If you send promotional text or emails to clients do you need to ask them to confirm their subscription?
The simple answer is that if you are already GDPR compliant you do not need to ask
for consent again. You are GDPR compliant if:-
If you are unsure about some of your subscribers, you could send off a newsletter or a
text (whatever way you normally contact them), and ask if they would still like to hear
from you. Give the advantages of being on your mailing list e.g. special offers, health tips etc.
I am a holistic therapist and I have some extra training and research into GDPR.
The information here, as far as I am aware, is accurate. I don't have legal training and you need to be aware that, as the regulations are new, there are areas which are unconfirmed as yet. I hope you find the guide useful and easy to follow,