GDPR Checklist for Holistic Therapists

The GDPR (General Data Protection Regulation) applies from 25th May 2018.

A lot of holistic therapists are very stressed and anxious about it, but probably don't need to be. The GDPR is about being open and clear about why you are requesting your clients' information, what you will use it for, and the steps you will take to make sure the information is secure.



1. Showing consent
You need to be able to show that the client gave you permission to keep information about them and that they were fully aware of what you would use the information for.

You should get explicit consent both to keep consultation forms and to contact your
clients regarding promotions and offers.

2. Adapting the Consultation Form

My advice is to have an extra page on the consultation form with the following sections:-

"I consent to details of my medical and treatment records being kept safely and securely to meet current GDPR rules."
(Please note I am unable to treat you without your consent.)

"I am happy to receive occasional emails and texts about special offers, new treatments
and appointment availability. I understand that I can easily unsubscribe at any time."
(Cross off either email or text if they prefer to be contacted in just one way)

At each section include a Yes and a No checkbox. At the end of the page have a space for the clients' and your own signature.

3. Secure Storage

You must show that you have taken all reasonable steps to protect your clients'
information, whether it is the consultation forms or contact details.

Consultation forms can be physically stored in a locked press where no one but you has

If you have clients' information or contact data on a phone, computer or other device,
the device must be password protected (and, where the device supports it, encrypted, so
that a lost or stolen device does not expose the data). You must also take reasonable
care that the device is not lost or stolen.

4. Getting Consent in Other Ways

If you send newsletters and use a newsletter provider like Mailchimp, your dashboard
will include information about whether the client signed up themselves or if you added
their details.

Your clients might agree to be included in your mailing list in a text, email etc. In these cases, it is a good idea to keep a log of how you got consent. This could be a simple table with the client's name, how consent was obtained and the date. I suggest keeping emails in a folder marked GDPR, and screenshotting texts and putting them in a Drive folder or in Dropbox.

5. Breaches in Security

If you think, or know, that someone has gained access to your clients' information (for instance if your phone with contact details is lost or stolen), this must be reported to the Data Protection Commissioner (your national supervisory authority) within 72 hours of you becoming aware of it, unless the breach is unlikely to put your clients at risk.

Once the information is stored securely (a locked press, and password-protected, encrypted devices), a lost device is far less likely to be a serious issue, because whoever finds it cannot read the data.

6. Clients' right to unsubscribe from a mailing list​

You must always give your clients an easy way to unsubscribe from your mailing list.
So when you send texts to groups of clients, always include "Text STOP to opt out".
If you send newsletters to clients, always use newsletter software such as Mailchimp.
This software gives clients an option to unsubscribe with a click.

7. Don't Keep Information Longer Than Necessary

Once a client unsubscribes from a mailing list, delete their contact information from
wherever you have it stored.

Consultation forms, however, do need to be kept for up to 6 years, even if the client is no longer receiving marketing information from you.

8. Don't Ask For Information You Don't Need

Only request information that you need for the purpose you requested consent for. For instance, asking for someone's postal address when they sign up for a newsletter is
not necessary.

9. Clients' right to access information you hold about them

Under GDPR clients have a right to see any information you have about them and to
have any relevant information updated or deleted. Information on consultation forms will not need to be updated as the information was correct at the time of the consultation.

10. Privacy Policy

If you are collecting clients' contact details on your website, you will need a link to
your Privacy Policy. A good place to have it is in your website footer.

If you send promotional texts or emails to clients, do you need to ask them to confirm their subscription?

The simple answer is that if you are already GDPR compliant you do not need to ask
for consent again. You are GDPR compliant if:-

  • Your subscribers signed up to get your newsletters/special offers through your website. However, if they had to sign up in order to get a free gift like an eBook or checklist, it is considered "forced consent".
  • Clients opted in through your consultation form. They must have ticked a Yes box. The old way of assuming consent if they don't tick a "No" box is no longer allowed.
  • They signed up for your newsletter through social media, email or text (remember to keep a log as in 4 above).
  • It was clearly stated what they would receive, e.g. your newsletter with special offers, news, and health tips.

If you are unsure about some of your subscribers, you could send off a newsletter or a
text (whatever way you normally contact them), and ask if they would still like to hear
from you. ​Give the advantages of being on your mailing list e.g. special offers, health tips etc.


I am a holistic therapist and I have some extra training and research into GDPR.
The information here, as far as I am aware, is accurate. I don't have legal training and you need to be aware that, as the regulations are new, there are areas which are unconfirmed as yet. I hope you find the guide useful and easy to follow,

Jenny x
