Understanding GDPR - A quick guide for Holistic Therapists.
The GDPR (General Data Protection Regulation) came into force across the EU on 25th May 2018. Any business based in the EU, or that has clients or subscribers in the EU, is bound by it.
A lot of holistic therapists are still quite stressed and anxious about GDPR, but really don't need to be. The GDPR is about being open and clear about why you are requesting your clients' information, what you will use it for, and the steps you will take to keep that information secure.
I hope you feel more confident already!
Here's a video I made in 2018, explaining the basics of GDPR.
If you prefer to read about GDPR, here are the details you need to be aware of:-
1. You need to be able to show you had the clients' permission to contact them about special offers etc.
You automatically have permission to contact clients about appointments they make, to send reminders, directions etc., because that is part of providing the service they asked for. But you need to be able to show that your clients gave you explicit permission to contact them about your offers, availability, tips etc., and when and how they gave it.
2. You need separate consent to store information
For insurance purposes you have to keep consultation forms for 6 years. But for GDPR purposes you need a lawful reason to hold clients' information at all. For a therapist holding details of someone's health, that reason is normally the client's explicit consent, so you must be able to show that they gave it and that they were fully aware why you need to store the information.
Adapting Your Consultation Form
My advice is to have two extra sections on your consultation form, to show that your clients gave you consent to send them offers etc. and to keep their consultation forms:-
"I am happy to receive occasional emails and texts about special offers, new treatments and appointment availability. I understand that I can easily unsubscribe at any time. Please say if you'd like to be contacted by email, text or both."
"I consent to details of my medical and treatment records being kept safely and securely in line with current GDPR rules. (Please note that I am unable to treat you if I can't keep your consultation form, as this is required for insurance.)"
At each section include a Yes and a No checkbox, and be sure your clients sign and date the consultation form. Keep the two questions separate: a client must be able to say No to marketing and still be treated, otherwise the marketing consent isn't freely given and won't stand up if it is ever questioned.
3. You need a record when you get consent in other ways
You can clearly show when you get a client's consent during a consultation, but sometimes you get it by phone, email, text etc. It's a good idea to keep a record of how you got consent. This could be a simple table with the client's name, how consent was obtained and the date. I suggest keeping emails in a folder marked GDPR, and screenshotting texts and putting them in a Drive or Dropbox folder. Remember that this folder holds personal data too, so it belongs on an account with a strong password and two-factor authentication turned on, and not one you share with anyone else.
4. Clients have a right to easily unsubscribe from a mailing list
You must always give your clients an easy way to unsubscribe from your mailing list.
So when you send texts to groups of clients, always include "Text STOP to opt out", and act on any STOP reply straight away.
If you send newsletters to clients, always use newsletter software which gives clients the option to unsubscribe with a click. Mailchimp and MailerLite both have free plans.
5. You need to store clients' information securely
You must be able to show that you have taken all reasonable steps to protect your clients' information, whether it is consultation forms or contact details.
Consultation forms can be physically stored in a locked press where no one but you has
If you have clients' information or contact details on a phone, computer or other device, the device must be protected with a password or PIN and its storage encrypted (modern phones and laptops encrypt automatically once a screen lock is set, but check that the setting is on). Turn on the remote locate-and-wipe feature so that a lost device can be erased, keep the device updated, and take reasonable care that it is not lost or stolen.
6. Report any breaches in security
If you think, or know, that someone has gained access to your clients' information, for instance if your phone with contact details is lost or stolen, this must be reported to the Data Protection Commissioner (or your own country's data protection authority) within 72 hours of you becoming aware of it, unless the information was protected in a way that makes it unlikely anyone can read it, for example a locked, encrypted phone that you have remotely wiped. If the breach puts clients at real risk, for example health details being exposed, you must also tell the clients affected.
But even if this happens, you are not automatically in trouble: when deciding whether to take any action, the regulator looks at the precautions you had in place and how quickly and openly you reported it.
7. Don't keep information longer than necessary
Once a client unsubscribes from a mailing list, delete their contact details from the list everywhere it is kept (your newsletter software, any spreadsheet, any group on your phone). If they are still a client you can keep their number for appointments, but don't use it for marketing.
Consultation forms, however, do need to be kept for up to 6 years, even if the client is no longer receiving marketing information from you.
8. Don't ask for information you don't need
Only request information that you need for the purpose you asked consent for. For instance, asking for someone's postal address when they sign up for an email newsletter is not necessary.
9. Clients have a right to access information you hold about them
Under GDPR clients have a right to see any information you have about them, to have inaccurate information corrected and irrelevant information deleted. You have one month to respond to such a request, and you should be satisfied that the person asking really is the client before you hand anything over. Information on consultation forms will not need to be updated, as it was correct at the time of the consultation.
If you are collecting clients' contact details on your website, you will need a link to
To sum up
OK, so this was a lot of information, and I know I love a recap when I'm learning something new, so here goes:-
I am a holistic therapist and I have done extra training and research into GDPR, but I don't have legal training. As far as I'm aware the information in this post is accurate. I hope you find it clear and helpful, and that it clears up any questions you have.