GDPR may have come into effect on 25 May 2018 but many clinicians are still unsure as to how compliant they really are. The lead-up to GDPR was stressful for many, but therapists and counsellors faced unique challenges to ensure compliance.
Since leaving the EU, the UK operates according to UK GDPR, but this is not materially different to the previous EU version.
Now that the dust has settled, we can see a clearer picture of how therapists can navigate GDPR to the benefit of themselves and their clients.
GDPR: What you need to know
Before we get into the nitty-gritty of GDPR compliance, it’s a good time for a short refresher on what GDPR is, and why it’s important.
GDPR (the General Data Protection Regulation) was designed to give people more rights over how their data is gathered, stored and used. It applies to any form of personal data, however you store or use it.
Personal data is any information that relates to a specific person, ranging from names and addresses to your therapy notes.
The basic premise of GDPR is that individuals have the right to control their own data.
They are entitled to:
- Know what information you are holding about them
- Access any personal data you have
- Request that you correct any errors or even delete all information you are currently holding
How to navigate GDPR and ensure you’re compliant
Communicating with clients
One of the most basic steps you can take to ensure that you are GDPR compliant is to make sure you communicate fully with clients. Clients need to be made aware of their rights under GDPR and they should give their consent for the use of their data.
It can be helpful to make certain that your GDPR compliance policies are included in your written contract, as well as discussing them verbally with clients. Making sure clients know the steps you are taking to protect their data isn’t just about fulfilling your statutory duty. It can also help set their minds at ease and build trust for the therapy to come.
GDPR requires that you restrict your data collection to information that you actually need in order to carry out therapy. You shouldn’t be holding any information that you don’t have a reason to hold.
Think about all stages of data collection and make sure that you need the information you gather at each stage. Information that is relevant for an existing client might not be appropriate to hold about someone who only signs up for your newsletter or enquires about your services.
GDPR requires that you take measures to protect the data you store, whether from accidental loss or theft. As therapists, you’re undoubtedly already aware of the potentially devastating impact on your clients (not to mention your practice) if identifying information or, worse, session notes were made public.
Do a thorough audit of the information you hold and how it can be accessed. Often, making data secure will involve some inconvenience for you. It might be a hassle to keep paper notes in a locked, fireproof safe, but the risks of keeping them on your dining table at home don’t bear thinking about. The same is true of electronic security.
Assess your data in terms of its vulnerability to both theft and loss or destruction. We worry about data getting into the wrong hands, but the loss of data can be almost as problematic. Consider keeping paper copies of session notes stored securely as well as electronic versions.
Important steps to take include:
- Use fully randomised passwords. Consider using a password manager.
- Keep session notes pseudonymous. Use reference numbers rather than names or initials. Keep a separate reference that matches clients to their records, so that you can still identify them even after a long period of time.
- Create a policy for how long you keep emails. Having someone’s email address is considered personal data.
How long to keep data
GDPR is intentionally vague about how long you are permitted to keep data. It was designed to incentivise us to think about how we use data, rather than to set strict limitations.
Most therapists will find that their governing body or insurer will set minimum limits on how long they need to keep records for, typically between 7 and 10 years. This provides documentary evidence to protect you if a client sues.
Although this is technically the minimum amount of time you need to keep your records, it’s also probably the most that you can justify under GDPR unless there are specific reasons why they are needed for longer. Remember that “just in case I need it” isn’t considered an acceptable reason for keeping data under GDPR.
GDPR hasn’t always worked exactly as intended, but it does provide our clients with a high degree of protection.
You can minimise the impact of GDPR compliance on your work by teaming up with Augmentive.
Augmentive is a streamlined service helping to match you with great clients whilst removing most of the administrative burden. If you’d like to devote less time to paperwork and have more energy for helping your clients, contact us now.