GDPR Facts and Myths

I know I am unusual but rather than groan when I see “GDPR” I find it rather exciting! I see the principles of the General Data Protection Regulation (GDPR) as extending further the principles of collaborative working with our clients. It leaves us, as professionals, less lee-way to decide unilaterally, “I’m the professional and I will decide what is right” regarding data, records, reports and so on.

The Information Commission Office (ICO) provides lots of guidance as well as being helpful when contacted directly. Do remember that the ICO and GDPR is NOT driven by sanctions but rather, a drive to protect individual privacy.


1. The GDPR simply extends some of the principles of the Data Protection Act.
2. You are responsible for informing your client of your privacy policy and agreeing it with them.
3. Your responsibility under the new act is to keep your client’s personal information safe and secure, but only to keep this information (data) for as long as it is pertinent (legitimate use) and useful (to the client, not you).
4. You need to take reasonable steps to keep your client’s data secure – which you should have been doing anyway.
5. You have to consider your client’s wishes regarding how you keep their information (data) and whether they want access to it, have it altered and when it will be deleted.
6. This is new legislation so there is no case law yet: no definite answers, simply wait and see!

None of these should come as a surprise and most of these practices you have probably been doing anyway, especially if in independent practice.


1. Cannot use my ‘ordinary’ email any more
2. Cannot use Skype (or other such programme)
3. Must use special programme to keep/store notes
4. Cannot use a laptop or iPad for patient notes/records/reports
5. Cannot use paper records any more
6. If I only keep paper records I am exempt from all this GDPR nonsense!

All of these myths are based on the misunderstanding that the GDPR is imposing harsh restrictions on professionals. It is not. GDPR is mainly aimed at big companies sharing our information (data) with other big companies in order to sell us something. However, it is ensuring we are more careful with our clients’ personal data (whether electronic or paper based) than ever before. so….

You can use your email but anything containing a client’s personal data should be moved to a more secure, password protected and encrypted part of your computer or secure cloud storage. If you are sending details about your client to someone else then follow the advice below on letters and reports.

You should delete emails as they come in (or store them in your secure client record) rather than leave them in your inbox for months/years after they are needed.

You can use Skype or other videoconferencing services but only after you have discussed the videoconferencing privacy difficulties with your client and both agreed to proceed. Skype and FaceTime, for example, automatically leave a record of the call on your and your client’s computer which might then be seen by someone else. They can delete this record but they have to remember to do so! A programme such as Zoom leaves no record and this is why it is preferred by many therapists. All of these programmes are encrypted so the privacy of your online session should not be a problem to worry about.

Your responsibility is to keep your notes, records, reports and any other form of information about your clients safe. It is your choice as to how you do this. You need to safeguard this information (data) whether that means locking papers in a filing cabinet or keeping your data on an encrypted drive accessed with a password or fingerprint.

Advice on sending letters and reports about clients: send the report/letter in an attached file that requires a password to open. Send the password using a different medium or simply telephone and speak to a real live person! If sending paper reports use registered post in an attempt to prevent delivery to the wrong address (just like emails).

Remember most data breaches are because papers or mobile devices are left on a train!


Acting as an expert witness: your client is the court/instructing solicitor, not the person you are assessing so this changes things. However, you should still be transparent towards those you are assessing regarding storage of data, what you are doing and why. It is best practice to have the person being assessed consent to the assessment AND you sending the report to those who have instructed you. In my view this has not changed from existing best practice. I would obtain signed consent before the assessment begins. I will write more on this soon.