Your Guide to GDPR Compliance for UK Therapy Websites

Counsellor's desk with laptop and locked filing cabinet, representing GDPR compliance for therapists

Table of Contents

If you practise privately in the UK, GDPR compliance is part of the job, as much a fixture as insurance or supervision. The short version for therapists: you’re a data controller, you almost certainly owe the ICO a small annual fee, your session notes count as special category data, and your website needs a privacy policy that describes what you actually do. The longer version is below, because the details decide whether any of it holds up.

One signpost before we start. This guide covers UK law — UK GDPR and the Data Protection Act 2018. If you practise in the US, your rulebook looks different: start with our HIPAA guide for therapy websites and our overview of US privacy laws for online therapy instead.

What UK GDPR Actually Asks of a Private Practice

UK GDPR asks therapists in private practice to collect only the client data they need, keep it secure, explain how it’s used, choose a lawful basis for processing it, and honour clients’ rights to see, correct or erase it. Most practitioners must also pay the ICO’s annual data protection fee.

That’s the whole regulation in one paragraph. Everything else is detail about how those duties land on a counselling practice.

Here’s the shift that catches people out. If you trained or worked in the NHS, data protection was someone else’s problem: the trust had a data protection officer, policies arrived by email, and you followed them. In private practice, you’re the controller. You decide what gets collected, where it lives and how long it stays, and nobody signs that off for you.

Your professional body helps more than you might expect. BACP, UKCP and HCPC all publish data protection guidance for registrants, written for exactly this situation: one practitioner, no IT department, a laptop and a filing cabinet.

Do You Need to Register with the ICO? Almost Certainly, Yes

If you process client data electronically as part of your practice (and a website contact form counts), you’re likely required to pay the ICO’s data protection fee. Solo practitioners usually sit in the lowest tier: £40 a year at the time of writing, £35 by direct debit. The ICO’s fee tiers do change, so run its online self-assessment rather than taking any blog’s word for it.

Our opinion, plainly: if you’re unsure, register. The fee costs less than a single session, the self-assessment takes about five minutes, and we see the gap constantly in client audits — a live contact form collecting enquiries, no ICO registration behind it.

There’s no drama needed here. It’s a form and a small fee. Do it once, renew annually, move on.

Why Your Session Notes Are Special Category Data

Under UK GDPR, health data gets a higher tier of protection, and therapy notes are health data. Names and email addresses are ordinary personal data. Anything touching a client’s mental health falls into the special category bracket: session notes, intake forms, even the bare fact that someone is your client.

Practically, that means three things:

  1. A stronger legal footing. You need a lawful basis for ordinary data plus a separate condition for the health data. For most therapists that’s the provision of health or social care, or explicit consent.
  2. Tighter storage. Encrypted devices, a password manager, two-factor authentication on anything holding client records, and a locked cabinet for paper.
  3. A retention schedule you actually wrote down. Many UK insurers and professional bodies point to around seven years for adult client records (longer for minors); check what yours requires, then delete on schedule. Keeping everything forever feels safe. Under the storage limitation principle, it’s the opposite. Table comparing ordinary personal data and special category data on a therapy website

Consent, Contact Forms and Cookies: Where Websites Slip

The website is usually the leakiest part of a practice’s data handling, mostly because nobody built it with data protection in mind.

Say a prospective client fills in your contact form at 11pm on a Tuesday. Where does that message go? An email inbox? A database on your hosting account? A form plugin’s cloud dashboard in another country? Each of those is you processing personal data, and your privacy policy needs to tell the truth about it.

Cookies have their own rulebook, PECR, which sits alongside UK GDPR. Analytics and marketing cookies need genuine opt-in consent, not a banner that announces “by using this site you agree.” And honestly, most therapy websites collect far more visitor data than anyone ever looks at. If you haven’t opened your analytics dashboard since spring, strip the tracking out. Fewer cookies, a smaller banner, less to explain.

This layer is the one a designer can genuinely own. When we build a private practice website, the forms follow GDPR-aware design practices from day one: minimal fields, encrypted transmission, a plain note about where submissions go, and consent that isn’t bundled into the send button. One honest caveat, and it’s the trade-off in everything we sell: a well-built site narrows your risk, but it can’t finish the job. No designer can choose your lawful basis, write your retention schedule or register you with the ICO. That part stays yours, or your solicitor’s.

The same goes for off-the-shelf options. Our therapy website themes start you from a sensible place, but no template makes a practice compliant on its own.

What Your Privacy Policy Must Cover

A privacy policy for a UK therapy website needs, at minimum:

  1. Who you are: practice name, contact details, and your ICO registration if you hold one.
  2. What you collect, from session notes down to contact-form fields and cookies.
  3. Why, and on what lawful basis, written in plain English, not article numbers.
  4. How long you keep it. Your retention schedule, stated simply.
  5. Who else touches it: hosting company, form provider, calendar tool, your accountant, your supervisor (anonymised).
  6. Clients’ rights to access, correct, erase, restrict, port and object.
  7. The complaint route. Clients can raise concerns with you directly, and with the ICO.

Write it yourself or adapt a decent template, but read every line and delete anything that isn’t true of your practice. A policy that mentions “our sales team” on a solo counsellor’s website tells visitors exactly how much attention the rest of the site got. 

Data Breaches and Access Requests: Two Deadlines to Memorise

Two numbers cover most of what UK GDPR expects when things go wrong or clients ask questions.

72 hours. If a breach is likely to put people’s rights at risk — a stolen laptop holding unencrypted notes, an email sent to the wrong client — you report it to the ICO within 72 hours of discovering it. Where the risk to clients is high, you tell them too, without delay. Minor incidents with no real risk still get logged internally but don’t need reporting.

One calendar month. When a client asks for a copy of their data (a subject access request), you have one month to respond. Verify identity first; therapy records reaching the wrong person is the exact harm this whole system exists to prevent.

Neither deadline should keep you up at night. A one-page breach plan and a note on how you’d pull together a client’s records puts you ahead of most small practices, and the ICO’s published approach to enforcement is proportionate — its headline penalties are aimed at a different class of organisation entirely.  

FAQ: GDPR Compliance for Therapists

Does GDPR apply to my therapy website’s contact form?
Yes. The moment someone submits a name and email, you’re processing personal data — and if their message mentions why they’re seeking therapy, arguably health data too. Keep the fields minimal, make sure submissions travel over SSL, and say in your privacy policy where messages end up.
What happens if I don’t register with the ICO?
If you’re required to pay the data protection fee and don’t, the ICO can add a fixed penalty on top of the unpaid fee, though in practice it starts with reminder letters. The simpler path is the five-minute self-assessment on ico.org.uk.
How long should I keep client records under UK GDPR?
GDPR doesn’t set a number; it says “no longer than necessary” and makes you justify the choice. Most UK insurers and professional bodies suggest around seven years for adult records, longer for minors. Pick a period, publish it in your privacy policy, and actually delete when the time comes.
Do American therapists have to follow GDPR?
Usually not. GDPR reaches a US practice only when it deliberately serves clients located in the UK or EU. If that’s you, the two US-focused guides linked at the top of this article are the right starting point.

Usually not. GDPR reaches a US practice only when it deliberately serves clients located in the UK or EU. If that’s you, the two US-focused guides linked at the top of this article are the right starting point.

GDPR compliance for therapists comes down to a handful of habits: collect less, store it properly, tell the truth about it in your privacy policy, and know your two deadlines. None of it needs a law degree — though this article is business guidance, not legal advice, so confirm specifics with the ICO, your professional body or a solicitor before relying on them.

If the website side is the part you’d rather hand over, that’s what we do all day. Get a custom quote through the Website Inquiry Form and we’ll review your forms, cookies and policy pages together — 500+ therapist and coach sites in, we’ve seen every version of this problem.

Share this post:

For Therapist Counselor Life Coaches

Get Your Free Therapy Website & SEO Strategy

Small practice or established clinic, We’ll show you exactly how to grow online.

Recent Articles: