GDPR is on its way

Copy updated: 13 April, 2018.

Things to consider before new data protection regulations come into effect this May

Data protection regulationThe General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, replacing the Data Protection Act 1998 (DPA). In many ways, it will simply reinforce the obligations you already have under the DPA, however the GDPR does have a wider scope and carries tougher penalties for those who fail to comply.

Whether the personal data you use and store relates to clients, students, staff or local support group (LSG) attendees, this article outlines a few key things to consider to be compliant.

What is personal data?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. It defines this person as someone who ‘can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to […] that natural person.’ (Article 4)

What information do you hold?

Start by documenting what personal data you hold, how it’s stored, where it came from and who you share this with. This will help you identify any areas of risk – such as storing, using and sharing data securely – and also give you an idea of any processes that need improving.

Privacy notices

You should have a privacy policy in place, which clearly explains who you are and how you intend to use a person’s information. This should include how long you will hold their personal data for; how and when you will delete their personal data records; that they have a right to access any personal information you hold about them; and that they have the right to complain to the ICO if they think there is a problem with the way you are handling their data.

The policy does not have to be long and complicated, but make sure people are aware of the policy and how to access this.

Accessing information

People already have the right to access personal data you hold about them, but the GDPR will mean this information needs to be supplied within one month of their request. The ICO advises that in most cases you will not be able to charge for this service, unless the request is ‘manifestly unfounded or excessive’.


Review how you seek, record and manage consent to use and store personal data, and whether you need to make any changes.

According to the ICO, consent must be freely given, specific, informed and unambiguous. There must be a process of ‘opting in’ – consent cannot be inferred from silence or by having pre-ticked boxes.

Reviewing the personal data you hold in order to be GDPR compliant is a good opportunity to ensure this information is current and reflects the other person’s wishes. Ask those who have engaged with your services in the past year:

  • If the information you hold about them is accurate and up to date.
  • If they are happy to ‘opt in’ and be contacted by you for information relating to your services, for example appointment reminders, special offers, or newsletters. Make it clear that they can opt out of these communications at any time, quickly and easily.
  • How they would like to be contacted by you going forward for each of the above (by email, phone, text message, email, post, other).

In the process of checking someone’s personal data, be very careful not to disclose this information to someone other than that specific individual.

Other points to consider

  • Obtaining permission from a parent or legal guardian for consent to process the personal data of a child.
  • Having a process in place to detect, report and investigate a personal data breach.

Still have questions?


This article is intended for guidance only. It is not all-encompassing, nor does it constitute legal advice.

Contact the ICO Helpline if you have any questions about data protection or the GDPR. T. 0303 123 1113.

Advice and a copy of the GDPR is also available from their website:

16 thoughts on “GDPR is on its way

  1. I do not understand why you state that people with FHT insurance only have to keep date for 3 years after the final appointment. The policy states that documents must be kept for 10 years,

    Liked by 1 person

    • PS (Commenting via WordPress account now instead of facebook account) – double checked by downloading latest copy of the Code of Ethics and Professional Practice from the FHT website, and it says to protect yourself in case you are taken to court you need to keep notes for at least 10 years. I definately if there has been a bad reaction to treatment, and for 10 years after they reach adulthood when treating children.

      So come on FHT – which is it?

      The 10 years makes a LOT more sense to me. If a client hasn’t been for a few years then comes again, they are not going to be expecting me to start again from scratch taking down their medical history and having destroyed all the information I had put together about their preferences and which approaches were most successful. What a waste!

      Also, have we as members been agreeing to one thing in your Code of Practice, while being expected to do another under the insurance you provide? If so this needs resolving asap!

      Plus you don’t want a situation where your members destroy a lot of information on your advice which it turns out they should have kept.

      Liked by 1 person

  2. It will indeed be good to hear the outcome of the discrepancy which I pointed out to you on the day I received my federation magazine. Unfortunately, my email was ignored.

    Liked by 1 person

      • Please can you confirm on here, that we should be keeping records for 10 years as per the Insurance requirements? In the last month I have had 3 clients who have returned after an absence of 3 or more years and it was good to be in a position where we could discuss changes that had occured in that time rather than completing a consultation sheet from scratch.

        Liked by 1 person

  3. Please note that the FHT’s Code of Conduct and Professional Practice (October 2015) is currently under review to reflect GDPR (data protection) regulation that comes into effect on 25 May, 2018. We will advise members as soon as the updated version of the Code of Conduct is available.

    If you have any queries regarding GDPR or data protection, please contact the Information Commissioner’s Office on T. 0303 123 1113. If you have any queries regarding membership and insurance, or other aspects of the Code of Conduct, please call the FHT on T. 023 8062 4350.

    Liked by 1 person

  4. I came here to my trusted trade body for information on how to best implement the new legislatoon only to find that you are as confused as the rest of us. Are you producing any relevant guides for the statements or protocols that we need in place?

    Liked by 1 person

  5. We fully appreciate the complexity of the GDPR and that our members rightfully want to ensure that their business practices are in line with this new data protection regulation. As each FHT member collects, stores and uses personal data differently, the Information Commissioner’s Office will be able to offer advice that is specific to your individual business practices – please contact them on T. 0303 123 1113. The new GDPR regulation takes effect from 25 May, 2018. The FHT has planned to make its revised Code of Conduct available to members in April.

    Liked by 1 person

  6. Dear FHT , Please can we have some more help with this as i’m talking with fellow therapists locally and there’s still a lot of confusion . Could you perhaps create a template for a Privacy statement for your members to use ? What about information that’s taken for ‘taster’ treatments I’m assuming this would come under the new GDPR regulations as well . Many thanks .

    Liked by 1 person

    • I second the above comment from Vivien Taylor. I understand the AoR have already supplied their members with a template. Time is running out FHT, as our professional association please help and support us, it’s very confusing, even when ringing the ICO.

      Liked by 1 person

  7. Data Protection GDPR - changes are coming into effect on 25th May 2018

Leave a reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s