The UK GDPR and DPA set out the main principles of data protection and the responsibilities organisations have when handling personal data. They protect individuals’ personal information and improve their control over how it is collected, stored, shared and used.
The legislation can be complex, and you may wish to seek professional advice from a legal expert in data protection. They will be able to clarify the finer points of legislative requirements and what it means for your organisation or practice.
For the latest information, see the Information Commissioner’s Office (ICO website), which has lots of resources from basic tools to detailed guides. It’s worth checking regularly as information is frequently updated.
Your questions
Do I need to register with the ICO?
All businesses (including sole traders) processing personal information electronically must register with the ICO and pay a fee. A new fee charging structure came into effect on 25th May 2018, alongside the UK GDPR and DPA 2018.
See Register on the ICO website.
Do the same rules apply to paper records and electronic records?
Broadly speaking, the same regulations do apply. Most personal data is held electronically as this is the most secure option, so if you keep paper records, you have the added complexity of maintaining both paper and electronic media. Paper records are not recommended and should be used only in extreme circumstances.
How long should I keep my records for?
Data Protection legislation does not set specific time limits but requires that you only keep information for as long as is necessary for the specific purpose it was originally collected. So you will need to decide how long you need to keep personal data and set retention periods.
Anonymising your records is the same as deletion because anonymised data is not personal data, therefore DP legislation does not apply. However, the information must be truly anonymous, so there is no way this can be linked back to an individual, and no way a data subject can be identified.
You should consider whether you can minimise a record after a certain time. So, you can delete some of the information you hold on a client (especially the more sensitive or special category information) and just retain limited data.
Further points to consider:
- whether the data in your records is covered by any legal or regulatory requirements
- whether your indemnity insurers specify a time period
- your organisational policies
- the time limits for raising a complaint against a therapist (currently three years after counselling has ended under our Professional Conduct procedure, unless extenuating circumstances apply)
What is pseudonymisation?
This could be described as a reversible anonymisation, with a link or key connecting identification to anonymisation. For instance, you could remove all personal identification from your records, such as name, address, email, and keep these fields in a different system (preferably an entirely separate system). You would use a pseudonym to connect the two systems. This makes the data more secure and makes the eventual anonymisation of the record easier as you only need to delete the secondary record.
Pseudonymised records are still personal data under DP legislation but as long as the two elements are separate, the risks are reduced. Any data breach would be considered less serious if the records compromised had been effectively pseudonymised.
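The split described above (identifiers in one store, clinical data in another, linked only by a pseudonym) and the minimisation step from the retention answer can be seen working together in the following example. It is added here for illustration and is not code from the original page or from the ICO; the field names and client records are constructed, the two stores are simulated with two dictionaries, and the pseudonym is a random token rather than anything derived from the person.

```python
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Fields that directly identify a client; these move to the separate identity store.
DIRECT_IDENTIFIERS = ("name", "address", "email")

# Constructed sample records for this example only; they do not describe real people.
CLIENT_RECORDS = [
    {"name": "Client One", "address": "1 Example Road", "email": "one@example.invalid",
     "sessions": 6, "referral_route": "GP", "session_notes": "constructed note text"},
    {"name": "Client Two", "address": "2 Example Road", "email": "two@example.invalid",
     "sessions": 12, "referral_route": "self", "session_notes": "constructed note text"},
]

Record = Dict[str, object]


def pseudonymise(records: Iterable[Record]) -> Tuple[Dict[str, Record], Dict[str, Record]]:
    """Split each record into a clinical part and an identity part linked only by a pseudonym.

    The pseudonym is random, so it carries no information about the person; the link exists
    only through the identity table. In practice the two tables live on separate systems
    (assumed here and simulated with two dictionaries).
    """
    clinical: Dict[str, Record] = {}
    identity: Dict[str, Record] = {}
    for rec in records:
        pseudonym = secrets.token_hex(16)
        identity[pseudonym] = {k: rec[k] for k in DIRECT_IDENTIFIERS if k in rec}
        clinical[pseudonym] = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    return clinical, identity


def reidentify(pseudonym: str, clinical: Dict[str, Record],
               identity: Dict[str, Record]) -> Optional[Record]:
    """Rejoin the two halves. Returns None once the identity record has been deleted."""
    ident = identity.get(pseudonym)
    if ident is None or pseudonym not in clinical:
        return None
    return {**ident, **clinical[pseudonym]}


def anonymise(pseudonym: str, identity: Dict[str, Record]) -> bool:
    """Break the link by deleting only the identity record, as the page describes.

    The clinical record is anonymous afterwards only if its remaining fields cannot single
    the person out; that assessment is separate from deleting the key.
    """
    return identity.pop(pseudonym, None) is not None


def minimise(pseudonym: str, clinical: Dict[str, Record],
             keep: Iterable[str] = ("sessions", "referral_route")) -> Record:
    """Retention step: after the agreed period, drop the more sensitive fields and keep limited data."""
    keep_set = set(keep)
    kept = {k: v for k, v in clinical[pseudonym].items() if k in keep_set}
    clinical[pseudonym] = kept
    return kept


def leaks_direct_identifiers(clinical: Dict[str, Record]) -> bool:
    """Check to run before storing the clinical table: no direct identifier field may remain."""
    return any(k in rec for rec in clinical.values() for k in DIRECT_IDENTIFIERS)


def run_demo() -> Dict[str, bool]:
    """Walk one record through pseudonymisation, minimisation and anonymisation."""
    clinical, identity = pseudonymise(CLIENT_RECORDS)
    pid = next(iter(clinical))
    linked = reidentify(pid, clinical, identity) is not None
    minimised = minimise(pid, clinical)
    anonymise(pid, identity)
    return {
        "clinical_table_clean": not leaks_direct_identifiers(clinical),
        "linked_before_deletion": linked,
        "linked_after_deletion": reidentify(pid, clinical, identity) is not None,
        "notes_removed_by_minimisation": "session_notes" not in minimised,
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The point the demo makes is the one in the answer above: while the identity table exists the data can be rejoined and is still personal data, and deleting that one table is what removes the link. Whether the remaining clinical fields could still identify someone (a rare referral route, free-text notes) has to be judged separately before treating the record as anonymous.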
How should I destroy or delete records?
This depends on how your records are stored. Electronic records must be permanently deleted, and you must ensure that data cannot be undeleted or restored from backups. You may wish to seek guidance from your software provider such as Microsoft. Paper records should be a last resort, but if you are using these, they must be shredded.
This is particularly important if you retain any data classified as special category. You should clearly explain this in your privacy notice so that former clients and prospective clients can easily find out what data you are keeping about them.
See the ICO website for more information.
Why do I need to include a privacy notice?
Your privacy notice is possibly the most important part of ensuring compliance with DP legislation. Transparency is fundamental to data protection, and a privacy notice is the main way you can ensure transparency about data collection.
Your privacy notice should be as thorough as possible. You must avoid jargon and ensure you write in terms your clients will understand. You must explain the personal data you keep, how long you keep it, the purpose, storage, what you do with the data and who you share it with. Look at it from the client’s point of view to ensure it is easy for them to find the information they need.
Are there any additional considerations when working with children and young people?
Yes, DP legislation is more complex if you’re dealing with personal data of children or young people. This overlaps with safeguarding policies and guidance such as Working Together to Safeguard Children 2023, found here: . If you already adhere to strict safeguarding principles, you will probably not have to make significant changes to comply with UK GDPR.
General questions about Data Protection legislation
What is Data Protection about?
If a company has legitimately collected some personal information from or about you, such as your name, home address, medical history, religion or ethnic background, you’d want them to keep it secure and not misuse it or pass it on inappropriately.
Data Protection is about protecting information so that those news stories about very sensitive personal records being lost or made available to others do not happen to you and your clients.
As a result of significant advances in technology, social media, and digital networks, much of who we are is recorded electronically as personal data. The UK GDPR, DPA 2018 and the very recently implemented Data (Use and Access) Act bring the law up to date to address new and emerging data threats arising from modern technology.
Does it apply to me?
No matter what your business is, every company or service is likely to hold some personal data which will need to be compliant with DP legislation.
You need to be sure that your customer or staff personal information is protected according to the legal requirements, as the ICO can impose substantial penalties if DP legislation is not complied with.
I’m self employed and have a private practice at home. Does DP legislation apply to me?
If you process personal data solely within your personal life or for household activities, DP legislation does not apply. But if you undertake any commercial activities, even if you are a sole trader working from home, you will need to adhere to UK GDPR and DP legislation.
What are the penalties for non-compliance?
The ICO can issue a relevant penalty, the main penalties being reputational damage and/or a fine.
The standard maximum for a fine is up to £8.7 million or 2% of the undertaking’s total annual worldwide turnover, whichever is higher.
The higher maximum amount for a fine is up to £17.5 million or 4% of the undertaking’s total annual worldwide turnover, whichever is higher.
The fines are discretionary, not mandatory, and are made on a case-by-case basis. When deciding the level of the fine, the ICO must consider the following factors:
- the extent of the damage
- the data involved
- the data protection policies and procedures of the organisation
- any mitigating and corrective actions taken following the non-compliance
- if any previous incidents have been caused by the organisation
Individuals have the right to material and non-material compensation.
What do I need to do to ensure compliance?
There is no need to panic if you are not yet fully compliant, but you should at least have a roadmap of how you are going to achieve compliance.
If you have not already done so, your starting point should be to introduce a transparent privacy notice for all your clients.
Things to consider
What data do you hold?
Conduct an audit. Do you know what personal data you hold, where it comes from and who you share it with?
How do you respond to data requests?
Make sure your procedures are up to date with Data Protection requirements. How will you handle requests to see personal data within legislative timescales and provide any additional information?
What is your legal basis for processing personal data?
Consider the various types of processing you carry out. Identify and document your legal basis for doing these. More information on legal basis can be found here: .
Consent
If relevant, how do you seek, obtain and record consent? Do you need to make any changes?
Children
How can you be sure of individuals’ ages? Consider what systems you will need in place to gather consent for those who cannot give it themselves.
Data breaches
What procedures do you need to identify a breach, report it, and carry out an investigation? Do you know what to disclose, when and to whom?
Data Protection Impact Assessment
DPIAs help to ensure privacy by design is followed. Make sure you are familiar with the specific guidance produced by the ICO. Where and how should you implement DPIAs in your business?
Data Protection Officer
Do you need to designate a DPO? If so, where should the responsibility sit within the organisation and who will hold it?
Awareness
Are all decision makers and key individuals in your organisation aware of the requirements of Data Protection legislation? Do they appreciate the impact that this is likely to have?
International considerations
If you operate internationally, make sure you know which supervisory authority you come under for data protection. You may also need to think about restricted transfers depending on circumstances. More information about this can be found here: .
Information Rights
Individuals have certain rights when it comes to their personal data. These include: Right of Access, Right to Rectification, Right to Erasure, Right to Objection, Right to Data Portability, Right to Restriction of processing, Right to be Informed and Rights Related to automated decision making and profiling.
Further information
Our resources
Good Practice in Action resources
- Legal resource: GDPR legal principles and practice notes GPiA 105
- Legal resource: Ownership and storage of records GPiA 071
For definitions, please see: GDPR terms and definitions.
ICO resources
ICO organisation guide to GDPR: .