A SHORTish GDPR implementation checklist, for health and wellbeing practitioners and therapists

I find it all very confusing. Just when I’ve spent a few hours figuring something out and deciding to set something in place, I then hear from someone else that we don’t have to set that thing in place. There’s reams of info, with clauses about this and that and the other.

So I reckon: reduce your stress and prevent pulling out your hair, put a whole bunch of stuff in place, cover your back, and then you don’t have to worry about anything.

I’ve made this list as concise as possible, and here is another list, which you really need to read as well, as it considers other elements of GDPR.

Don’t believe everything I say. However, if you implement my suggestions, you can save yourself a lot of time and energy AND play it safe. You might not need to do everything on this list and my previous list, however I figure, if you do all of this, then you can say you are offering best practice for everything.

There is so much to read and lots of conflicting advice, so I hope I’m interpreting it all correctly.

The 3 blog posts I’ve written are my interpretation and what I believe is best practice to get GDPR ready.

Get informed through other channels and do let me know if you find conflicting advice. 

FIRSTLY: STAY CALM AND TAKE SMALL ACTION STEPS NOW, to get things in place! ‘They’ are hardly going to be able to clamp down on every business owner on May 25th. I hold no responsibility for saying that though.

So, start making some progress now, and keep track of what you are doing so you can provide evidence if you need to. Even reading this blog post is part of you taking action. The ICO’s policy is: education, then guidance, and if you don’t take action after that, then you’ll be fined.

1. Get consent to hold client information and tell them how you are going to use it
So you could…
Make a client consent form asking for permission to hold their personal information, with the option to sign up for relevant info, marketing and practice updates (Maybe a few of those don’t apply to you)

“Keep evidence of consent – who, when, how, and what you told people.”

  • You need to get consent from clients to hold their personal information, for as long as is deemed necessary by your insurance company
  • You need to get consent from your clients to add them to your mailing list(s)
  • Save yourself the hassle of having this on paper: set up an online form
  • You need to tell them how you will store the data – data needs to be kept securely
  • If you treat children 12 and younger, you need to read this. 13 years and up are now classed as adults

ICO: Consent info and checklist

2. You need to make it easy for clients to update or erase (and more) their info.
So you could…
Provide a way for clients to update their info, withdraw their consent for you to hold their data or unsubscribe from your mailing list

“Make it easy for people to withdraw consent and tell them how.” 

  • There are several ways to handle this… my suggestion is to have a form on your website for this purpose. If someone does not want to return to you for treatment, and you are contacting them about “stuff”, they are hardly going to send you an email to say “please remove me”. An online form makes it easy for them to withdraw their consent
  • Add a link to the form on the signature of your emails
  • Make links to the forms prominent on your website
  • If you use something like Mailchimp for sending emails or marketing, make sure those signup forms are GDPR compliant and you have relevant info on the bottom of the emails/newsletters
  • Apparently double opt-in is not a requirement for GDPR, though it could be worth having it anyway

Example update/delete details form
ICO: Consent info and checklist

3. From CURRENT clients, get consent to hold personal information and use it to contact them

(UPDATE May 14: I’m getting conflicting advice here. I now hear you don’t need permission to contact them, though you might need it to market to them)

You could tell current clients how you store their info, for how long, who might see it, how you will use it, that they are able to see it at any time etc etc.

  • Chances are you have not told your clients how and why you need their personal information, how you store it, what you will use their data for etc etc. You need to do this. See No. 1
  • You could email all your clients and get their consent to continue to hold their data, and let them know how you will use it
  • Link form No. 1 to form No.2
  • Or you could wait for your clients to come back to you and get their consent then

Example update/delete details form
See previous post for more info
ICO: Consent info and checklist

4. ALREADY got a marketing list? Get those people to re-opt in

(UPDATE May 14: I’m getting conflicting advice here. Apparently if you use Mailchimp, you don’t need to get people to re-opt in)

  • If you did not tell clients previously that you were going to add them to your mailing list, you need to get them to re-opt in. However, because of the “vital interests clause”, if you’ve seen a client in the last 3 years, you don’t need to get consent from them to contact them. I’m not sure if this has the deadline on May 25th or just applies continually
  • If people previously subscribed to your mailing list, and you did not tell them at the time of signup, how you were going to use their information and inform them of your privacy policy, they need to re-opt in
  • The deadline for sending an email asking them to re-opt in is May 25th and they can of course re-opt in any time after that. HOWEVER you can’t email them after that date, asking them to do so

Example mailing list signup form
ICO: Consent info and checklist

5. Add a cookies notice to your website

  • Cookies are apps that collect data on your website about visitors to the site
  • There is a high chance that your website collects information
  • You need to tell visitors about this data collection

Read this blog post about cookies and privacy policies

6. Create a GDPR compliant privacy policy

“Businesses in the UK are subject to the Data Protection Act 1998. This piece of legislation details what your responsibilities are when it comes to looking after the ‘personal data’ you are collecting about your customers and employees.”

  • I’m not sure of the exact requirements to be “GDPR compliant”
  • Include information about cookies. You are required by law to do this. See No. 5
  • Include information about how you use website visitors’ data
  • Include information about how you process, store and use client personal information and mailing list info
  • Add this to your website then link to it from your email signature and text messages

“Following good practice in providing privacy notices helps you to deal with people in a clear and transparent way and empower them. This makes good sense for any organisation and is key to developing trust with customers or citizens.”

Read this blog post about cookies and privacy policies
ICO: Why should you provide effective privacy information
ICO: where should you place your privacy notice
ICO: Privacy checklist

7. Install a security certificate on your website

A large part of GDPR is around keeping personal data secure. Installing a security certificate will help you with that, in turn building trust with website visitors.

Read this blog post about why your site needs a security certificate

8. Register with the ICO

It’s only around £30 a year. The “Data Protection Act requires all businesses to register with the ICO”. Take the test to see if your business needs to register… I’m sure you’ll find the answer to be YES

9. What else should you do?

Read this previous checklist

If you need any assistance with all of this, please do get in touch

Photo by Goran Ivos on Unsplash