Therapists: What has changed in GDPR since the UK left the EU?
GDPR law: The boring but important stuff...
As a private therapist collecting and storing information and sensitive data about clients, by law, you need to comply with the GDPR regulations. The Data Protection Act (DPA 2018) sets out the framework for data protection law in the UK. It was amended on 01 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK’s status outside the EU. You may need to comply with both the UK GDPR and the EU GDPR if you operate in Europe or offer services to individuals in Europe. If you hold any overseas data collected before 01 January 2021, this will be subject to the EU GDPR as it stood on 31 December 2020 (known as ‘frozen GDPR’).
The Information Commissioner's Office (ICO) will continue to be the independent supervisory body for the UK's data protection laws and if you are collecting or processing any kind of data you must register with the ICO. According to their information, there is unlikely to be any significant change between the frozen GDPR and the UK GDPR.
Why is GDPR important to therapists?
Clients should be able to trust you to process and store their sensitive data reasonably and safely - anything you have documented that can identify them applies to GDPR. There are lawful consequences carried out by the ICO if you are unable to meet these standards and comply with the measurers necessary. If you face an accidental ‘data breach’ or ‘breach of confidentiality’ of a client, then the ICO can charge a fine against you if your processes are not deemed robust.
Despite the fact that the changes following the UK's exit from the EU are minimal, it is important to know and understand where your client data is being stored, how you collect data, and how and through what means it is being transferred. You must be able to define any personal data obtained prior to the end of 2020 about individuals who were living outside the UK at the time.
What's the same since leaving the EU?
Nothing much has changed. GDPR regulations for the UK now exists alongside the Data Protection Act of 2018, with only some changes to make it operate in a UK-only context.
Data transfers from the UK to the European Economic Area (EEA) are still currently unrestricted. The EU has agreed to extend the time limit on transfers from the EEA to the UK for around four months, possibly extending to six months until 30th June 2021 (known as the bridge). Personal data may freely flow from the EEA to the UK before adequacy decisions are made or the bridge is closed.
What has changed since leaving the EU?
One change that has been made to UK GDPR is the age at which a child can give their own consent to data processing. It was set at 16 in the EU GDPR, although it has now been reduced to a minimum of 13 in the UK.
If you collect personal data from Europe, the ICO advises that you implement alternative safeguards by the end of April 2021 - EU GDPR can still apply to you directly. Be mindful that if you are seeing a client remotely online who lives abroad, GDPR's transfer restrictions will apply in the future as this is counted as sending personal data outside of your ‘business’.
You must assess any possible risks to personal data as a result of sharing it outside the UK. Ensure that you have appropriate security measures in place to protect the data shared, as this will minimise the risk of data breach and, if one does happen, the ICO will see that you are taking responsible steps to protect your data.
What do I need to do now?
It is important that you keep track so that you can locate any overseas data you obtained prior to the transition change (or legacy data). It is essential that you know when personal data was collected and where the data subject lived on December 31, 2020 to ensure that their collection complies with the new legal requirements. Invoices, client notes, diary appointments, and supervision notes are examples of client personal data.
Many therapists use a ‘cloud’ to store and share data. Microsoft, Apple or Google, are all cloud services that are used to store client's data and information which may be owned by a provider that resides out of the EU. If they are owned by an EU provider, this means that sensitive data that you store on the cloud are not just being shared and transferred within the UK.
As the UK has left the EU, it is important to check and regulate the provider who stores your data, ensuring it is correctly protected by the right GDPR. Look into whether it meets the relevant regulations as part of an audit and ensure it complies with either the EU or UK legislation.
This is a brief summary of EU changes to GDPR regulations. For a more detailed explanation and assistance on applying GDPR, please visit the ICO’s website or click the link below.
Information rights after the end of the transition period – Frequently asked questions | ICO F
At surrey Therapy practice we offer a free GDPR template to use as guide for when writing your privacy notice for your private practice. To download the free template please click here.