UK GDPR for Independent Practitioners: What You Actually Need to Know
GDPR compliance doesn't have to be complex. Here's a clear, practical guide to what UK GDPR means for independent health and wellness practitioners — and what you need to do.
WellSync Team
22 May 2026
UK GDPR can feel overwhelming — especially when you're running a solo practice and there's no legal team to ask. But the core requirements for independent practitioners are more manageable than you might think.
Here's what you actually need to know and do.
Who does UK GDPR apply to?
UK GDPR applies to any organisation or individual that processes personal data about people in the UK. If you hold client names, contact details, session notes, or health information — and almost every practitioner does — UK GDPR applies to you.
The good news: the ICO (Information Commissioner's Office) takes a proportionate, risk-based approach, and its headline enforcement is aimed at large or systemic failures. Small organisations are not exempt, though: the ICO does issue penalties to small practices, most often for not paying the data protection fee or for mishandling a complaint, so you still need the right foundations in place.
The data you hold as a practitioner
As a health or wellness practitioner, you typically hold:
- Client names, email addresses, phone numbers
- Session notes and clinical records
- Health history and intake form data
- Payment records
- Consent records
Health data is "special category data" under UK GDPR (Article 9), which means you need a specific Article 9 condition on top of your ordinary lawful basis, and tighter storage and access control. For most practitioners that condition is the client's explicit consent. Regulated health professionals who are bound by a duty of confidentiality may instead be able to rely on the "health or social care" condition, but the consent route is the simplest to document for a solo practice.
The six things you need to do
1. Have a legal basis for processing data
Every piece of personal data you process needs a lawful basis under Article 6. For booking, appointment records, reminders and invoicing, that is usually "contract" (you are delivering a service the client asked for) or "legitimate interests"; write down which one you rely on. For the health information itself you additionally need an Article 9 condition, which for most practitioners is explicit consent. Keep the two separate: consent can be withdrawn at any time, so it should not be the only basis for records you must keep regardless (such as invoices), while the consent form should clearly explain what health data you hold, why, and for how long.
2. Get explicit consent before the first session
A signed consent form, covering what data you collect, how you store it, how long you keep it, and who can access it, is essential. To count as explicit consent it must be a clear affirmative act (no pre-ticked boxes or "by attending you agree" wording), specific to the health data you hold, and as easy to withdraw as it was to give. Keep the version of the form the client signed alongside the signature, because the wording is part of the evidence. Digital consent forms (like those in WellSync) provide a timestamped, auditable record.
3. Store data securely
Client records should be stored with appropriate security: encrypted at rest and in transit, access-controlled (a strong unique password plus two-factor authentication on the account), and backed up. Cloud platforms designed for healthcare (like WellSync) handle this for you, but legally they are your processor, so check you have a written data processing agreement with them (Article 28 requires one) and know where the data is stored. Your own laptop and phone need full-disk encryption and a lock screen, since that is where the session notes are read. Paper records in a locked filing cabinet also qualify, but aren't searchable or recoverable if damaged. If client data is lost or exposed (a stolen unencrypted laptop, notes emailed to the wrong client), you must assess it and, where it is likely to put people at risk, report it to the ICO within 72 hours of becoming aware; if the risk is high you must also tell the affected clients.
4. Keep data only as long as needed
UK GDPR sets no fixed retention period and the ICO does not prescribe one; it requires you to decide a period you can justify, write it down, and stick to it. The usual reference point for health records is the NHS Records Management Code of Practice: 8 years after the last treatment for adults, and until the 25th birthday for records of children. Check what your professional body and insurer expect, since they may require longer. After that, securely delete or anonymise records, including backups and any copies in email.
5. Respond to subject access requests
Clients can request a copy of all data you hold about them, including session notes. You have one calendar month to respond (extendable by up to two further months if the request is genuinely complex, provided you tell the client within the first month), and you cannot normally charge a fee. Verify the requester's identity first, and check notes for information about other people before releasing them. If the request came in electronically, provide the copy in a commonly used electronic format. A practice management system with data export capabilities makes this straightforward.
6. Register with the ICO (if required)
UK GDPR no longer has a formal registration, but almost every practitioner who keeps client records must pay the ICO's annual data protection fee; the exemptions (for example, processing only for staff administration or accounts) do not cover client health records. Small practices fall in the lowest tier: this was £40 a year until the fees rose in February 2025 (the lowest tier is now £52, with a small discount for direct debit). Use the ICO's fee self-assessment tool to confirm whether you must pay and the current amount.
What about cookie consent?
If your website sets analytics cookies or advertising pixels, the UK's cookie rules (PECR, enforced by the ICO) require consent before they are set: the banner must ask before the script runs, must not use pre-ticked boxes, and "Reject all" must be as easy to click as "Accept all". Google Analytics and Meta Pixel need that opt-in. Tools that set no cookies and store nothing on the visitor's device (Plausible Analytics is designed this way) generally fall outside the consent requirement, but they still process IP addresses, so you need a lawful basis and a line in your privacy policy for them. Strictly necessary cookies, such as a session cookie for your online booking form, do not need consent.
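As an added example (not WellSync's code or anything from the original page), here is what "opt-in before the script runs" looks like in plain JavaScript: tracking scripts are injected only when a stored, current, explicit "accepted" choice exists, and any record that is malformed, stale, or from an older version of the cookie policy is treated as though the visitor was never asked. The storage key, policy version, six-month re-consent window, banner element ids and the Google Analytics measurement ID are all assumptions for illustration.

```javascript
// Added example (not WellSync's code): gate analytics/advertising scripts
// behind explicit cookie consent. Names below are assumptions for illustration.
const CONSENT_KEY = 'cookie_consent';                  // assumed storage key
const POLICY_VERSION = 2;                              // bump when your cookie policy changes
const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000;  // assumed re-ask interval: 6 months

// Read a stored consent record. Returns 'accepted', 'rejected' or null
// (null = we must ask). Malformed, stale, future-dated or old-policy records
// all collapse to null: silence or a default is never treated as consent.
function parseConsent(raw, now = Date.now()) {
  if (typeof raw !== 'string' || raw === '') return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || typeof rec !== 'object') return null;
  if (rec.version !== POLICY_VERSION) return null;
  if (typeof rec.ts !== 'number' || rec.ts > now || now - rec.ts > CONSENT_MAX_AGE_MS) return null;
  return rec.choice === 'accepted' || rec.choice === 'rejected' ? rec.choice : null;
}

// Build the record to store. Only an explicit button press should call this.
function makeConsentRecord(choice, now = Date.now()) {
  if (choice !== 'accepted' && choice !== 'rejected') {
    throw new Error('choice must be "accepted" or "rejected"');
  }
  return JSON.stringify({ version: POLICY_VERSION, choice, ts: now });
}

// Run the loaders only on an explicit 'accepted'. Takes the loaders as an
// argument so the gating logic can be exercised without a DOM.
function applyConsent(choice, loaders) {
  const loaded = [];
  if (choice === 'accepted') {
    for (const [name, load] of Object.entries(loaders)) {
      load();
      loaded.push(name);
    }
  }
  return { loaded, showBanner: choice === null };
}

// Constructed sample records (not real data) showing which ones count.
function demoRecords(now = 1700000000000) {
  return {
    fresh: parseConsent(makeConsentRecord('accepted', now), now),                              // 'accepted'
    oldPolicy: parseConsent(JSON.stringify({ version: 1, choice: 'accepted', ts: now }), now), // null
    stale: parseConsent(makeConsentRecord('accepted', now - CONSENT_MAX_AGE_MS - 1), now),     // null
    garbage: parseConsent('yes', now),                                                         // null
  };
}

// ---- browser-only part: the actual script injection and banner wiring ----
const GA_MEASUREMENT_ID = 'G-XXXXXXXXXX'; // placeholder, not a real property

function injectScript(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

const trackingLoaders = {
  googleAnalytics() {
    // Same calls as Google's standard gtag snippet, just deferred until consent.
    injectScript(`https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`);
    window.dataLayer = window.dataLayer || [];
    function gtag() { window.dataLayer.push(arguments); }
    gtag('js', new Date());
    gtag('config', GA_MEASUREMENT_ID);
  },
};

if (typeof document !== 'undefined') {
  const stored = parseConsent(localStorage.getItem(CONSENT_KEY));
  const result = applyConsent(stored, trackingLoaders);
  if (result.showBanner) {
    // Assumes a banner element #consent-banner with buttons #consent-accepted and
    // #consent-rejected of equal prominence: rejecting must be as easy as accepting.
    for (const choice of ['accepted', 'rejected']) {
      const btn = document.getElementById(`consent-${choice}`);
      if (!btn) continue;
      btn.addEventListener('click', () => {
        localStorage.setItem(CONSENT_KEY, makeConsentRecord(choice));
        applyConsent(choice, trackingLoaders);
        const banner = document.getElementById('consent-banner');
        if (banner) banner.remove();
      });
    }
  }
}
```

The important design choice is that the gtag call lives inside a loader rather than in the page's `<head>`: if the script tag is already on the page, the cookie is set before the banner is answered and the banner is decoration. A Meta Pixel loader would be added to `trackingLoaders` in the same style. Bumping `POLICY_VERSION` when you change what you track forces a fresh ask, which is what the ICO expects when the purposes change.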
The practical bottom line
For most independent practitioners, UK GDPR compliance means:
- A clear, signed consent form before the first session
- Secure, encrypted storage of client records
- The ICO data protection fee, paid every year (lowest tier for a solo practice)
- A privacy policy on your website
- A process for handling data subject requests
That's genuinely it for most solo practitioners, plus a written note of your lawful bases and retention period so you can show your reasoning if asked. The headline fines you hear about are for large organisations that systematically mishandled data; the ICO's actions against small practices are far smaller and usually follow an unpaid fee or a badly handled complaint, which the basics above prevent.
Try WellSync free
Ready to simplify your practice?
Online booking, session notes, reminders, and consent — everything in one place. Free to start.
Start free — no card needed