GDPR Checklist for Video Therapy Software

GDPR compliance is essential for therapists using video therapy platforms to protect client data and avoid legal penalties. Here's what you need to know:

• Therapists as Data Controllers: You decide how client data is handled. Platforms act as data processors under your instructions.
• Sensitive Data Handling: Therapy involves "special category data" like health details, requiring strict safeguards (e.g., encryption, access controls, Data Processing Agreements).
• Legal Obligations: UK GDPR and the Data Protection Act 2018 require lawful data processing, transparency, and accountability.
• Client Trust: Secure data management reassures clients and helps maintain confidentiality.

Key Steps for Compliance:

1. Privacy Notice: Clearly explain data collection, usage, and retention to clients.
2. Data Protection Impact Assessment (DPIA): Map data flows, assess risks, and document safeguards.
3. ICO Registration: Most UK therapists must register with the Information Commissioner’s Office.
4. Data Processing Agreements (DPAs): Ensure contracts with vendors outline security and processing standards.
5. Encryption & Security: Use strong encryption (e.g., AES-256), multi-factor authentication, and access controls.
6. Retention Policies: Define how long data (e.g., session notes, recordings) is kept and securely delete it when no longer needed.
7. Client Rights: Allow clients to access, correct, or delete their data within one month of a request.
8. Regular Reviews: Update DPIAs, Privacy Notices, and vendor contracts annually or when changes occur.

Using a GDPR-compliant platform like Konfidens can simplify governance by integrating secure video calls, notes, scheduling, and payments in one system.

Takeaway: Protecting client data isn't just a legal requirement - it's key to maintaining trust and delivering effective therapy. Follow these steps to ensure your practice meets GDPR standards.

Governance and Documentation Requirements

To ensure compliance with GDPR regulations, your video therapy practice must implement specific governance measures to safeguard client data effectively.

Create a comprehensive governance framework that includes key elements like a Privacy Notice, lawful basis documentation, a Data Protection Impact Assessment (DPIA), ICO registration, a Record of Processing Activities (ROPA), a Data Processing Agreement with vendors, and policies covering data retention, access, incident response, and data subject rights. These measures are critical for maintaining transparency and accountability in your practice^[2][6].

Privacy Notice and Lawful Basis for Processing

Your Privacy Notice should clearly outline that you conduct therapy sessions online and detail the types of personal and sensitive data collected during video calls. This may include names, contact information, health histories, images, and audio recordings. It must also explain why this data is processed - whether for assessment, treatment, invoicing, or supervision - and specify the Article 6 lawful basis (usually performance of a contract or legitimate interests) along with the Article 9 condition for processing health data (commonly provision of health or social care)^[2][6].

Additionally, your Privacy Notice should identify the video platform as your data processor, describe any international data transfers and safeguards, and clarify the data retention periods. If sessions are recorded for purposes like training or supervision, you must obtain separate explicit consent from clients^[2][3].

Data Protection Impact Assessments (DPIAs)

Conducting a DPIA is essential for remote mental health services, as they often involve handling sensitive data that could pose high risks to individuals. A DPIA maps out all data flows - from the client’s device, through the internet, to the video platform, and finally to your device. It should also account for any recordings, backups, or logs. Identify all personal and sensitive data involved, including images and audio that might contain biometric information. Evaluate the necessity of using video and assess risks like interception, unauthorised access, or system misconfigurations^[2][3][6].

Your DPIA should document mitigation strategies such as encryption, access controls, audit logs, and staff training. Additionally, note whether you consulted professional bodies or a Data Protection Officer during the process. Update your DPIA annually or whenever you switch vendors or introduce new features, such as call recording or AI transcription^[6].

ICO Registration and Processing Records

If you’re a UK-based therapist processing identifiable client data electronically - such as through video platforms - you’re likely required to register with the Information Commissioner’s Office (ICO) and pay an annual data protection fee. Exemptions are rare, so it’s best to assume registration is necessary^[6].

When registering with the ICO, ensure your role and activities, including online therapy, are accurately reflected. Additionally, maintain a Record of Processing Activities (ROPA) for video therapy. This document should include:

• Categories of data subjects (e.g., clients, supervisees)
• Types of personal and sensitive data processed
• Processing purposes
• Categories of recipients (e.g., your video platform provider)
• Details of any international data transfers and safeguards
• Retention schedules
• A description of technical and organisational measures^[2][6]

ROPA can be as simple as a spreadsheet or table but should align with your Privacy Notice and DPIA.

Simplifying Governance with Tools

Platforms like Konfidens can streamline governance by integrating scheduling, secure notes, video calls, and consent management into one GDPR-compliant system. This approach helps maintain consistent records, manage access controls, and demonstrate compliance throughout the client journey^[5][8]. However, as the data controller, you remain responsible for ensuring appropriate policies and up-to-date DPIAs are in place. The next step is to evaluate the software’s security features to ensure they meet your data protection needs.

Vendor Due Diligence and Contracts

When selecting a vendor, it's essential to evaluate their ability to meet your obligations as a data controller. This assessment should align with your existing governance framework. Under Article 28 of the UK GDPR, you can only work with processors that offer sufficient assurances they have the right technical and organisational measures in place. This isn't about taking a vendor's "GDPR-compliant" claim at face value - it requires a thorough review of contracts, hosting arrangements, and security credentials.

Data Processing Agreements (DPAs)

Any video therapy vendor you use must provide a written Data Processing Agreement (DPA). This document outlines their responsibilities under Article 28 and should clearly define roles - you as the controller and the vendor as the processor. It should also specify details like the subject matter, duration, nature, and purpose of the data processing. Additionally, it must list the types of personal data involved (including sensitive health data) and the categories of individuals, such as clients, supervisees, or staff members.

A robust DPA ensures processing is carried out strictly according to your instructions. It should include clauses that enforce staff confidentiality, encryption, and access controls. The agreement must also outline the vendor's role in supporting data subject rights (e.g., access, erasure, or restriction), managing security incidents, assisting with Data Protection Impact Assessments (DPIAs), and defining how data will be deleted or returned when the contract ends. Crucially, the DPA should allow for audits or other measures to verify compliance.

Pay attention to practical clauses that safeguard session data during regular use. These include whether sessions are recorded by default and who controls this setting, as well as how recordings, chat logs, and shared files are stored, encrypted, and retained. The DPA should also restrict the vendor's use of data for purposes like analytics, AI training, or marketing. Look for clear breach notification timelines (e.g., "without undue delay") and provisions for data exports when clients exercise rights like access or portability. Recording controls should be detailed, including options to disable or restrict recordings and automatically delete them in line with your retention policy.

Vendor Jurisdiction and Hosting Location

Knowing where your vendor stores and processes client data is critical. Data hosted within the UK or EEA benefits from comparable protections under UK GDPR or EU GDPR. If data is stored in a third country, such as the United States, you'll need to ensure there is either an adequacy decision in place or that appropriate safeguards, like the ICO-approved International Data Transfer Agreement or EU Standard Contractual Clauses, are used alongside transfer risk assessments.

Ask for a data flow diagram or a summary of hosting locations and backup sites. Confirm the data centre providers (including the specific cloud platforms and regions) and check whether any data, such as logs, metadata, or support tickets, is processed outside the UK or EEA. Additionally, verify whether tools like test environments, analytics platforms, or email/SMS services used for reminders handle client identifiers outside these regions. Ensure these tools are listed as sub-processors. Opting for a UK-focused platform can help simplify compliance.

Security Certifications and Sub-Processor Lists

Request evidence of the vendor's security certifications, such as ISO 27001. Evaluate their encryption measures - both in transit and at rest - along with their access controls, multi-factor authentication, and incident response protocols. Vendors that can provide up-to-date security certifications, a security whitepaper, and a transparent incident response plan demonstrate a well-established approach to security.

The vendor should also supply a current list of sub-processors. This list should detail all third parties that process personal data on your behalf, including their roles (e.g., "UK data centre hosting" or "video streaming infrastructure"), the regions where data is processed, and the safeguards in place for international transfers.

The DPA must ensure that sub-processors are held to the same data protection standards as the primary processor. It should also require the vendor to notify you in advance of any changes to their sub-processors, giving you the chance to raise objections. For example, if a US-based email service is used to send appointment reminders containing client names, you need to assess whether this transfer complies with data protection laws and your confidentiality commitments. Using an all-in-one UK-based platform like Konfidens, which integrates video, session notes, scheduling, and payments, can reduce the number of vendors you need to evaluate, making ongoing compliance easier. Once you've assessed your vendor, review your platform's security and data storage practices to ensure they align with GDPR requirements.

Security and Data Storage

Once you've sorted out contracts and hosting logistics, it's time to focus on the technical steps required to keep your data secure. Under Article 32 of the UK GDPR, you’re required to implement measures like encryption, access controls, and secure deletion to protect personal data. This is especially critical for video therapy, where you’re dealing with sensitive health information. Failing to secure sessions, messages, or notes could lead to regulatory scrutiny and hefty fines - potentially as high as £20 million or 4% of global turnover ^[2][9].

Encryption and Secure Configuration

Your video therapy platform must use strong encryption for both data in transit and at rest. For connections like video streams, logins, and file uploads, ensure TLS with modern ciphers is in place. For stored data, AES-256 or an equivalent standard should be used ^[2][5]. Many GDPR-compliant platforms align their encryption practices with those used in online banking. To confirm this, ask your provider for a security white paper or technical overview ^[5][8].

For highly sensitive sessions, such as trauma therapy, end-to-end encryption (E2EE) is highly recommended. E2EE ensures that even the service provider cannot access the data, offering an extra layer of security ^[1][2]. However, it’s worth noting that E2EE might restrict certain features like cloud recording or multi-party calls ^[1]. Use your Data Protection Impact Assessment (DPIA) to weigh the risks and decide whether E2EE is necessary, or if strong encryption combined with strict access controls will suffice. Platforms like Konfidens, which combine secure video chat with encrypted messaging, can offer a balance between security and usability.

Beyond encryption, make sure to enable waiting rooms, enforce multi-factor authentication, use strong passwords, restrict screen sharing, and set up automatic session time-outs. Role-based access controls are another must, ensuring that only authorised individuals can access sensitive data. All configuration decisions should be documented as part of your GDPR compliance records ^[2][4][5].

Once these measures are in place, the next step is to ensure your hosting practices also meet security standards.

Hosting and International Transfers

Encryption is just one piece of the puzzle; you also need to think about where and how your data is stored. Keeping data within the UK or the EEA ensures it falls under the protections of the UK GDPR or EU GDPR ^[8][11]. If your data is stored or accessed outside these regions - like in the United States - you’ll need to ensure there’s an adequacy decision or implement safeguards like Standard Contractual Clauses and a transfer risk assessment ^[8][11].

Ask your vendor for a clear breakdown of where their data centres are located, including backups and logs, and whether any support or analytics teams access data from outside the UK or EEA ^[2]. If international transfers are involved, document the transfer mechanisms in your DPIA and privacy notice, and make sure your Data Processing Agreement covers onward transfers to sub-processors. Many practices opt for platforms hosted within the UK or EEA to simplify compliance. A UK-focused solution like Konfidens, which integrates video, notes, scheduling, and payments, can reduce the number of vendors you need to evaluate and streamline compliance efforts.

Your hosting checklist should also include infrastructure security. Confirm that your data centre provider holds certifications like ISO/IEC 27001 or SOC 2, ensure customer data is logically separated (multi-tenant isolation), and review their breach notification procedures. GDPR requires notifying the ICO within 72 hours of a breach, so it’s essential your vendor adheres to this ^[2][6].

Retention and Deletion Policies

GDPR requires that personal data is not kept longer than necessary ^[2]. For UK therapists, this must align with professional and insurer guidelines, which usually recommend keeping clinical records for at least seven years for adults, and potentially longer for children ^[2].

Set clear retention rules for different types of data, such as recordings, chats, metadata, and notes. Avoid holding onto raw video files unless absolutely necessary, and automate regular data reviews and secure deletions ^[2][6]. Your software should allow you to configure retention periods - for example, deleting recordings after 30 days, logs after one year, and notes in line with professional recommendations. It should also support automated deletion or anonymisation once these periods expire ^[2].

Secure deletion means removing data from active storage and eventually from backups. Test these processes to ensure they work as intended and keep an audit trail to confirm data has been removed ^[2][10]. Platforms like Konfidens, which integrate scheduling, notes, and payments alongside video, should provide consistent retention controls across all modules. For instance, deleting a client’s video data should also remove their notes and billing information according to the same timeline. Document these retention rules in your privacy notice and internal policies, and keep test records with your DPIAs and configuration logs to demonstrate compliance to the ICO or other regulatory bodies ^[2][7].

sbb-itb-0b4edca

Client Consent and Rights Management

When dealing with client data, especially in sensitive settings like therapy, transparency and compliance are non-negotiable. Under Articles 13 and 15 of the UK GDPR, clients must be clearly informed about how their data is collected, used, and what rights they have. This includes the right to access, correct, or delete their data. Providing this information in plain, accessible language is key to avoiding complaints and potential fines from the Information Commissioner’s Office (ICO) ^[2][6].

Informed Consent for Online Therapy

Before starting any therapy sessions, it’s essential to explain the clinical process and data protection measures to clients. This should cover how video therapy operates, its potential benefits, and risks - such as technical issues, interception risks, or privacy concerns in the client’s own space. Be upfront about what personal data will be collected, such as contact details, health information, payment data, and even metadata like IP addresses and session logs. Explain why this data is needed, whether for clinical care, safeguarding, supervision, or billing, and outline the lawful basis for its use ^[2][6].

Clients should also be informed about the platform being used for sessions, its security features like encryption and access controls, and whether sessions will be recorded. Recording sessions is rarely necessary and requires explicit, opt-in consent from all parties involved. If recording is proposed - for supervision, training, or client review - clearly explain its purpose, how long the recording will be kept, who will have access, and where it will be stored. Consent should be documented, either in writing or through a timestamped digital tick-box. If a client withdraws their consent, recording must stop immediately, and the change should be noted ^[2][3].

This information should be presented in straightforward language, with adjustments made for vulnerable individuals or young people. An online therapy information sheet combined with a consent form can help ensure clarity. Clients should have enough time to review, ask questions, and give informed consent before the first session. Digital systems that log when the notice was provided and accepted can further demonstrate compliance with GDPR requirements.

Client Privacy Notices

A Privacy Notice is a key document that outlines how client data is handled. It should be concise, easy to understand, and readily accessible. Key details to include are your identity and contact information, the purposes and legal basis for processing data, who will have access to the data (e.g., practice management providers, video platforms, accountants, or GPs in safeguarding situations), information on any international data transfers, data retention periods, and an overview of client rights. These rights include access, correction, deletion, restriction, and portability, as well as the right to lodge complaints with the ICO ^[2][6].

For video therapy, your Privacy Notice should specify the platforms used and their security measures, reflecting the consent details discussed during session planning. Provide this notice at the earliest opportunity, such as in a confirmation email or through a client portal, before any significant data processing begins. Using a GDPR-compliant template integrated into an online onboarding process - like the client portal on Konfidens - can ensure that every client receives and acknowledges the notice before their first session.

Handling Data Subject Rights

Clients retain several rights under GDPR during video therapy, including the ability to access, correct, delete, restrict, object to, and transfer their data. Requests to exercise these rights must be handled within one month ^[2][7][6].

To manage these requests effectively, establish a clear, written procedure. This should include how clients can make a request, how their identity will be verified, who is responsible for handling the response, and how relevant systems (like practice management tools or secure storage) will be searched. Data provided to clients must be secure, structured, and in a machine-readable format.

For corrections, fix factual errors (such as an incorrect address or date of birth) and, if necessary, add a dated note for disagreements over clinical opinions rather than altering the original record. For deletion requests, assess whether legal, regulatory, or safeguarding obligations require retaining the data. If full deletion isn’t possible, remove non-essential information. Any approved changes or deletions should be applied across all systems and processors ^[2][7].

Data portability allows clients to receive their information in a commonly used electronic format, like CSV or PDF, and transfer it to another provider if needed. Ensure your systems can securely export relevant data - such as intake forms, contact details, appointment histories, or clinical summaries - within the required timeframe ^[7][6].

Using a single GDPR-compliant system to store notes, communications, and documents - such as Konfidens - can simplify compliance. A centralised platform ensures all client records are securely maintained, reducing the risk of missed deadlines or overlooked data. Configure privacy settings, access controls, and retention schedules to align with your Privacy Notice. Additionally, keep a record of key consent preferences, like whether recording is allowed or preferred contact methods. Regular audits and spot-checks can confirm your practices align with documented policies, reinforcing your overall GDPR compliance framework.

Maintaining Compliance and Staff Training

Staying on top of GDPR compliance is not a one-off task - it’s an ongoing process. Regular reviews and continuous staff training go hand in hand with your established governance and security measures. You need to ensure that your data processing remains lawful, secure, and proportionate over time. This involves periodic reviews, consistent training, and keeping detailed records of your system configurations.

Annual Reviews and DPIA Updates

Make it a habit to review your Data Protection Impact Assessment (DPIA), Privacy Notice, and vendor contracts annually. Updates are essential when you add new platforms, enable recording features, or change hosting regions. Think of your DPIA as a "living" document that evolves with your practice. Your Privacy Notice should also stay up to date, reflecting the current use of video tools, data storage locations, retention periods, and client rights.

In the UK, many practices streamline this process by scheduling an annual GDPR review, with additional checks triggered by significant changes, such as adopting a new platform or expanding services. This approach ensures your video therapy compliance remains aligned with your governance framework.

Staff Training on GDPR and Security

Good documentation is only part of the equation - effective staff training is equally crucial. Every team member who handles client data, from therapists to administrative staff, should receive regular GDPR and security training. For new hires, induction training must happen before they gain access to client information, followed by annual refreshers for existing staff.

Training should cover the basics, such as lawful data processing, data minimisation, and client rights, along with specific guidance for handling sensitive mental health data. Include practical tips like using approved video tools, verifying client identities, managing waiting rooms, and securing account credentials. Staff should also learn to identify phishing attempts, suspicious updates, and social engineering attacks. Additionally, explain what qualifies as a personal data breach (e.g., sending an invitation to the wrong email address) and outline the internal reporting process. Keep concise records of all training sessions.

Platforms like Konfidens, designed specifically for UK therapists, can ease the training burden by offering user-friendly interfaces, secure default settings, and built-in GDPR guidance.

Configuration Records and Documentation

GDPR’s accountability principle requires you to document system configurations thoroughly. For video therapy and practice management tools, this should include:

• Security settings: Encryption protocols, password policies, two-factor authentication, and automatic log-out durations.
• Access controls: User roles and permissions for hosting sessions, viewing notes, and accessing recordings.
• Recording and storage settings: Whether recording is enabled, where recordings are stored, retention periods, and deletion procedures.
• Data retention rules: How long session notes, metadata, chat logs, invoices, and audit logs are kept.
• Backup configurations: Frequency of backups, storage locations, encryption standards, and restoration testing processes.

Regularly verify that your system settings align with documented policies. A centralised GDPR-compliant system, such as Konfidens, can simplify this process. These platforms often come with built-in retention settings, secure defaults, and audit logs, supporting both ICO audits and client inquiries with minimal effort.

Conclusion

Complying with GDPR in video therapy software isn't just about ticking boxes - it's about safeguarding your clients' sensitive information and upholding professional standards. By following this checklist, you ensure your platform incorporates key elements like encryption, access control, data minimisation, and respect for client rights. This not only reduces risks but also shows your clients that their privacy is a top priority.

When clients see their data is handled securely, it builds trust, which is essential in therapy. A secure, privacy-focused platform encourages clients to share openly, enhancing the therapeutic process. This trust highlights why keeping your compliance measures thorough and up to date is so important.

A comprehensive, GDPR-compliant platform like Konfidens can simplify this process. Designed specifically for UK therapists, it brings together scheduling, secure notes, video calls, and payments. Features like secure defaults and built-in audit logs make record keeping and DPIA updates straightforward, freeing you to focus on what matters most - providing excellent clinical care.

FAQs

What steps should video therapy software take to comply with GDPR?

To comply with GDPR, video therapy software must focus on protecting data and safeguarding client privacy. Here are some critical measures to consider:

• Encrypt data during storage and transmission to shield sensitive information from potential breaches.
• Ensure data is stored securely within the EU or in locations that adhere to equivalent data protection regulations.
• Obtain clear and explicit consent from clients before collecting or processing their personal information.
• Use access controls to limit who can view or modify client data, preventing unauthorised access.
• Keep audit logs to monitor data usage, promoting transparency and accountability.
• Practise data minimisation by only collecting and keeping the information absolutely necessary for therapy sessions.

By implementing these measures, therapists and clinics can ensure their software not only meets GDPR standards but also respects and protects their clients' rights.

What steps should I take to ensure my video therapy software complies with GDPR?

To make sure your video therapy software aligns with GDPR requirements, pay close attention to these core aspects:

• Encryption: Implement end-to-end encryption to protect video calls and client communications from unauthorised access.
• Data storage: Store all client data securely within the EU, ensuring it complies with GDPR guidelines.
• Client consent: Secure explicit consent from clients before collecting or processing their personal data.
• Regular reviews: Continuously evaluate your data handling processes to maintain compliance over time.

Platforms like Konfidens, designed with GDPR compliance in mind, offer secure data storage and encryption, making it easier to manage your practice confidently and securely.

What information should be included in a Privacy Notice for online therapy sessions?

A Privacy Notice for online therapy sessions should offer a clear explanation of why client data is collected and specify the types of information gathered. This might include personal details or session notes. It should also clarify the legal basis for processing this data, whether that's through client consent or because it's necessary for a contractual agreement.

The notice must detail how the data is securely stored and encrypted, the duration it will be retained, and the rights clients have over their data. These rights include accessing their information, requesting corrections, or even having their data deleted.

Furthermore, it should explain if any data is shared with third parties, outline the steps taken to ensure compliance with GDPR, and provide contact details for addressing any concerns or questions about data handling. Offering this information openly not only ensures compliance with UK data protection laws but also helps establish trust between therapists and their clients.

Related Blog Posts

• GDPR Compliance for Therapists: Common Questions
• How to Choose a GDPR-Compliant Video Platform
• Common GDPR Storage Issues and How to Solve Them
• GDPR and Informed Consent in Online Therapy