General Data Protection Regulation (GDPR) for Therapists and Coaches: What You Need to Know

Keep hearing about GDPR? What does it mean for you?

The European Union (EU) has adopted new rules for handling personal data, and they take effect in May 2018.

You may have heard about these changes or, if you use Google Analytics, you may already have received a number of Data Retention-related emails from your website provider or from Google.

At first glance, you may have thought these were a reaction to the recent data scandal surrounding Facebook when, in fact, they stem from the GDPR, an EU initiative that has been in the works for several years.

Of course, in light of this new law, your biggest question probably is: “How will this affect my business?”

Before getting to the answer, let’s consider some important information about the GDPR.

What Is the New General Data Protection Regulation?

The GDPR is an EU regulation that was adopted by the European Parliament in April 2016 and becomes enforceable on May 25, 2018.

The objective is to give all EU member countries a single, unified set of data protection rules. The GDPR protects the privacy and personal data of people in the EU (it covers anyone located in the EU, not only EU citizens) and regulates how organizations use that information.

It replaces the 1995 Data Protection Directive, which predates most of the ways we now use the Internet.

How Has the Law Changed?

According to the official EU website, the policies that are part of the GDPR include:

Right to Access Data

Consumers have a right to access the data a company holds about them and to receive a free copy of it.

Notification of a Data Breach

If a company experiences a data breach that is likely to, “result in a risk for the rights and freedoms of individuals,” it must notify its data protection supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the affected individuals, those individuals must also be informed without undue delay.

Data Erasure

This has been covered in the media as “The Right to Be Forgotten.” It means consumers have the right to ask companies to delete their personal data and to stop disseminating it.

Privacy by Design

A company is required, “to hold and process only the data absolutely necessary for the completion of its duties.” The organization must also limit access to that data to the people who need it.

Fines

A company that breaches this regulation can face fines of up to 4% of its annual global turnover or 20 million euros, whichever is greater.

Consent (Release)

When a consumer consents to a company collecting their data, for example by agreeing to “terms of use,” the request for consent must be written in clear, plain language that the consumer can understand, and withdrawing consent must be as easy as giving it.

Data Portability

Consumers have the right to receive their data in a commonly used, machine-readable format and to transfer it to another organization.

Data Protection Officers

Some organizations must appoint a Data Protection Officer: public authorities, and organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data such as health information. A small practice will usually not meet that threshold, but the regulation does require more internal recordkeeping of data processing activities from everyone it covers.

How Does the New Law Affect Your Business?

The GDPR applies to any company that offers goods or services to people in the EU, or that monitors the behavior of people in the EU, regardless of where the company is located. So this is the obvious question for therapists and coaches worried about the new law.

Here’s the good news: If you are a U.S. based therapist or coach who only markets their business to people in the United States, the law is very unlikely to reach you. It is meant for businesses that target, or attempt to attract, customers and clients in EU-member countries.

In other words, if someone who lives in an EU country happens to find your website and opts in to your email list or does business with you in another fashion, that incidental contact does not by itself bring you within the law; merely having a website that can be reached from the EU is not, on its own, “offering services” to people there. As long as you do not specifically market your services or products to people in the EU, meaning your website is written in English and for U.S. consumers, you are most likely outside its scope. (One caveat: the regulation also covers monitoring the behavior of people in the EU, which is why analytics vendors such as Google are changing their settings, as discussed below.)

However, if you are a U.S. based therapist or coach who markets their business to people in the European Union, meaning your website has information in the language of an EU country, you quote prices in euros, or you make references to customers and users from that country, the GDPR does apply to your business.

In summary, “doing business in the EU” means specifically:

  • You market yourself to people living in European Union countries.
  • Your practice has a domain name from an EU country.
  • You create an ad campaign or website pages targeting people living in EU countries in their language.
  • You collect personal information from a consumer you have targeted that lives in an EU country.

Of course, most U.S. based therapists and coaches who own their own business are not marketing to people in Spain or other European countries. Rather, they keep their focus on their specific city or region for finding clients.

Yet, if you are a practitioner who has a niche clientele and who specifically markets to people in the EU, you need to familiarize yourself with these new rules.

Do You Need to Do Anything?

Obviously, the Internet has changed a lot since the 1990s, and how we use and share our personal data looks very different today. National and international regulations that govern these matters, and that aim to better protect customers’ privacy and the security of their personal information, will therefore keep changing.

For that reason alone, you may already have received information from your website provider or from Google about Data Retention. These companies operate on a global scale, which obviously includes the EU.

Since the GDPR treats online identifiers such as IP addresses as “personal data,” and Google Analytics processes the IP addresses of everyone who visits your site, extra efforts are being made to be more transparent about how this data is used. As part of this effort, Google Analytics has introduced a Data Retention setting that automatically deletes user-level data after a chosen period.

What do you need to do? – That depends upon the scope of your business and your usage of Google Analytics.

Within Google Analytics, under the “Admin” menu and the “Tracking Info” menu, there is a “Data Retention” menu item. Under this menu you can adjust how long Google keeps user-level and event-level data from your visitors before deleting it automatically. Note what this setting does and does not do: it shortens how long that detailed data is stored (aggregated reports are unaffected), but it does not change what data is collected in the first place, so on its own it is not a complete answer to GDPR compliance.

However, as mentioned before, if you are a therapist or coach in the U.S. who is not marketing to EU countries or consumers, you shouldn’t have to worry about this. The notices from Google Analytics do not pertain to you and you can simply utilize the default settings on your Google account.

Fortunately, for the large majority of therapy and coaching businesses in the U.S., the new policies of the GDPR will not be an issue.

Posted in: Marketing For Therapists


11 Comments

  1. Sharon Barnes April 18, 2018

    Hi Becky,
    Thanks – this is very helpful information. I am one of the few who do market worldwide, as I do online therapy/consultation, and have had clients in the EU and people there who have purchased my online course as well. Am I correct in my understanding of your blog post that the only thing I need to do is to adjust my Google analytics settings, or is there more that I also need to do?
    Thanks again!
    Sharon

    • Becky DeGrossa April 27, 2018

      Sharon,

Anyone online could be seen to be “marketing worldwide” because once we’re online, we can be found by people all over. However, are you really trying to appeal to people in the EU? Are you talking to them about their unique issues? Are you running paid ads targeting those countries? Are you listing your rates in EU currency?

We, too, have people that buy from us from the EU, but it is happenstance that they find us. We just have a site up and they find us through no effort on our side. For that reason, we are not doing anything differently than we were doing before. I’m not an attorney and can’t tell you what to do. I’m only telling you how we are interpreting the GDPR info we have read.

  2. Michelle Farris April 23, 2018

    Hey Becky,
Thank you SO much for writing this article! It’s the only one I’ve read so far that made any sense 🙂 So if we sell products and have an email list – does it still not apply to us? I don’t target Europe in ads or marketing but I think some on my list are in those countries. Any help would be appreciated.

  3. Becky DeGrossa April 27, 2018

    Again, I cannot give legal advice, Michelle, but my understanding of this is if you are just sitting in the US and doing your thing, and not marketing to EU countries, or including their currency on their site, or targeting them, specifically, you do not have to do anything differently.

    • Criss Ittermann June 20, 2018

      From what I can tell, that’s not correct.

      If you have people in the EU on your email list, and you don’t reasonably expect to only have local/US clients, then it applies to you and your customers. Lack of ads is not an exemption.

That means no cookies on your website without express consent. It means you must have a privacy policy. Your emails must be explicit opt-in and the opt-ins have to be recorded/tracked — no pre-checked boxes, etc.

      It means that basically your entire coaching practice has to follow the GDPR – explicit permission to keep records, etc. – (similar for protected health information in the US) for all information that could identify and stigmatize your customers. So their religion, race/ethnicity, gender status, disability, mental health issues, etc. are all protected information. As well as their other personally identifying information.

      If you only coach in-person in the US and have no phone clients then you’re probably OK. But coaches are usually global. This is a huge concern for our industry. You get a prospect phone call and grab a pen & paper and have to ask “Is it OK if I take notes while we talk?” and you need a YES to take notes, even to write their name down.

      What I ended up here for is I was trying to figure out whether hour tracking for certifications changed due to the GDPR. It should. They want identifying information about customers in a log — their name, address/contact info, dates of appointments & length of appointment. This is information we may be required to dump after a certain reasonable length of time in the GDPR, need express client permission to store, & need to disclose that we’re giving it to the certification organization. As a mental health coach, people with active diagnoses come to me for adjunct assistance while in therapy — but a list of who they are would be restricted by the GDPR. Those in the EU anyhow, but other countries may decide they like it and adopt it too. If I hand that information to a certifying body without all my permissions in place, it’s my liability.

      There’s some great information out there on why small business in the US is not exempted from the GDPR. Some companies have blocked their websites from the EU because of the GDPR — they don’t have their policies ready or don’t need their services to be seen in the EU. Like a NYC pizza parlor.

      • Becky DeGrossa June 30, 2018

        Hi Criss,

        Thanks for your comment. 90% of our readership are local therapists or coaches who DO reasonably expect to only have face to face folks as clients; no EU folks.

        Certainly for global coaches, GDPR is required.

  4. Edie Stone April 30, 2018

    Thanks!

    I will check this out with my Google son and see if he has any input.

  5. Judy Cantwell May 12, 2018

    I own the url http://www.crossculturecoach.london which defaults to my judycantwell.com. I assume I am affected? Even so, I don’t think I have anything to worry about?

    • Becky DeGrossa May 22, 2018

      If you have no clients in the EU this shouldn’t be an issue for you.

  6. Judy Herman May 24, 2018

Thanks, Becky. Your article is helpful along with comments and your responses. Keep up the awesome work you’re doing!
