The new General Data Protection Regulation (GDPR) comes into effect here in the UK on 25th May 2018. Even if you are a small business similar to ours, you need to be aware of the changes which are occurring and take some action.
Please don’t panic – there is still plenty of time for you to familiarise yourself with everything you need to know about it. This article should help.
Before you read on I want to make clear that I am NOT an expert on the matter, so please refrain from asking me any questions. Those are best posed to the Information Commissioner’s Office (ICO) directly. Their contact information can be found below. They are very friendly and helpful!
However, you may find some useful guidance and information in what is written here.
This blog post is different from the usual information I like to share. The reason for this is that this topic seems to cause much confusion, fear and frustration amongst some of the people I know. Also, there are some who are ready to cash in on this mayhem by charging people large amounts of money for something that is actually quite easy to understand and implement, once you put your mind to it.
My husband Marcus and I both run small holistic businesses. I run Crystal Meditation Groups, Classes and Workshops. I am also in partnership with my husband Marcus who – to put it simply – facilitates Reiki and other healing to individual clients. He also teaches Tai Chi classes and runs some workshops.
If your business operates on similar lines to what we do, then you may find the following information useful. Otherwise, the best thing for you is to ring the ICO helpline yourself to receive the information that is most relevant to you.
They are very friendly, helpful and amazingly, I got to speak to a young assistant who was very familiar with the type of work Marcus and I do. Wonderful!
The ICO has a section and helpline dedicated to small businesses. The number is: 0303 123 1113, select option 4 to be diverted to staff who can offer you support. Alternatively, the relevant section of their website covers the same ground.
This is how I understand what is required under the new GDPR rules:
What is required is that you tell your customers / clients if you hold information about them, what that information is, and what you are planning to do with it.
It makes sense for this information to be written down. Alternatively, you could take your clients through it in groups or on an individual basis (for example when they fill in a client consent form or health questionnaire, or when they book onto a workshop).
It must be easy for the client to request the removal of their information from your records unless you are otherwise required to keep that information. An example would be that your insurance policy or your professional membership body requires you to keep hold of client records for several years in case of a potential future claim.
If this is the case then you can tell your client that there is good reason for you to keep their information. Do check with your insurance and your professional body regarding this.
Any security breach, e.g. lost / stolen client consent forms, must be dealt with straight away. Where the breach is likely to put the people involved at risk it must be reported to the ICO, and the GDPR gives you 72 hours from becoming aware of it to do so; where the risk to those people is high they must be told as well. A reasonable strategy to recover the information should also be in place.
For example, if you work in a clinic and you left behind your folder containing client records, your strategy could be to ring the clinic to see if the folder is still there and then ask them to store it in a secure place until you retrieve it. Your clients should be informed about this incident and the possibility that someone else may have accessed their personal information.
At its core the GDPR is about keeping your clients and customers informed about what information you hold about them, how you use that information and how securely you store it. It also gives your clients / customers the right to access that information and the right to ask you to delete the information, or parts of it, unless the nature of your business requires you to keep it.
By the time you explain all of this to your customers you may as well put the above into writing and publish this as a privacy notice on your website or customer information pack.
Do you use Google Analytics for your website? If so, let people know that you do.
Do you send out a newsletter? If so, do you use a 3rd party provider such as Mailchimp? Do customers actively opt in, and is it easy for them to unsubscribe?
Does your website provider collect any data in order to provide you with some statistics, such as which country the people who visit your site live in etc.?
Do you use social media interfaces or another company who runs your social media for you?
What information do you collect when a client contacts you via phone or email?
Do you keep lists of workshop or group/class attendees?
Do you keep client health record forms? Where do you store them and how secure is that storage? How do you use them and are they confidential?
What is your procedure if a client asks to be removed from your records?
What is your procedure if there has been a breach of security, i.e. someone else gained access
Here are some useful links to the ICO website for you to check:
Find out if you need to REGISTER with the ICO – here is an online self-assessment that took me less than a minute to complete.
Registration (and the associated data protection fee) generally applies where personal data is processed electronically; organisations that keep records only on paper are usually exempt. The self-assessment tells you which applies to you.
Here is a really useful link for a micro assessment to see if you need to comply with the new GDPR rules.
You can skip this one if you like, as it will flag up that you DO need to comply with the new regulations unless you don't keep any client records at all. (I have tried several different scenarios.)
GDPR: 12 steps to take now – a good read 😉
Small organisations – privacy notices. Again, a good read ;-). If you are planning to write your own privacy notice then this is a useful source of information. Then again, you may wish to skip to the section where it asks the questions What, Who, How, Why etc., as this can form the foundation of your privacy notice.
Examples of good and bad privacy notices and the reasons why. This is worth looking at to give you clarity.
If you are already complying with the current Data Protection Act 1998 then you only need to build on some of what you already do in order to comply with the new regulations.
Personally I welcome the GDPR as I may well be one of the few people who bothers to read ALL the information provided on forms I am about to sign. To me the GDPR means that this information should now be brief, simple and easy to understand. Hurrah!
Our main website is www.thebainclan.uk
In my personal opinion the only way the ICO will be able to find out if a small business which operates along similar lines to ours is in breach of any of these new rules is by someone reporting that something has gone wrong.
Having said this, they may well spot-check businesses every now and then.
Please remember – I am not an expert so it’s no good asking me any questions on the subject.
If you do have questions ring the nice people at the ICO on: 0303 123 1113, select option 4 to be diverted to staff who can offer you support. Alternatively, the relevant section of their website covers the same ground.
Hmm, which Crystals to suggest for this? I LOVE using Fluorite whenever I need to focus and have an organised Mind. Maybe this will work for you too : )!
Working with Crystals is fun and creative – have a go!
My experiences are my own and your experiences are yours and even though we are connected and part of the ONE we are allowed to feel different about things.
Always go with what feels good and true for you as I go with what feels good and true for me.
If you would like to belong to a group of like-minded individuals then please get in touch.
We love to hear from you: www.thebainclan.uk/bccl/
In Love, Light, Peace and Truth