What the GDPR means for my work as a therapist

Unless you have been living on the moon or down a very deep hole for the last months, you will undoubtedly know that by Friday (25/05/18) the way companies manage your data (names, addresses – email and actual, mobile phone numbers, for example) will have changed rather dramatically (GDPR).  As a psychotherapist working in private practice I work within a ‘small company’, meaning GDPR applies to me and the way I manage data.  So, I have recently been reviewing how I manage your data, so that I comply with GDPR.

In this webpage I want to introduce (in an informal, hopefully engaging way) a little bit about these changes. It’s not meant to be a in depth guide - current clients of mine will receive the detailed ‘official’ version of this in the very near future (I am also very happy to share this with you if it is part of your decision-making process about whether to contact me as a prospective client).  Rather, this webpage aims to give you insight into some of the decisions I have made about data protection, and something of my thought processes around it.

Creating security facilitates good therapy

As a psychotherapist I have always been acutely aware of the need for privacy, confidentiality and the sense of security in the work I do with clients.  GDPR doesn’t change this but adds another layer.  Ultimately GDPR is about security – something that is close to my heart as an attachment-based therapist.  If we don’t feel safe, all our energy goes into maintaining a vigilance of our environment, rather than exploring it (via play in children, and exploration, letting our mind wonder and the freedom to engage with another human being in a new way within therapy).  Exploration facilitates optimal growth, development and, in therapy, healing. 

But feeling safe and secure is as important for me, the therapist, as it is for my clients.  If I don’t feel secure in my work I don’t work optimally.  I am talking as much about feeling supported to manage the (sometimes) challenging work of therapy as much as physical safety.  It is for this reason that I require GP details of prospective clients before I agree to work with them.  I feel strongly that knowing I can contact a GP if the need arises helps me feel secure to fully enter into the work.  In the vast majority of cases I never need to contact a client’s GP, and if I do, it is done with a clients’ knowledge, involvement and consent (there are exceptions – see information on confidentiality on Framework for Therapy page ). 

Requiring GP details is just one example of my rationale behind the data I ask for.  If you want to ask anything else about my rationale behind my data protection policy, please do not hesitate to ask.

Fort Knox at the front door…

GDPR has made me reflect on the ‘front door’ ways I communicate with clients.  Email, text message and video messaging are pretty much the sole way I communicate with clients (outside of sessions), and vice versa.  But the majority (perhaps all) of the standard email providers do not encrypt emails, meaning that they are not secure ways to communicate.  The same is true for text messages.  WhatsApp, while encrypted, is not secure because it’s WhatsApp who do the encrypting, and so could theoretically ‘unencrypt’ data (and let’s be clear, data = your and my messages, video calls and so on).  Plus, it’s owned by Facebook, who don’t have a great track record for data protection!

So, I am moving over to using encrypted forms of communication via a different email provider (ProtonMail), text message service (Signal) and video conferencing service (Zoom).  All of these satisfy my (and my more technically minded/aware colleagues) requirements for transferring data safely over the internet.  All these systems are free and easy to download – but require the message receiver to be using them for the system to be safe.  As a result, I will require clients to adopt these facilities too.  Let’s face it, after the end of this week it’s likely many people will be using these sort of facilities, so they’re unlikely to gather dust on your phone and/or computer.

…but the back door’s wide open!

I have covered the security of the direct ways people communicate, but there are different ‘back door’ ways data is shared, sometimes outside of our conscious awareness.  Think of how your phone might be set up to add engagements (including a session with Helen Cordery – a quick look at Google will tell anyone what I do) to your calendar without you asking it to, as a prime example. GDPR has compelled me to think about as many ways like this that your data is at risk of being compromised, and ways around this.  (By the way, I use an old-fashioned paper diary, listing clients by their initials, not names)

Some are pretty basic, such as not looking at my emails when crammed onto a busy train in the morning.  Other are a little less obvious.  For instance, whilst a passcode and fingerprint recognition make my phone very secure, I realised that notifications override these, showing the first line of a text (for example) as well as the sender, if my phone is at rest.  As a result, I have changed my notifications so that I only know that I have a new message, not its content, and again identify clients on my phone by initials, not by name.

I imagine that GDPR will make us all far more aware of how data ‘leaks’, and that whilst I have tried to be as comprehensive as possible, my data protection policy is more a ‘work in progress’ rather than the finished article. 

And finally…

You might be feeling somewhat frustrated that this GDPR business is getting in the way of therapy.  I completely understand where you are coming from on that one – it’s taken me a while to get my head round it myself! However, I think rather than being a frustrating diversion it could become a valuable way to understand ourselves and the way we relate to the world, especially with the lens of attachment-based psychoanalytic psychotherapy to view it through. And that can’t be a bad thing!