UK GDPR Just Got Sharper Teeth: What Health, Aesthetics and Wellbeing Clinics Need to Know in 2026

Right, deep breath. We need to have a quick chat about data protection. I know — I lost you already, didn’t I?

Stay with me. Because here’s the thing: in February 2026, the rules around GDPR in the UK got a meaningful update, and the fines got a lot scarier. If you run an aesthetics clinic, a counselling practice, a therapy room, a wellness studio, or anything else where you collect personal information about clients, this affects you.

The good news? You don’t need a law degree. You just need to know what’s changed and what to do about it.

What actually happened

The Data (Use and Access) Act 2025 got Royal Assent last June. Most of the data protection bits came into force on the 5th of February 2026. The Act doesn’t tear up UK GDPR — it tweaks it. It tries to make data sharing a bit easier for some sectors, and it clarifies a few things that were causing arguments.

But there’s one headline that should grab the attention of every small business owner: the maximum fine under the Privacy and Electronic Communications Regulations (PECR) went from £500,000 to £17.5 million, or 4% of global turnover. Whichever is higher.

Now, the ICO is not about to drop a £17 million fine on a one-person clinic in Bedford. That’s not how it works. But the direction of travel is clear — they’re taking this seriously, and they’ve got teeth.

Why it matters more for wellbeing and aesthetics

The data you handle is not normal data. It’s “special category” data. That covers anything about a person’s physical or mental health, their treatments, their medications, their concerns about how they look or feel.

This means you can’t just rely on a general lawful basis for collecting it. You need a clear reason under Article 6 of UK GDPR AND a specific condition under Article 9 (which covers special category data). For most clinic-style businesses, that means explicit consent — properly recorded, easy to withdraw, and not buried in the small print.

If you’ve never thought about this in detail, you’re not alone. And you’re not in trouble. But it’s worth a tidy-up.

Your quick 2026 spring clean checklist

This isn’t legal advice — for anything complex, talk to a proper data protection professional. But here are the basics every clinic owner should have nailed:

  • Are you registered with the ICO and paying your annual fee? If you process client data electronically (and you do), you need to be. It’s £40–£60 a year for most small businesses. Skipping it is asking for trouble.
  • Do you have a privacy notice on your website that actually explains what you collect, why, how long you keep it, and who you share it with? Not a copy-paste template from 2018 — something current, in plain English.
  • When you take a new client, is your consent form clear about what you’ll do with their data? Bonus points if it covers things like reminder texts, marketing emails, and sharing data with insurers or other practitioners.
  • Where is your client data stored? If it’s in a folder on your laptop with the password “Summer2024,” we need to have a different conversation. Use proper, encrypted, GDPR-friendly tools — most decent clinic software is built with this in mind.
  • Do you have a process for when someone asks for their data, or asks you to delete it? You’re legally required to respond to subject access requests within a month. Knowing what you’d actually do when one lands is half the battle.

The bit nobody tells you

Most data breaches in small businesses are not the result of glamorous cyber attacks. They’re the result of a lost laptop, an email sent to the wrong person, a paper diary left in a café, or a former team member who still has access to the booking system three months after leaving.

The boring stuff is what gets you. So the boring stuff is what you fix first.

The takeaway

GDPR isn’t trying to ruin your business. It exists because the data you hold matters — to your clients, to their families, and to you. Treat it like the asset it is, and you’ll never have to lie awake worrying about it.

And if all of this makes you want to lie down in a darkened room? That’s what people like me are here for. Getting your data house in order is exactly the kind of behind-the-scenes work that takes a weight off your shoulders. Drop me a line.