The GDPR has been in force for years, but in many psychology centers it is still a pending issue. There is good will, some signed document and the feeling that “more or less it's done”. The problem appears when an inspection, a security breach or a patient complaint arrives.
This checklist is designed for centers that want to have the GDPR truly operational, not just on paper. It is organized into four blocks: access, backups, providers and breaches. With an afternoon and the team involved, a lot of progress can be made.
1. Access: who enters, to what and with what credentials
Access control is the basis of any data protection policy. In a center, this means knowing at all times who has access to what information and with what level of permissions.
Access checklist:
- Each member of the team has their own credentials. Sharing a username and password between several professionals makes traceability impossible and is a direct vulnerability.
- Permissions are assigned by role: administrative staff access the operational part, therapists access their own patients' records, management accesses the overall view. More detail in the post about medical history and permissions by role.
- There is a record of registrations and cancellations of access. When someone leaves the center, their credentials are deactivated that same day.
- Passwords meet minimum security criteria and are regularly renewed.
- Remote access, if any, is through secure channels.
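The first three points of the access checklist (one account per person, permissions that match the role, access disabled the day someone leaves) can be checked against an export of the center's user list. The script below is an added illustration written for this page; it is not code from the original article or from Eholo. The role-to-permission map, the account records and the departure dates are constructed assumptions, and the field names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Assumed role -> permission map (illustrative; adapt to the center's own roles).
ROLE_PERMISSIONS = {
    "admin_staff": {"agenda", "billing"},
    "therapist": {"agenda", "clinical_record"},
    "management": {"agenda", "billing", "clinical_record", "reports"},
}


@dataclass
class Account:
    username: str
    holders: list       # people who use these credentials; must be exactly one
    role: str
    permissions: set    # what the account can actually open in the software
    active: bool


def audit_access(accounts, departures, today):
    """Return (username, issue) pairs for the three checks in the checklist.

    departures maps a person's name to the date they left the center.
    """
    findings = []
    for acc in accounts:
        # Shared credentials make traceability impossible.
        if len(acc.holders) != 1:
            findings.append((acc.username, "shared_credentials"))
        # Permissions beyond what the role allows.
        extra = acc.permissions - ROLE_PERMISSIONS.get(acc.role, set())
        if extra:
            findings.append((acc.username, "permissions_beyond_role:" + ",".join(sorted(extra))))
        # Someone who has left the center must not keep an active account.
        left = any(departures.get(h) is not None and departures[h] <= today for h in acc.holders)
        if acc.active and left:
            findings.append((acc.username, "departed_but_active"))
    return findings


# Constructed sample data (fictional people and accounts).
ACCOUNTS = [
    Account("a.lopez", ["Ana López"], "therapist", {"agenda", "clinical_record"}, True),
    Account("reception", ["Marta Ruiz", "Luis Gil"], "admin_staff", {"agenda", "billing"}, True),
    Account("j.perez", ["Jorge Pérez"], "admin_staff", {"agenda", "billing", "clinical_record"}, True),
    Account("c.moro", ["Clara Moro"], "therapist", {"agenda", "clinical_record"}, True),
]
DEPARTURES = {"Clara Moro": date(2024, 3, 1)}


def sample_findings():
    """Run the audit on the constructed data as of the day Clara Moro left."""
    return audit_access(ACCOUNTS, DEPARTURES, date(2024, 3, 1))


if __name__ == "__main__":
    for username, issue in sample_findings():
        print(f"{username}: {issue}")
```

Each finding maps directly to a checklist item, so the output doubles as the record of the review; running it on the day a departure is registered gives the "same day" deactivation a concrete trigger.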
2. Backups: information exists only as long as there is a copy
A security breach or technical failure can leave a center without access to years of clinical records. The backup policy is the safety net that prevents this.
Backup checklist:
- Backups are made automatically and with a defined frequency, at least daily for active clinical information.
- The copies are stored somewhere other than the main server, either in the cloud or on a separate physical device.
- Restoration tests are carried out on a regular basis. A copy that has never been tested may not work when needed.
- There is an identified person responsible for supervising that the copies are made correctly.
- The retention period for backups is defined and is consistent with the legal periods for keeping medical records.
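A restoration test is only meaningful if the restored files are compared with what was backed up, not just counted. The script below is an added example for this page, not code from the original article or from Eholo: it backs up a constructed sample folder, restores it into a scratch directory, verifies every file by SHA-256 and checks the copy's age against the daily frequency the checklist asks for. The folder contents and file names are constructed, and the daily limit is taken from the checklist.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# "At least daily" for active clinical information, as the checklist states.
MAX_BACKUP_AGE = timedelta(days=1)


def sha256_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest to verify it against later."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return sha256_manifest(source)


def restore_test(archive: Path, expected: dict) -> bool:
    """Restore the archive into a scratch directory and compare every file hash.

    This is the restoration test the checklist asks for: it proves the copy can
    be read back intact, not just that a file with the right name exists.
    """
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(tmp, filter="data")  # safe extraction on interpreters that support it
            except TypeError:
                tar.extractall(tmp)  # older interpreters without the filter argument
        return sha256_manifest(Path(tmp) / "data") == expected


def backup_is_fresh(archive: Path, now: datetime) -> bool:
    """Check that the copy is not older than the agreed frequency."""
    made_at = datetime.fromtimestamp(archive.stat().st_mtime)
    return now - made_at <= MAX_BACKUP_AGE


def run_demo() -> dict:
    """Build a constructed sample records folder, back it up and verify it."""
    with tempfile.TemporaryDirectory() as work:
        source = Path(work) / "records"
        source.mkdir()
        (source / "patient_0001.txt").write_text("constructed sample record, not real data\n")
        (source / "patient_0002.txt").write_text("another constructed sample record\n")
        archive = Path(work) / "records-backup.tar.gz"
        manifest = create_backup(source, archive)

        # Simulate a damaged copy: the stored manifest says patient_0002 should
        # hash differently from what the archive actually holds.
        corrupted = dict(manifest)
        corrupted["patient_0002.txt"] = "0" * 64

        return {
            "restore_ok": restore_test(archive, manifest),
            "corruption_detected": not restore_test(archive, corrupted),
            "fresh": backup_is_fresh(archive, datetime.now()),
        }


if __name__ == "__main__":
    print(run_demo())
```

Keeping the manifest next to the backup schedule gives the person responsible for supervising the copies something concrete to sign off on each time: the restore either reproduces every hash or it does not.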
3. Providers: the matrix that many centers do not have
Any external company that accesses patient data in the center is a data processor under the GDPR. This includes the management software, the video call platform, the email service, the management service, the cleaning service if it enters spaces where documentation is kept, and any other provider with access to personal information.
With each of them there must be a signed data processing agreement. Without that contract, the center is handing over data without legal coverage.
The provider matrix is a simple table that records, for each provider: what data it handles, for what purpose, where it stores it and whether the data processing agreement has been signed. Keeping it up to date makes it possible to know at all times who the center shares data with and under what conditions.
Provider checklist:
- There is an up-to-date list of all providers with access to personal data.
- Each provider has a signed data processing agreement.
- Providers that store data outside the EU have the additional guarantees required by the GDPR.
- When a provider is discontinued, it is verified that they delete or return the data as agreed.
- The clinical management software complies with the GDPR and has its own signed data processing agreement. If you use Eholo, this point is covered from day one.
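The provider matrix described above can be kept as structured data and checked automatically against the checklist: a missing agreement, storage outside the EU without additional guarantees, or a discontinued provider whose deletion was never confirmed. The code below is an added example for this page, not code from the original article or from Eholo; the provider names and records are constructed, and the column names are hypothetical.

```python
import csv
import io
from dataclasses import dataclass, fields
from typing import Optional


@dataclass
class Provider:
    name: str
    data: str                          # what personal data it handles
    purpose: str                       # why
    storage: str                       # where it is stored
    eu_hosted: bool                    # stored inside the EU/EEA?
    dpa_signed: bool                   # data processing agreement signed?
    transfer_safeguard: Optional[str] = None  # guarantee used for non-EU storage, if any
    discontinued: bool = False
    deletion_confirmed: bool = False   # provider confirmed deletion/return of data


def review_matrix(providers):
    """Return {provider name: [issues]} for every provider that fails a checklist item."""
    issues = {}
    for p in providers:
        found = []
        if not p.dpa_signed:
            found.append("no_data_processing_agreement")
        if not p.eu_hosted and not p.transfer_safeguard:
            found.append("non_eu_storage_without_safeguard")
        if p.discontinued and not p.deletion_confirmed:
            found.append("discontinued_without_deletion_confirmation")
        if found:
            issues[p.name] = found
    return issues


def matrix_as_csv(providers) -> str:
    """Export the matrix as the simple table the text describes."""
    out = io.StringIO()
    writer = csv.writer(out)
    columns = [f.name for f in fields(Provider)]
    writer.writerow(columns)
    for p in providers:
        writer.writerow([getattr(p, c) for c in columns])
    return out.getvalue()


# Constructed sample matrix (fictional providers).
PROVIDERS = [
    Provider("ClinicSoft", "clinical records", "patient management", "EU data center",
             eu_hosted=True, dpa_signed=True),
    Provider("VideoCall Inc", "session audio/video", "online therapy", "US cloud",
             eu_hosted=False, dpa_signed=True),
    Provider("MailHost", "patient emails", "appointment reminders", "EU data center",
             eu_hosted=True, dpa_signed=False),
    Provider("OldBilling", "invoices", "billing", "EU data center",
             eu_hosted=True, dpa_signed=True, discontinued=True),
]


def sample_review():
    return review_matrix(PROVIDERS)


if __name__ == "__main__":
    print(matrix_as_csv(PROVIDERS))
    for name, problems in sample_review().items():
        print(f"{name}: {', '.join(problems)}")
```

The review runs the same three questions the checklist asks, so a provider that appears in the output is one the center should not be sharing data with until the missing piece is in place.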
4. Consent: the basis for processing
Without signed informed consent, the processing of a patient's data has no legal basis. In a center with several therapists, managing this manually creates gaps.
Consent must be specific, informed and verifiable. This means that the patient knows exactly what data is collected, what it is used for and who manages it, and that the center can prove that they signed it and when.
For online therapy, the in-person consent is not enough: an additional specific consent is required that covers the platform used, the conditions of the session and what happens with the recording, if any. More detail in the article on informed consent for psychologists.
Checklist of consents:
- All active patients have signed and archived informed consent.
- Patients who do online therapy have specific consent for that modality.
- Consents are linked to the patient's record and are immediately retrievable.
- There is a defined process for collecting consent from new patients before the first session.
Eholo allows you to manage digital consents and download an informed consent template adapted for psychologists.
5. Security breaches: having the protocol before you need it
A security breach is any incident that compromises the confidentiality, integrity, or availability of personal data. It can be unauthorized access, an email sent to the wrong recipient, a stolen device, or a computer attack.
The GDPR requires that breaches posing a risk to those affected be notified to the Spanish Data Protection Agency (AEPD) within a maximum of 72 hours from the moment the center becomes aware of them. Having the protocol prepared in advance is what makes it possible to meet that deadline.
Breach checklist:
- There is a written protocol that defines what is considered a breach, who manages it and how it is reported.
- The team knows who to report an incident to immediately.
- There is a record of incidents, even if they are minor, in order to demonstrate diligence before an inspection.
- The data controller is aware of the procedure for notifying the AEPD.
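The incident record the checklist asks for can also keep track of the 72-hour clock, so that whoever manages a breach sees at a glance whether a notification is still pending, overdue or was sent on time. The code below is an added example for this page, not code from the original article or from Eholo; the incidents are constructed, the field names are hypothetical, and the decision about whether an incident poses a risk to those affected is left to the person managing it (here a plain flag).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Maximum notification period stated in the text: 72 hours from awareness.
NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class Incident:
    ref: str
    description: str
    became_aware: datetime
    risk_to_data_subjects: bool       # assessed by whoever manages the breach
    notified_at: Optional[datetime] = None


def deadline(incident: Incident) -> datetime:
    return incident.became_aware + NOTIFICATION_WINDOW


def notification_status(incident: Incident, now: datetime) -> str:
    """Classify an incident against the 72-hour window.

    Minor incidents without risk are still recorded (the checklist asks for that)
    but need no notification; everything else is tracked until it is sent.
    """
    if not incident.risk_to_data_subjects:
        return "recorded_no_notification_required"
    if incident.notified_at is not None:
        return "notified_on_time" if incident.notified_at <= deadline(incident) else "notified_late"
    return "pending" if now <= deadline(incident) else "OVERDUE"


def hours_remaining(incident: Incident, now: datetime) -> float:
    """Hours left before the deadline (negative once it has passed)."""
    return (deadline(incident) - now).total_seconds() / 3600


def register_report(incidents, now):
    return {i.ref: notification_status(i, now) for i in incidents}


# Constructed sample register (fictional incidents).
INCIDENTS = [
    Incident("INC-1", "email with report sent to wrong patient",
             datetime(2024, 5, 6, 9, 0), True, notified_at=datetime(2024, 5, 7, 11, 30)),
    Incident("INC-2", "encrypted laptop stolen, no data accessible",
             datetime(2024, 5, 3, 16, 0), False),
    Incident("INC-3", "unauthorized access to records detected",
             datetime(2024, 5, 2, 10, 0), True),
    Incident("INC-4", "USB stick with exports lost",
             datetime(2024, 5, 7, 18, 0), True),
]
NOW = datetime(2024, 5, 8, 12, 0)


def sample_report():
    return register_report(INCIDENTS, NOW)


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(f"{inc.ref}: {notification_status(inc, NOW)} "
              f"({hours_remaining(inc, NOW):.1f} h to deadline)")
```

Because every incident stays in the register whether or not it was notified, the same structure serves as the evidence of diligence the checklist mentions for an inspection.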
If the center uses artificial intelligence tools for clinical record keeping, the specific privacy implications should also be reviewed. Eholo has published information about security and privacy with artificial intelligence applied to psychology.
The GDPR is a habit
Most of the items in this checklist require an initial decision and configuration. Once up and running, maintenance is light: reviewing the provider matrix when a new one comes in, disabling access when someone leaves the center, checking that the backups are working.
To see how Eholo manages the center's security and documentation, here you can see a demo of clinical history and patients.