Why a business risk assessment is important for your practice

Cyber security experts Mel Wilson and Dave Holden recently gave an informative presentation to ACTO members as to why a business risk assessment is important for counsellors and therapists.

Mel and Dave emphasised that risk assessment is about making choices based on the level of risk we are comfortable with, and how we are operating our businesses/private practices.

We may need to include safeguarding, data breaches, supporting overseas clients, our infrastructure (data processing/privacy laws) as well as our clients and what type of environment or culture they are working within. The main question to ask ourselves regarding clients is ‘who are we interacting with?’ and what do we know about them and their environment.

In assessing risks we are not aiming to eliminate all risks, but to identify which risks we are comfortable with, and which we are not.

Risk assessment can be broken down into three main areas:

  • people
  • processes
  • technology
If you are an ACTO member, you can watch a recording of the webinar in the Members Area of the ACTO website. During the webinar, Mel and Dave explained how to assess risks in each of these areas (people, processes and technology), together with tips on social media, screen sharing and more.

To find out how to join ACTO, please get in touch.
Data Cleansing to comply with GDPR – Private Practice Hub

General Data Protection Regulation (GDPR) compliance is important to us. But what is GDPR? In short, it is a legal framework which sets out guidelines for collecting, processing and storing any personal information about others obtained during the course of running your business. GDPR was brought into effect in May 2018 to protect the privacy and security of individuals’ personal and sensitive data.

It is a very broad subject in itself and certainly not one that we will attempt to summarise here. For the purpose of this article, we are going to explore some key points around keeping data clean (by way of data management) for GDPR purposes.

As a professional practitioner there’s a high possibility that any paper and digital records you create and use in your day-to-day practice will contain personal client data. For a start you have client consultation notes, invoices, diary appointments, handwritten notes, treatment plans, referrals … the list goes on, and most of these will contain some kind of personally identifiable information relating to your clients, such as email address, telephone number, health, sexual orientation, religion etc., and therefore GDPR will apply.

During times of change, many therapists will be considering different ways of working, or even just taking the time to review the systems and processes they currently have in place. With GDPR in mind, here are a few of the measures you can put into place to help get you started:

  1. Refresh or familiarise yourself with GDPR – take a look at some basic concepts from the Information Commissioner’s Office (ICO)
  2. Audit the data you have – carry out a quick review of what data you hold and where you keep it
  3. Review the information you hold – data should only be collected for specified, explicit and legitimate purposes, and only be processed in a manner compatible with those purposes
  4. Organise – when gathering information, some data will need to be kept for different periods of time, so consider intended use, legal requirements, how easy or difficult it will be to keep any relevant information up to date, and whether any such data can be anonymised
  5. Storage – any relevant data gathered should be held for a legitimate period of time (no longer and no shorter), for the right purposes, in a safe and secure place … this doesn’t just mean plugging in the shredder and fuelling it with data-rich records!
  6. Implement a data protection policy to ensure and demonstrate compliance – be sure to outline the roles and responsibilities of anyone handling (processing) the data, from collecting, storing, securing and updating through to disposing of it
  7. Consider using a secure practice management system, designed and built to help practitioners comply with GDPR

The Information Commissioner’s Office (ICO) has helpful tools and checklists to improve your knowledge and understanding of data protection compliance, which will help to underpin the information in this article.

If you would like more business advice to support you in running a private practice therapy business, Private Practice Hub is a leading business advice website packed full of free resources.