GDPR For Coaches: Essential Data Protection Rules You Must Follow

If you’re a coach working with clients in the EU or UK, you’ve likely heard about GDPR (General Data Protection Regulation). What you might not know is exactly what this means for your coaching practice — and that’s completely understandable.

The world of data protection can feel overwhelming, especially when legal jargon meets the practical realities of building rapport, taking notes, and supporting clients through their development journey. Yet as coaches, we handle deeply personal information every single day, making data protection not just a legal requirement but an ethical imperative.

In this article, we will explore the essential GDPR principles that apply to coaching practices, break down the practical steps you need to take, and help you build confidence in your data protection approach.

What Is GDPR and Why It Matters for Coaches

GDPR stands for General Data Protection Regulation. It applies to any organisation established in the EU that processes personal data, and to organisations outside the EU that offer services to, or monitor the behaviour of, people in the EU. If you’re based in the UK, the same rules apply under UK GDPR (retained in UK law after Brexit) alongside the Data Protection Act 2018.

As a coach, you process personal data constantly. This includes:

  • Client names and contact details
  • Session notes and coaching records
  • Payment information
  • Personal information shared during sessions
  • Email correspondence
  • Calendar bookings and scheduling data

The key here is to recognise that any information relating to an identified or identifiable individual constitutes personal data. This means virtually everything you collect about your clients falls under data protection rules. Be aware, too, that some of what clients share in sessions (physical or mental health, religion, sexual orientation, trade union membership) is special category data, which needs an additional Article 9 condition on top of your lawful basis; for a coach that condition is usually the client’s explicit consent, so if such topics come up in your notes, that consent should be recorded.

The Six GDPR Principles Every Coach Must Understand

GDPR is built on six fundamental principles that govern how you collect, use, and store client data, plus an overarching accountability principle: you must be able to demonstrate that you comply with the other six, which is why the documentation steps later in this article matter.

1. Lawfulness, Fairness and Transparency

You must have a valid legal reason (called a “lawful basis”) for processing personal data, be fair in how you use it, and be transparent about what you’re doing.

For coaches, the most common lawful basis is legitimate interests — you have a legitimate business interest in processing client data to deliver coaching services. However, you must balance this against your client’s privacy rights, and you should record that balancing exercise. Where the client has signed up to a coaching agreement with you, performance of a contract (Article 6(1)(b)) is an equally valid basis for the processing needed to deliver that agreement; pick one, document it, and use it consistently.

2. Purpose Limitation

You can only collect and use personal data for specific, explicit purposes that you’ve clearly communicated to clients. You cannot suddenly decide to use session notes for marketing research without telling clients and establishing a lawful basis for that new purpose, which in practice usually means fresh consent.

3. Data Minimisation

Collect only the personal data you actually need to deliver coaching services. If you don’t need your client’s date of birth to provide effective coaching, don’t ask for it.

4. Accuracy

Keep client information up to date and accurate. This means regularly reviewing and updating contact details, and correcting any errors in your records.

5. Storage Limitation

Don’t keep personal data longer than necessary. Establish clear retention periods — for example, you might keep coaching records for seven years after the coaching relationship ends, then securely delete them.

6. Integrity and Confidentiality

Protect personal data against unauthorised access, loss, or damage. This covers everything from encrypting and password-protecting your files and devices to ensuring your laptop screen isn’t visible in coffee shops.

Understanding Consent in Coaching

Many coaches assume they need explicit consent for everything they do with client data. Actually, consent is just one of six possible lawful bases under GDPR, and it’s often not the most appropriate one for coaching relationships.

When consent works well:

  • Marketing communications
  • Recording coaching sessions
  • Sharing anonymised case studies
  • Photography for testimonials

When legitimate interests is more appropriate:

  • Taking session notes
  • Processing payments
  • Sending appointment confirmations
  • Maintaining coaching records

The distinction matters because consent must be freely given, specific, informed, and easily withdrawable. If a client withdraws consent for you to keep session notes, your entire coaching relationship becomes unworkable — which suggests consent wasn’t the right lawful basis in the first place.

Essential Data Subject Rights Coaches Must Respect

GDPR grants individuals a set of rights over their personal data (the ICO lists eight, starting with the right to be informed, which your privacy notice satisfies). As a coach, you need to understand these rights and be prepared to respond to requests:

Right of Access

Clients can request a copy of all personal data you hold about them. You must provide this information free of charge within one month of receiving the request; you may extend this by two further months if the request is complex, provided you tell the client within the first month. Verify the requester’s identity before sending anything, and note that you can only charge a fee or refuse where a request is manifestly unfounded or excessive.

Right to Rectification

Clients can ask you to correct inaccurate or incomplete personal data. Update your records promptly when requested.

Right to Erasure (“Right to be Forgotten”)

In certain circumstances, clients can request deletion of their personal data. However, you may have legitimate reasons to retain some information (such as for legal or accounting purposes).

Right to Restrict Processing

Clients can ask you to limit how you use their data while disputes about accuracy or lawfulness are resolved.

Right to Data Portability

Clients can request their personal data in a structured, commonly used, machine-readable format so they can transfer it to another service provider. This right only covers data they gave you that you process by automated means on the basis of consent or contract, so typed notes and booking records held under a contract qualify, while data you hold under legitimate interests does not (the right of access still applies to it).

Right to Object

Clients can object to processing based on legitimate interests. You must stop processing unless you can demonstrate compelling legitimate grounds that override their interests. An objection to direct marketing is absolute: you must stop marketing to that client, with no balancing test.

Rights Related to Automated Decision-Making

Most coaches don’t use automated decision-making systems, but if you do, clients have rights around this processing.

Right to Withdraw Consent

Where processing is based on consent, clients can withdraw this consent at any time, and withdrawing must be as easy as giving it. Strictly this is a condition of valid consent under Article 7(3) rather than a separate data subject right, but handle it through the same request process.

Practical GDPR Compliance Steps for Coaches

Let’s translate these principles into actionable steps for your coaching practice:

1. Create a Privacy Notice

Develop a clear, concise privacy notice that explains:

  • What personal data you collect and why
  • Your lawful basis for processing
  • How long you retain data
  • Who you might share data with
  • Client rights under GDPR
  • How to contact you with data protection queries

Make this available on your website and provide it to new clients before you start collecting their data.

2. Implement Data Security Measures

Essential security steps:

  • Use strong, unique passwords for all systems
  • Enable two-factor authentication where possible
  • Encrypt sensitive files and emails
  • Keep software and security systems updated
  • Use secure, password-protected video calling platforms
  • Lock your devices when not in use
  • Be mindful of your surroundings when handling client data

3. Establish Data Retention Policies

Decide how long you’ll keep different types of data:

  • Coaching records: Often 6-7 years after the relationship ends
  • Financial records: Follow your local accounting requirements
  • Marketing data: Review annually and delete inactive contacts
  • Email correspondence: Apply the same retention period as coaching records

Document these decisions and set calendar reminders to review and delete data when retention periods expire.
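A retention schedule is only useful if something actually checks it. The following is an added example written for this article, not code from the original: it applies per-category retention periods to a small set of constructed client records and reports which are due for secure deletion as of a given date. The category names, the retention years, and the legal-hold flag (for a record you must keep because of an ongoing complaint or accounting obligation) are all illustrative assumptions.

```python
"""Retention-expiry check for a coaching practice's records.

Added example, not from the original article. The record store, the
category names and the retention periods are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed policy: years to retain after the coaching relationship ends.
RETENTION_YEARS = {
    "coaching_record": 7,   # session notes, agreements
    "financial": 6,         # invoices and payment records
    "email": 7,             # kept in step with coaching records
}


@dataclass
class Record:
    client: str
    category: str
    relationship_ended: date
    legal_hold: bool = False  # e.g. live complaint or dispute: do not delete yet


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 Feb falls back to 28 Feb."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record) -> date:
    """Date on which this record's retention period ends."""
    if rec.category not in RETENTION_YEARS:
        # Fail loudly: an undocumented category means an undocumented decision.
        raise ValueError(f"no retention period defined for {rec.category!r}")
    return add_years(rec.relationship_ended, RETENTION_YEARS[rec.category])


def due_for_deletion(records, today: date):
    """Split expired records into those to delete now and those on legal hold."""
    due, held = [], []
    for rec in records:
        if expiry_date(rec) > today:
            continue
        (held if rec.legal_hold else due).append(rec)
    return due, held


def deletion_report(today_iso: str, records=None) -> dict:
    """Client names to delete / to review, keyed for a simple calendar reminder."""
    due, held = due_for_deletion(records or SAMPLE_RECORDS, date.fromisoformat(today_iso))
    return {"due": [r.client for r in due], "held": [r.client for r in held]}


# Constructed sample data (not real clients).
SAMPLE_RECORDS = [
    Record("A", "coaching_record", date(2017, 6, 30)),             # expired 2024-06-30
    Record("B", "financial", date(2019, 3, 1)),                    # expires 2025-03-01
    Record("C", "coaching_record", date(2016, 2, 29), legal_hold=True),  # expired, but held
    Record("D", "email", date(2018, 12, 31)),                      # expires 2025-12-31
]

if __name__ == "__main__":
    print(deletion_report("2025-01-01"))
```

Run it on the first of each month from a calendar reminder; anything under `held` needs a documented reason to keep and a date to review it again, otherwise it has become the "just in case" retention the article warns against.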

4. Set Up Processes for Client Rights Requests

Create simple procedures for handling data subject rights requests:

  • Designate yourself (or someone in your organisation) as the point of contact
  • Develop templates for responding to common requests
  • Set up systems to locate and extract client data quickly
  • Establish verification procedures to confirm the identity of requesters
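Two parts of this procedure can be scripted: working out the response deadline and pulling every record about one client into a structured export. The block below is an added example written for this article, not code from the original. The three in-memory "systems" are constructed sample data standing in for a notes app, a booking tool and invoicing; the deadline calculation follows the ICO's published guidance on the one-month limit (same calendar date next month, last day of that month if it is shorter, next working day if it falls on a weekend or public holiday), with the public-holiday list left for you to supply.

```python
"""Handling a subject access request: response deadline and a structured export.

Added example, not from the original article. The in-memory 'systems' are
constructed sample data; the deadline rule follows ICO guidance on the
one-month time limit, and the holiday list is something you must supply.
"""
import calendar
import json
from datetime import date, timedelta


def response_deadline(received_iso: str, extended: bool = False,
                      holidays: tuple = ()) -> str:
    """ISO date by which you must respond.

    Article 12(3): one month from receipt, extendable by two further months
    for complex or numerous requests (you must tell the client within the
    first month). Same calendar date the following month; if that month is
    shorter, its last day; if the result is a weekend or a holiday in
    `holidays` (ISO strings, assumed input), the next working day.
    """
    received = date.fromisoformat(received_iso)
    idx = received.month - 1 + (3 if extended else 1)
    year, month = received.year + idx // 12, idx % 12 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    deadline = date(year, month, day)
    hols = {date.fromisoformat(h) for h in holidays}
    while deadline.weekday() >= 5 or deadline in hols:
        deadline += timedelta(days=1)
    return deadline.isoformat()


# Constructed sample data standing in for three separate tools (not real clients).
SESSION_NOTES = [
    {"client_id": "c-001", "date": "2024-05-02", "note": "Discussed goals for Q3."},
    {"client_id": "c-002", "date": "2024-05-03", "note": "Career transition planning."},
]
BOOKINGS = [
    {"client_id": "c-001", "start": "2024-05-02T10:00", "platform": "video"},
]
INVOICES = [
    {"client_id": "c-001", "number": "INV-17", "amount_gbp": 120.0},
    {"client_id": "c-002", "number": "INV-18", "amount_gbp": 120.0},
]
SYSTEMS = {"session_notes": SESSION_NOTES, "bookings": BOOKINGS, "invoices": INVOICES}


def locate_client_data(client_id: str, systems=SYSTEMS) -> dict:
    """Every record about one client, grouped by the system it lives in.

    Filtering on client_id keeps other clients' data out of the export; notes
    that mention third parties still need a manual redaction pass.
    """
    return {name: [r for r in rows if r["client_id"] == client_id]
            for name, rows in systems.items()}


def export_record(client_id: str, received_iso: str, systems=SYSTEMS) -> dict:
    """What you hand over, plus the dates you will be held to."""
    return {
        "client_id": client_id,
        "request_received": received_iso,
        "response_due": response_deadline(received_iso),
        "data": locate_client_data(client_id, systems),
    }


def export_json(client_id: str, received_iso: str, systems=SYSTEMS) -> str:
    """JSON is a structured, commonly used, machine-readable format (Art. 20)."""
    return json.dumps(export_record(client_id, received_iso, systems), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(export_json("c-001", "2025-01-31"))
```

Only run the export after you have verified the requester's identity; the script locates and formats the data, it cannot tell you who is asking for it.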

5. Review Your Data Sharing Practices

Consider who else might access client data:

  • Supervision or mentor coaching: Ensure supervisors understand their GDPR obligations
  • Software and service providers (cloud storage, scheduling, email, video calling, invoicing): these are processors acting on your behalf, so you need a written contract containing the Article 28 terms and should choose providers who offer appropriate data protection guarantees
  • Subcontractors: Any coach or professional you refer clients to should also be GDPR compliant
  • Professional bodies: Understand what data you might need to share for complaints or disciplinary processes

Common GDPR Mistakes Coaches Make

Mistake 1: Over-relying on Consent

Using consent as your default lawful basis when legitimate interests would be more appropriate, creating unnecessary complexity.

Mistake 2: Collecting Excessive Data

Asking for information you don’t actually need, violating the data minimisation principle.

Mistake 3: Informal Data Sharing

Casually discussing clients with other coaches without proper safeguards or legal basis.

Mistake 4: Poor Password Practices

Using weak passwords or the same password across multiple platforms, creating security vulnerabilities.

Mistake 5: Indefinite Data Retention

Keeping client data “just in case” without clear retention periods or regular review processes.

Mistake 6: Inadequate Privacy Notices

Using generic templates that don’t reflect your actual data processing activities.

Building GDPR Compliance into Your Coaching Practice

The most effective approach to GDPR compliance is building good data protection practices into your everyday coaching routines:

During client onboarding:

  • Provide your privacy notice
  • Explain how you’ll use their data
  • Obtain any necessary consents (e.g., for recording sessions)
  • Set up secure communication channels

During ongoing coaching:

  • Take only necessary notes
  • Store data securely
  • Be mindful of confidentiality in all settings
  • Regularly review and update client information

When relationships end:

  • Confirm ongoing data storage needs
  • Schedule data deletion according to retention policies
  • Provide final data summaries if requested
  • Securely destroy any physical notes or documents

GDPR for coaches doesn’t have to be overwhelming. The key here is to start with the basics: understand what data you collect, why you need it, and how you’ll protect it. Build simple, practical systems that work for your coaching practice, and remember that good data protection is fundamentally about respecting your clients.

Start by reviewing your current practices against the principles we’ve outlined. Identify any gaps, and address them systematically. Most importantly, don’t let GDPR concerns prevent you from delivering excellent coaching — with the right approach, compliance and great coaching go hand in hand.

References:

  • European Parliament and Council. (2016). Regulation (EU) 2016/679 (General Data Protection Regulation).
  • Information Commissioner’s Office. (2018). Guide to the General Data Protection Regulation (GDPR).
  • UK Parliament. (2018). Data Protection Act 2018.

Photo credit: Photo by Claudio Schwarz on Unsplash