GDPR Audit For Coaches: What Data Are You Actually Collecting?


As coaches, we collect more client data than we might initially realise. From initial enquiry forms to session notes, payment details to progress assessments — the volume of personal information flowing through our coaching practice can be substantial. Yet many coaches operate without a clear understanding of exactly what data they’re collecting, where it’s stored, or how it’s being processed.

This lack of awareness isn’t just an oversight — it’s a GDPR compliance risk that could expose your coaching practice to significant penalties and, more importantly, damage the trust your clients place in you.

In this article, we will guide you through a comprehensive GDPR audit framework specifically designed for coaching practices. We’ll help you identify every piece of client data you collect, assess your current compliance status, and create an actionable plan to address any gaps.

Why Coaches Need a GDPR Audit

The General Data Protection Regulation applies to any coach who processes personal data of individuals in the EU — regardless of where your coaching practice is based. If you have even one client in Europe, or if you’re based in the UK (which retained GDPR post-Brexit), these regulations affect you.

The challenge for coaches is that we often collect data across multiple touchpoints without a systematic overview. A discovery call here, a coaching agreement there, session notes stored in various places — before you know it, personal data is scattered across your entire business ecosystem.

The key here is to approach your data practices with the same systematic thinking you bring to client work.

The Complete Coach Data Audit Framework

Let’s have a look at every area where client data might be hiding in your coaching practice.

Phase 1: Client Acquisition and Onboarding

Discovery Call Process

Start by examining your initial client contact procedures. Do you collect email addresses for scheduling discovery calls? What information do clients share during these conversations, and where do you record it?

Common data collection points include:

  • Contact forms on your website
  • Calendar booking systems (Calendly, Acuity, etc.)
  • Email correspondence
  • Discovery call notes
  • Chemistry session recordings (if applicable)

Coaching Agreements and Contracts

Your coaching agreements likely contain substantial personal information. Review what you collect during the contracting process:

  • Full names and contact details
  • Emergency contact information
  • Health disclosures or medical conditions
  • Professional background and current role
  • Goals and desired outcomes
  • Payment information and billing addresses

Phase 2: Session Management and Documentation

Session Notes and Records

This is often where coaches collect the most sensitive personal data. Your session documentation might include:

  • Detailed notes about personal circumstances
  • Family situations and relationships
  • Work challenges and colleague interactions
  • Mental health references
  • Financial information shared by clients
  • Progress assessments and evaluations

Recording and Transcription

If you record coaching sessions (with client consent), consider:

  • Where recordings are stored
  • Whether you use transcription services
  • How long recordings are retained
  • Who has access to these files

Phase 3: Business Operations and Administration

Payment Processing

Even if you use third-party payment processors, you might still collect:

  • Bank account details for direct transfers
  • Invoice addresses and company information
  • Payment history and outstanding amounts
  • Refund requests and related communications

Communication Platforms

Review all the ways you communicate with clients:

  • Email exchanges (including attachments)
  • WhatsApp or text messaging
  • Video conferencing platforms (Zoom, Teams, etc.)
  • Client portals or coaching platforms
  • Social media interactions

Marketing and Testimonials

Don’t overlook your marketing activities:

  • Newsletter subscriber information
  • Client testimonials and case studies
  • Photography from workshops or events
  • Social media posts featuring clients

The GDPR Audit Assessment Tool

For each data collection point you’ve identified, ask these critical questions:

Lawful Basis Assessment

  • What is your lawful basis for processing this data?
  • Do you have explicit consent where required?
  • Is the processing necessary for contract performance?
  • Are you relying on legitimate interests, and have you balanced these against client rights?

Data Minimisation Review

  • Is all the data you collect actually necessary?
  • Are you keeping information longer than needed?
  • Could you achieve the same coaching outcomes with less data?

Security and Access Evaluation

  • Where is this data stored physically and digitally?
  • Who has access to it?
  • How is it protected against unauthorised access?
  • Do you have backup and recovery procedures?

Client Rights Compliance

  • Can clients easily access their personal data?
  • Do you have procedures for data correction requests?
  • Can you delete client data upon request?
  • Do you have systems for data portability?

Creating Your Action Plan

Once you’ve completed your data audit, you’ll likely identify several areas requiring attention. We recommend prioritising your action plan based on risk level and implementation complexity.

High Priority Actions

  • Remove unnecessary data collection points
  • Implement proper security measures for sensitive information
  • Update privacy policies and client agreements
  • Establish data retention schedules

Medium Priority Actions

  • Create standardised consent procedures
  • Implement access request procedures
  • Train any team members on data protection
  • Review third-party processor agreements

Ongoing Monitoring

  • Schedule regular data audits (we suggest quarterly reviews)
  • Monitor new data collection practices as your business evolves
  • Stay updated on GDPR guidance for coaching practices

Common Compliance Gaps For Coaches

From our experience supporting coaches through GDPR compliance, these are the most frequent issues we encounter:

Over-collection of Information

Many coaches collect extensive personal information “just in case” it might be relevant later. Remember, GDPR requires data minimisation — you should only collect what you actually need for your coaching relationship.

Unclear Consent Mechanisms

Vague statements like “by booking this session, you agree to our terms” rarely meet GDPR’s standard for clear, specific consent. Your clients need to understand exactly what they’re agreeing to.

Inadequate Security Measures

Typical examples are session notes stored in unencrypted documents, client information held in unsecured email accounts, and coaching records saved to personal devices without proper protection. Each of these leaves sensitive client data exposed if the device or account is lost, shared, or compromised.

Missing Data Retention Policies

Without clear policies on how long you keep client information, you risk holding personal data indefinitely — a clear GDPR violation.

Third-Party Processor Confusion

Many coaches don’t realise that using platforms like Zoom, Calendly, or email marketing services makes these companies data processors, requiring proper agreements and due diligence.

Your 30-Day GDPR Audit Schedule

Week 1: Data Mapping

Complete a comprehensive inventory of all client data collection points using the framework above. Don’t rush this stage — thoroughness here will save you significant effort later.

Week 2: Gap Analysis

Use the assessment tool to evaluate each data collection point against GDPR requirements. Document specific compliance gaps and potential risks.

Week 3: Priority Planning

Create your action plan, focusing first on high-risk areas like inadequate security or unnecessary data collection.

Week 4: Begin Implementation

Start implementing your highest-priority actions. This might include updating consent forms, improving data security, or deleting unnecessary client information.

Beyond Compliance: Building Client Trust

While GDPR compliance might seem like an administrative burden, approaching it systematically actually strengthens your coaching practice. Clients who trust you with their personal data are more likely to engage deeply in the coaching process.

Your data audit shouldn’t be a one-time exercise. As your coaching practice evolves — whether you’re adding new services, using different platforms, or expanding into new markets — your data practices must evolve too.

The key here is to embed data protection thinking into your regular business review processes, just as you would with any other aspect of professional practice.

That’s it. You now have a systematic approach to understanding exactly what client data flows through your coaching practice and how to ensure it’s handled in compliance with GDPR requirements.


Photo credit: 1981 Digital on Unsplash