GDPR and Data Use Access Act (DUAA) for UK Hypnotherapy & Hypnotherapists

John Lowson
Apr 14, 2026

Hypnotherapy in 2026: Navigating the Data Use and Access Act (DUAA)

As a hypnotherapist, the relationship you have with your clients is built on a foundation of deep trust and confidentiality. However, that trust isn't just emotional—it's legal. With the Data Use and Access Act 2025 (DUAA) now in full effect, the landscape of UK data protection has shifted.

While the core of the 2018 UK GDPR remains, the DUAA 2025 introduces several refinements designed to make data use more practical while maintaining high standards. If you haven't updated your privacy policy recently, now is the time.

Why the Change? Key Updates in DUAA 2025
The DUAA 2025 doesn't replace the GDPR; it "polishes" it. For therapists, three main changes stand out:

1. "Recognised Legitimate Interests"
Previously, if you wanted to process data under "Legitimate Interests," you had to perform a complex balancing test (a Legitimate Interests Assessment, or LIA) to prove your interests didn't outweigh the client's rights. The 2025 Act introduces Recognised Legitimate Interests. This is a "pre-approved" list of scenarios—including safeguarding vulnerable individuals—where the balancing test is no longer strictly required. This gives you more legal certainty when you need to act quickly to protect a client.

2. A New Right to Complain
The 2025 amendments require you to make it easier for clients to complain directly to you before they go to the ICO. You must provide a clear path for complaints (like an electronic form or a dedicated email) and acknowledge any complaint within 30 days.

3. Subject Access Request (SAR) Clarifications
The DUAA 2025 codifies that your search for a client's data in response to an access request must be "reasonable and proportionate." It also introduces a "stop the clock" mechanism, allowing you to pause the 30-day response timer if you genuinely need more information from the client to fulfil their request.

As a hypnotherapist, do I need ICO registration?
If you are a hypnotherapist practising in the UK and you store client information digitally (even just a name and phone number on a smartphone), you must register with the Information Commissioner's Office (ICO).

Registration involves paying a data protection fee (usually around £40–£60 per year for sole traders). Failing to register is a criminal offence and can lead to significant fines. You can register or renew your status at ico.org.uk.

Next Steps for Your Practice
Update your Policy: Ensure your Privacy Policy specifically mentions the DUAA 2025 and the new safeguarding legal basis.

Check your Security: Ensure your "Technical and Organisational Measures" (like biometric locks on your tablet) are accurately described.

Display your ICO Number: Transparency builds trust. Put your registration number on your website and in your policy.

Click Here for a downloadable template of a 2018 GDPR + 2025 DUAA compliant policy for a UK hypnotherapy practitioner / hypnotherapist.

Disclaimer
This article and the provided policy template are for informational purposes only and do not constitute legal advice. Data protection laws are complex and fact-specific. If you require further clarification or have a complex case, please contact the Information Commissioner's Office (ICO), your professional insurance provider (such as Holistic Insurance or Oxygen), or a qualified GDPR legal specialist.