GDPR for Coaches: What You Need to Know About Client Data

GDPR applies to any coach with EU clients, regardless of where the coach is based. Here's what you actually need to do and what you can stop worrying about.

TL;DR

  • GDPR applies to any coach who handles personal data of people in the EU, regardless of where the coach lives.
  • The core requirements: have a privacy policy, get consent before marketing emails, and handle client data responsibly.
  • Session notes, email addresses, and contact form submissions all count as "personal data" under GDPR.
  • Enforcement actions against small coaching practices are rare, but non-compliance creates real trust problems with EU clients.
  • This article is general information, not legal advice. Consult a qualified attorney or GDPR specialist for your specific situation.

GDPR is one of those topics that makes coaches' eyes glaze over. It sounds like enterprise-level compliance, something for corporations with legal departments, not a solo coach running a virtual practice.

But GDPR for coaches is more relevant than most people assume, and more manageable than the jargon suggests. If you have any clients in the European Union, or if EU residents can find and sign up through your website, GDPR applies to you. Your geography doesn't matter. Theirs does.

The good news: for a typical solo coaching practice, compliance is a few hours of setup, not a legal project. Here's what actually matters.

What GDPR Is and Why It Applies to Coaches

The General Data Protection Regulation (GDPR) is an EU law that has applied since May 2018. It governs how organizations collect, store, use, and delete personal data belonging to people in the EU.

"Personal data" is defined broadly: any information that relates to an identified or identifiable living person. Name, email address, phone number, IP address, session notes, intake form responses, payment information. Nearly everything you collect from clients qualifies. One caveat worth knowing: if your session notes record anything about a client's health, including mental health, that is "special category data" under Article 9. It may only be processed under narrower conditions (for a coach, usually the client's explicit consent) and deserves the tightest protection of anything you hold.

GDPR has extraterritorial reach. You don't have to be based in the EU for it to apply. If you're a coach based in Toronto or Austin and you work with clients in Germany, France, or anywhere in the EU, GDPR applies to how you handle those clients' data.

The regulation gives people in the EU specific rights over their data:

  • The right to know what data you hold about them and what you do with it
  • The right to access their data
  • The right to correct inaccurate data
  • The right to have their data deleted ("right to be forgotten")
  • The right to restrict processing in certain circumstances (for example while a dispute about accuracy is resolved)
  • The right to object to how their data is being used
  • The right to data portability (receive their data in a usable format)

Your job as a coach is to be able to respond to these requests if a client makes them, and to handle data in ways that are transparent, lawful, and minimal.

The GDPR Principles That Actually Matter for Coaches

GDPR is built on several core principles. Most are common sense. Here are the ones most relevant to a coaching practice:

Lawful basis. You need a legitimate reason to process someone's data, and GDPR lists a closed set of them (Article 6). For coaching clients, this is usually "contractual necessity" (you need their data to deliver the coaching service) or "consent" (they explicitly agreed to receive your newsletter). Both are valid. The key is that you can point to which one applies, and that where you rely on consent, the person can withdraw it as easily as they gave it.

Purpose limitation. Collect data for specific purposes and don't use it for other things. If a client gives you their email to receive session reminders, you don't then add them to your marketing list without separate consent.

Data minimization. Only collect what you actually need. Don't ask for a client's home address in your intake form if you never see clients in person and don't need it for billing. The less data you collect, the less you have to protect.

Storage limitation. Don't keep data indefinitely. Define how long you'll keep client records and delete them when that period is up. Many coaches default to "I'll keep client files for X years after the coaching relationship ends" and stick to it.

Security. Protect data from unauthorized access. Use strong passwords, two-factor authentication, and tools that encrypt data in transit and at rest. Don't store sensitive client information in unsecured spreadsheets or in cloud folders whose default sharing settings you have never checked.

What You Actually Need to Do

For a typical solo coaching practice, GDPR compliance comes down to a handful of practical steps:

1. Have a Privacy Policy on Your Website

This is the most visible requirement. Your privacy policy should explain:

  • What data you collect (names, email addresses, payment information, session notes)
  • Why you collect it (to provide coaching services, send newsletters, etc.) and the lawful basis for each purpose
  • How long you keep it
  • Who you share it with (payment processors, email marketing tools, scheduling software)
  • How EU residents can exercise their rights (contact you to request data access, deletion, etc.)

Your policy doesn't have to be long. A clear 500-word document written in plain language is better than a dense 5,000-word legalese document nobody reads. There are GDPR-specific privacy policy generators that can create a starting point you adapt.

2. Get Explicit Consent for Marketing Communications

If someone fills out a contact form on your website or downloads a free resource and you add them to your email list, you need explicit consent for that. Pre-checked boxes don't count under GDPR. An unchecked "Yes, add me to your list" checkbox that the person actively checks does. Consent also has to be demonstrable, so keep a record of when, how, and to what each person consented; a good email tool stores this for you.

If you use an email marketing tool (Mailchimp, ConvertKit, ActiveCampaign), most of these have GDPR compliance features built in, including consent checkboxes and unsubscribe links. Use them.

The rule is simple: if someone hasn't explicitly consented to hear from you, don't market to them.

3. Respond to Data Requests

If an EU-based client emails you saying "I want a copy of all the data you hold about me" or "please delete my information," you have obligations:

  • Right of access: Provide a copy of their data, free of charge, without undue delay and at the latest within one month. You can extend that by up to two further months for complex requests, but you must tell the person within the first month.
  • Right to erasure: Delete their data on the same timeline, subject to exceptions (like data you're legally required to keep for tax purposes).

For a solo coach, responding to these requests is straightforward. Client files, session notes, email records, intake forms. Compile what you have and send it, or delete it. Before you send anything, confirm the request really comes from the client: an access request is a convenient way for someone else to obtain a client's session notes, so reply to the email address or account you already hold for that client rather than to a new one, and ask for confirmation if anything looks off.

The exception for deletion: you can keep records you're required to maintain by law (invoices and payment records for tax purposes, for example) even after a deletion request.
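As an added illustration (not code from this article or from any coaching platform), the following Python script applies the rules above to a constructed client record store: an erasure request that deletes everything except legally retained invoices, a retention sweep that implements the storage-limitation principle, and an export for an access request. The record model, the three-year and seven-year periods, and the sample data are assumptions for the example; the statutory retention period for invoices depends on your tax jurisdiction.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# Hypothetical record model: a solo practice's client data, grouped by the
# purpose it was collected for (constructed for this example).
@dataclass
class Record:
    client_id: str
    kind: str          # "session_note", "intake_form", "email", "invoice"
    created: date
    payload: str


# Retention after the coaching relationship ends, per record kind. Three years
# for coaching material mirrors the article's example; seven years for invoices
# is an assumed statutory period (check the rule for your own tax jurisdiction).
RETENTION_AFTER_END = {
    "session_note": timedelta(days=3 * 365),
    "intake_form": timedelta(days=3 * 365),
    "email": timedelta(days=3 * 365),
    "invoice": timedelta(days=7 * 365),
}

# Kinds that survive an erasure request because a legal obligation requires
# keeping them (GDPR Art. 17(3)(b)). Everything else is deleted on request.
LEGALLY_RETAINED = {"invoice"}


def handle_erasure_request(records, client_id):
    """Delete everything about one client except legally retained records.
    Returns (records_to_keep, audit_log) so the decision is reviewable."""
    kept, log = [], []
    for r in records:
        if r.client_id == client_id and r.kind not in LEGALLY_RETAINED:
            log.append(f"erased {r.kind} dated {r.created.isoformat()} for {client_id}")
        else:
            kept.append(r)
            if r.client_id == client_id:
                log.append(f"retained {r.kind} for {client_id}: legal obligation")
    return kept, log


def apply_retention_policy(records, relationship_end, today):
    """Storage-limitation sweep. relationship_end maps client_id -> date the
    coaching ended; records for clients not in that map are still active and
    are kept. Anything past its retention period is dropped."""
    kept, log = [], []
    for r in records:
        end = relationship_end.get(r.client_id)
        if end is None:
            kept.append(r)
            continue
        expires = end + RETENTION_AFTER_END[r.kind]
        if today > expires:
            log.append(f"expired {r.kind} for {r.client_id} (retention ended {expires.isoformat()})")
        else:
            kept.append(r)
    return kept, log


def export_client_data(records, client_id):
    """Access request: everything held about one client, as plain dicts that
    can be written out as JSON or CSV for the client."""
    return [
        {"kind": r.kind, "created": r.created.isoformat(), "payload": r.payload}
        for r in records
        if r.client_id == client_id
    ]


# Constructed sample data for two fictional clients.
SAMPLE = [
    Record("alice", "intake_form", date(2022, 1, 10), "goals: career change"),
    Record("alice", "session_note", date(2022, 2, 3), "discussed interview prep"),
    Record("alice", "invoice", date(2022, 2, 3), "INV-001 EUR 150"),
    Record("bob", "session_note", date(2024, 5, 1), "discussed delegation"),
    Record("bob", "invoice", date(2024, 5, 1), "INV-002 EUR 150"),
]

if __name__ == "__main__":
    remaining, audit = handle_erasure_request(SAMPLE, "alice")
    print("\n".join(audit))
    remaining, audit = apply_retention_policy(
        remaining, {"alice": date(2022, 3, 1)}, date.today())
    print("\n".join(audit))
    print(export_client_data(remaining, "bob"))
```

The audit log is deliberate: when a client later asks why an invoice still exists after their deletion request, the retained-for-legal-obligation line is the answer you send them.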

4. Know What Third-Party Tools You're Using

Coaching practices typically use a range of tools that process client data: scheduling software, payment processors, email marketing platforms, video conferencing tools. In most cases each of these is a "data processor" under GDPR, a company handling personal data on your instructions, with you as the "controller" who decides what is collected and why.

You don't have to audit every tool in detail. But you should:

  • Know what tools you use and that each has a data processing agreement (DPA) in place; Article 28 requires a written contract between you and any processor. Most reputable SaaS tools publish one that applies automatically or can be accepted in the account settings.
  • Know where they store the data. If a tool keeps EU client data outside the EU (most US-based SaaS does), the provider needs a recognised transfer mechanism such as standard contractual clauses; its DPA normally states which one applies.
  • Mention them in your privacy policy as third parties who may receive client data.
  • Not use tools that store data in insecure ways.

5. Secure Your Data Practices

A few practical security measures cover most of the risk:

  • Two-factor authentication on your email, scheduling software, and anywhere you store client information
  • A password manager so you're using strong, unique passwords
  • Full-disk encryption turned on for your laptop and phone (FileVault, BitLocker, or the phone's built-in encryption), so a lost device is an inconvenience rather than a breach
  • Client files stored in an encrypted or access-controlled folder, not an unprotected shared drive
  • A screen lock on your laptop if you work in public spaces

Nothing complex. Just basic hygiene applied consistently. One more obligation to know about: if client data is lost or exposed (a stolen unencrypted laptop, session notes emailed to the wrong person), GDPR requires you to notify the supervisory authority within 72 hours unless the breach is unlikely to pose a risk to the people affected, and to tell the clients themselves if the risk to them is high. Device encryption is what lets you honestly call a lost laptop "unlikely to pose a risk".

What About UK Coaches and UK Clients?

The UK left the EU in 2020, but the UK retained equivalent data protection legislation called UK GDPR, which mirrors the EU version in most respects. If you're a UK coach, UK GDPR applies to how you handle any client data. If you have UK-based clients, UK GDPR applies to you regardless of where you're based.

For practical purposes, compliance with EU GDPR largely covers UK requirements. The UK Information Commissioner's Office (ICO) is the regulatory body for UK data protection.

US-Based Coaches: State Privacy Laws

Even if you don't have EU clients, US state laws are creating similar (if narrower) data privacy requirements.

California Consumer Privacy Act (CCPA): Gives California residents rights similar to GDPR. Applies to businesses above certain revenue or data-volume thresholds. Most solo coaching practices fall below the thresholds, but if you're growing, it's worth knowing.

Other states: Virginia, Colorado, Connecticut, Utah, and others have passed state privacy laws. The requirements are less prescriptive than GDPR in most cases, but the trend is toward more protection for consumers, not less.

Having a clear privacy policy and transparent data practices covers you reasonably well across most US state requirements, even if it doesn't make you technically compliant with every nuance.

What GDPR Violations Actually Look Like for Coaches

Here's the realistic picture: major GDPR enforcement has targeted large tech companies and data brokers, not individual coaches. The fines that made headlines (Google's €50 million fine, Amazon's €746 million fine) are not the scale of enforcement you need to worry about.

That said, smaller enforcement actions do happen. And beyond regulatory penalties, there's a more immediate concern: client trust.

EU clients, especially in corporate or professional contexts, are increasingly aware of data privacy rights. A coaching practice that has no privacy policy, adds people to email lists without consent, or handles client data carelessly looks unprofessional and creates friction in the client relationship.

The business case for basic GDPR compliance isn't primarily about avoiding fines. It's about meeting the reasonable expectations of the clients you're working with.

The Practical Compliance Checklist for Coaches

Run through this:

  • Privacy policy live on your website, covering what you collect, why, and how to make requests
  • Consent mechanism on email sign-up forms (explicit opt-in, not pre-checked box)
  • Ability to respond to a data access or deletion request within one month
  • Third-party tools you use are documented and reasonably secure
  • Client data stored securely (not in publicly accessible spreadsheets)
  • A rough data retention policy (e.g., "I keep client files for 3 years after the coaching relationship ends, then delete them")

That's the core of it. Most coaches can implement this in a few hours across one afternoon.

For the broader picture of legal documentation in your coaching practice, the coach's legal toolkit covers contracts, disclaimers, and the full document stack. And if you want to understand your obligations around coaching confidentiality agreements, that's a natural next step in thinking about how you handle client information.

Disclaimer: This article provides general educational information about GDPR as it relates to coaches. It is not legal advice and does not constitute a compliance certification. GDPR and other privacy laws are complex, and your specific situation may have different requirements. Consult a qualified attorney or data protection specialist for advice specific to your practice.
