Date: 22nd January 2026

Subject: Urgent Update regarding GDPR, Digital Infrastructure, and Insurance Liability.

1. Summary

It occurred to me how little Herbalists understand of GDPR and any subsequent responsibilities we have as practitioners handling sensitive health data. The regulatory landscape for Complementary and Alternative Medicine (CAM) has shifted. As Herbalists, we are not merely sole traders; under Article 9 of the GDPR (shared between UK & EU), we are “High-Risk Data Controllers” processing Special Category Data (health and genetic history).

Recent changes to standard insurance policies (Balens/Lloyds), combined with stricter enforcement from the ICO (UK) and DPC (Ireland), mean that common administrative habits, specifically the use of free email services, pose an existential threat to practice liability and GDPR / UK-GDPR compliance.

It is apparent that many professional herbalists do not fully understand the implications of using the likes of their personal email for patient interactions. In addition, they are required to have DPAs with all existing web services they use to interact with patients or to store patient data. Professional Associations are advised to alert their practitioners to ensure their practices are compliant. It is ultimately the practitioner’s responsibility to ensure that they are compliant.

2. The “Free Email” Trap (The Article 28 Breach)

The most widespread compliance failure in our profession is the use of free email accounts (e.g., @gmail.com, @yahoo.com, @hotmail.com) for patient correspondence.

  • The Law: Article 28 of the GDPR requires a binding Data Processing Agreement (DPA) between you (the Controller) and your email provider (the Processor). This may come under the name Data Processing Addendum when added automatically to service agreements you sign up to.
  • The Problem: Free consumer services do not provide a DPA. They operate under consumer Terms of Service which often allow data scanning for advertising.
  • The Risk: Using a free account for health data is technically an unlawful data transfer. In the event of a breach, the ICO/DPC can penalize you for negligence.

Action Required:

You must use a business-grade solution where a DPA is signed or included in the terms.

  • Non-Compliant: Free Gmail, Yahoo, Hotmail, AOL.
  • Compliant (With Setup): Google Workspace (Paid), Microsoft 365 (Business), Proton Mail (Business), Tuta (Business). Note: You must often actively accept the DPA in the admin settings.

3. Insurance Reality Check: The Lloyds Transfer

Practitioners renewing with Balens are now underwritten by Lloyd’s Insurance Company S.A. (previously AXA XL). This transition introduces critical restrictions [1]:

  1. Reduced Coverage: “Breach of Confidentiality” is no longer covered up to the full policy limit. It is now often sub-limited (capped) at €250,000 (aggregate). A significant data breach could easily exceed this cost in legal fees and notifications.
  2. The “Cyber” Exclusion: New policies often contain “Cyber & IT exclusions.” If a breach occurs due to a cyber-attack (e.g., phishing on a free Gmail account), the insurer may deny the claim, leaving the practitioner personally liable for all damages.

4. The “Two-Lock” System: Stopping the Consent Error

Many herbalists incorrectly use “Consent” as their legal basis for keeping records. This is dangerous because consent can be withdrawn, but you are legally required to keep records for 7 years.

Adopt the Correct Legal Basis:

  • Lock 1 (Lawful Basis): Use Article 6(1)(b) Contract. You are processing data to fulfill the treatment contract.
  • Lock 2 (Condition for Health Data): Use Article 9(2)(h) Provision of Health & Social Care. This applies because you are subject to a professional code of confidentiality (e.g., NIMH, IRH Code of Ethics) [22]. Article 9(2)(a) applies to independent herbalists.

5. Immediate Action Checklist

  • [ ] Audit Email: If your email ends in @gmail or @yahoo, migrate immediately to a paid, DPA-compliant service (e.g., Google Workspace, Proton, MS 365).
  • [ ] Check Insurance: Read your schedule. Look for “Cyber Exclusions” and check your “Breach of Confidentiality” sub-limit. Consider standalone Cyber Insurance.
  • [ ] Regulatory Fees:
      • UK: Ensure you have paid the ICO Data Protection Fee (approx. £40). The “Accounts and Records” exemption does not apply to health data [5].
      • Ireland: Ensure you maintain a “Record of Processing Activities” (ROPA), as the exemption for small businesses does not apply to health data processors [10].
  • [ ] Privacy Notice: Update your patient forms to cite “Contract” and “Provision of Health Care” rather than “Consent” for record-keeping.

Selected References

  1. Balens / Lloyds Insurance Company S.A. Policy Documentation (EU Renewal 2024/2025).
  2. ICO Data Protection: Is it Mandatory for All Businesses? – Training Express, accessed on January 23, 2026, https://trainingexpress.org.uk/ico-data-protection-is-it-mandatory-for-all-businesses/
  3. Guidance for SMEs – Data Protection Commission, accessed on January 23, 2026, http://www.dataprotection.ie/en/dpc-guidance/guidance-for-smes
  4. Code of Ethics / Constitution – Irish Register of Herbalists, accessed on January 23, 2026, https://irh.ie/code-of-ethics-constitution/
  5. NIMH Code of Ethics | PDF – Scribd, accessed on January 23, 2026, https://www.scribd.com/document/673947034/1-NIMH-Code-of-Ethics
  6. General Data Protection Regulation: What it means for NIMH members, accessed on January 23, 2026, https://nimh.org.uk/wp-content/uploads/2020/01/General-Data-Protection-Regulation-for-NIMH-members-1.pdf
  7. Art. 28 GDPR – Processor – General Data Protection Regulation (GDPR), accessed on January 23, 2026, https://gdpr-info.eu/art-28-gdpr/
  8. GDPR: Where to get a DPA (Data Processing Agreement Art 28.) for GSuite Gmail and Gmail free version? – Reddit, accessed on January 23, 2026, https://www.reddit.com/r/gdpr/comments/8j6hhb/gdpr_where_to_get_a_dpa_data_processing_agreement/