Best Practice – What to do with Client records in the case of Retirement, Long-Term Illness or Business Closure

What to do with Client records in the case of Retirement, Long-Term Illness or Business Closure

We have recently been made aware of a Member who stopped their NLP business and asked if the records they had kept of their client sessions should be destroyed. 

It’s a good question and there could be a variety of reasons why you may need to consider what to do with your client records if your circumstances change and you are no longer practising.

GDPR and DPA (2018)

Both the European General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) require you to, where possible, let the affected people (clients) know that you are closing the business and that they have a set period of time in which they can request all data that you hold, relating to them, to be securely sent to them.  This is their right under GDPR and DPA.  (https://ico.org.uk/for-organisations/advice-for-small-organisations/frequently-asked-questions/data-storage-sharing-and-security/#whatdata accessed 12/02/2025).  

Here's the information direct from the Information Commissioner’s Office (ICO) website (link above):

“I'm closing down my small business. Do I have to let people know I’ll no longer be holding their data?

Yes, if you can.  It’s good practice to let people know your business is closing down and you’re not holding their data any longer.  This shows people that you value their information even when you no longer need it.  It also allows them time to raise any concerns or requests with you.

For some businesses, this will be straightforward and won’t take long.  For others, it’s easier said than done.  If you’re in this position, it’s a balance between the effort it would take to let them know and, based on the type of information you hold about them, how important it is to contact them.

For example, you might not be able to contact your customers easily because you no longer have access to their information.  If the information you hold is sensitive personal data, such as medical information, then there may be more of a necessity to try and contact them than if the information you hold is limited to name and address details.  But this should be an exception, rather than a rule, and you’ll need to be confident you can justify your decision.”

There is more information available using the link above.

What is ‘Best Practice’ in this situation?

First and foremost, it is vital that you keep all detailed records of interactions you have with clients secure.  If you have paper-based records, the best ways to keep these secure are in a locked, fire-proof filing cabinet or a firesafe.  If you keep electronic records, then these should be ideally stored in a secure cloud (Microsoft OneDrive, Google Drive, DropBox, etc.) with strong password protection.  If you store records on a PC, laptop, Apple Mac, iPad, tablet, etc. then the device and/or folder or storage area must also be password protected and regularly backed up to a separate device (also password protected!).

If the business is closing, then you can give notice to your clients (anything from 14 to 30 calendar days is fine), advising them that you will no longer be storing their data and that the records will be destroyed after this time.   This will allow them to request their data from you.  If they do not and the deadline date passes, you must destroy the paper-based (shred or burn) or electronic data (delete and delete from any trash or recycle facilities you may have).

You can find more details here: https://ico.org.uk/for-organisations/advice-for-small-organisations/whats-new/blogs/practical-methods-for-destroying-documents-that-are-no-longer-needed/

If the business owner passes away, the advice above still applies.  Again, the ICO guidelines can be found here:

https://ico.org.uk/for-organisations/advice-for-small-organisations/frequently-asked-questions/data-storage-sharing-and-security/#soletrader