Why GDPR Applies to Business Coaches
Business coaching is a deeply personal profession. Coaches work with clients on their goals, challenges, finances, careers, and mindset. That means you handle a significant amount of personal data — and under the General Data Protection Regulation (GDPR), you have legal obligations around how you collect, store, and use it.
GDPR applies to any individual or organisation that processes personal data about people in the European Union, regardless of where the coach is based. If you work with clients in the UK, EU, or EEA, GDPR (or UK GDPR) applies to you.
Many business coaches assume GDPR is only for large organisations. In reality, sole traders and small coaching practices are data controllers under GDPR and carry the same fundamental obligations.
What Data Do Business Coaches Collect?
Business coaches handle a surprisingly wide range of personal data:
- Client contact details — name, email address, phone number, business address
- Company information — business name, role, industry, company size, turnover
- Financial goals and challenges — revenue targets, debt, cashflow issues, salary expectations
- Session notes and coaching records — notes taken during or after coaching sessions
- CRM records — client history, communication logs, follow-up reminders
- Contracts and invoices — signed coaching agreements, payment records
- Testimonials and case studies — written feedback or results shared with client consent
- Video or audio recordings — recorded coaching sessions, where consent has been given
Legal Bases for Processing Client Data
Under GDPR, you must have a lawful basis for every type of data processing. For business coaches, the two most relevant bases are contract performance and legitimate interests.
Contract Performance: When a client signs a coaching agreement, you can process their personal data to the extent necessary to deliver the service.
Legitimate Interests: This can cover activities like keeping records of past clients for business purposes, following up with former clients, and processing data for administrative purposes.
Email Marketing and Newsletter Lists
GDPR and PECR impose clear rules on email marketing. For existing clients, the soft opt-in rule may apply. For new contacts and prospects, you need freely given, specific, informed, and unambiguous consent before sending marketing emails.
Every marketing email must include an easy way to unsubscribe, and you must honour opt-out requests promptly.
Online Coaching Platforms as Data Processors
When you share client data with tools like Zoom, Slack, CRM systems, or coaching apps, those platforms become data processors acting on your instructions. You should sign Data Processing Agreements with each and document them in your records of processing activities.
Client Confidentiality vs GDPR Obligations
Coaching relationships are built on trust and confidentiality. GDPR adds a legal layer to this professional obligation. If you receive a Subject Access Request from a client, you must provide their data — including session notes — within 30 days.
Data Retention for Coaching Practices
- Contracts and signed agreements — retain for at least six years after the contract ends
- Invoices and financial records — keep for at least six years (HMRC requirement)
- Session notes — delete once the coaching programme and any follow-up period have ended
- Marketing consent records — keep for as long as you are marketing to that person
Privacy Policy for Coaching Websites
Your coaching website needs a privacy policy explaining how you collect and use visitor and client data. It should cover what data you collect, why, who you share it with, and how long you keep it.
Practical GDPR Compliance Checklist
- Register with the ICO as a data controller (UK)
- Document personal data in a Records of Processing Activities
- Ensure your coaching contract includes a privacy notice
- Sign Data Processing Agreements with all third-party tools
- Review your email marketing list for valid consent
- Publish a compliant privacy policy on your website
- Add a cookie consent banner if you use analytics
- Implement a process for handling Subject Access Requests
- Store client files and session notes securely
- Set retention periods and schedule regular deletion reviews
Start with a free website scan at app.custodia-privacy.com to see exactly what your coaching website is doing with visitor data.