Digital consent forms for UK aesthetics clinics: what GDPR and CQC actually require
Most aesthetics practitioners know they need consent forms. Not all are confident they have the right content in them — or that storing them in a folder on the computer or a filing cabinet is actually compliant.
This article explains exactly what UK law requires, what should be in your forms, and how to store everything properly.
Why this matters more than you might think
Client health data is what UK GDPR calls "special category data." This category — which includes health conditions, medical history, and treatment records — gets the highest level of protection under the law.
Processing special category data without explicit, documented consent exposes you to ICO fines of up to £17.5 million or 4% of global turnover. For a small aesthetics clinic, even a minor breach investigation can be costly in time and stress.
Beyond GDPR, proper consent documentation protects you if a treatment outcome is ever disputed. The burden of proof in a complaint is on you to demonstrate that the client understood and agreed to the treatment, the risks, and the aftercare.
Paper forms in a filing cabinet are not sufficient. They can be lost, they are not searchable, and they don't automatically timestamp when the client signed.
What must be in your consent forms
Every client consent form for an aesthetics treatment should include these sections.
Personal details. Full name, date of birth, contact information. Confirm the client is over 18 (or has parental consent if a minor is receiving a permitted treatment).
Medical history. This is the most important section. Include:
- Current medications (including blood thinners, immunosuppressants, retinoids)
- Allergies and sensitivities (particularly to anaesthetics, latex, specific ingredients)
- Skin conditions (eczema, psoriasis, rosacea, active acne)
- Autoimmune conditions
- History of cold sores (relevant for lip fillers)
- Pregnancy or breastfeeding
- Any previous aesthetic treatments and reactions
- Current health conditions relevant to the treatment
Contraindication acknowledgement. A specific section confirming the client has declared all relevant medical information and understands that providing false information releases the practitioner from liability.
Treatment explanation. What the treatment involves, what results to expect, and the realistic timeline.
Risk disclosure. The specific risks of the treatment being performed. Generic "some people experience side effects" is not sufficient. List the actual risks: bruising, swelling, asymmetry, migration (for fillers), paradoxical reactions.
Aftercare instructions. What the client should and should not do following the treatment.
Photography consent. A separate clear consent for before-and-after photographs, specifying how they will be used (clinical record only / with anonymisation / for marketing). These are separate from the treatment consent and can be declined independently.
GDPR consent. How you will store and use their data, their right to access or delete their records, and who has access to their information.
Signature and date. The date must be timestamped — not just the day but ideally the time.
Treatment-specific forms vs one generic form
One generic consent form is not sufficient for a clinic offering multiple treatments.
A client having a chemical peel needs to consent to the specific risks of that treatment. A client having lip fillers needs a form specific to the risks of injectable treatments. A client having laser hair removal needs a different form again.
Best practice is to have:
- A general client health questionnaire (completed on first visit and updated at subsequent visits)
- Treatment-specific consent forms for each category of treatment
The general health questionnaire should be reviewed and re-confirmed at each visit — conditions and medications change.
How to store consent forms compliantly
Data must be encrypted at rest and in transit. Storing forms on an unencrypted laptop or in a shared Dropbox folder is not compliant.
Access must be restricted. Only the practitioners who need to see a client's medical records should have access. If you have a receptionist, they should not have access to clinical notes unless there is a legitimate reason.
Data must be stored in the UK or EEA. Post-Brexit, UK data must not be transferred to countries without an adequacy agreement.
Clients must be able to request their data. Under the right of access, a client can request a copy of all data you hold on them. You must be able to produce this within 30 days.
Clients must be able to request deletion. Under the right to erasure, a client can ask you to delete their data. However, this can be refused if you have a legitimate legal obligation to retain records (which you likely do for clinical liability reasons — document your reasoning if you retain records despite a deletion request).
Using ReeveOS for aesthetics compliance
ReeveOS includes a consultation form system built specifically for aesthetics clinics:
- 6-section consultation form covering all required medical history fields
- Treatment consent forms (2A–2D) with treatment-specific risk disclosure
- Contraindication matrix: 20 conditions × 5 treatments with automatic BLOCK, FLAG, or OK logic
- AES-256-CBC encrypted storage for all form submissions
- GDPR-compliant audit trail with timestamps
- Distribution via link, QR code, automated email, or client portal
- 6-month validity — clients are prompted to re-confirm their health information
The contraindication checking is the feature that matters most in practice. If a client completes their health questionnaire and indicates they are on blood thinners, the system automatically flags this for filler treatments and blocks certain treatments from being booked. This removes the risk of human error in reviewing forms manually.
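As an added illustration of the automatic checking described above (example code written for this article, not ReeveOS's own implementation), the following evaluates a submitted health questionnaire against a contraindication matrix, returns the most restrictive outcome per treatment with the rules that caused it, and writes a timestamped audit record. The conditions, treatments and OK/FLAG/BLOCK rules in it are constructed placeholders for a small subset of the 20 × 5 matrix, not clinical guidance.

```python
# Added example, not ReeveOS code: a contraindication matrix check of the kind the
# article describes. Conditions, treatments and the OK/FLAG/BLOCK rules below are
# constructed placeholders, not clinical guidance.
from datetime import datetime, timezone

# Ordering used to pick the most restrictive outcome across declared conditions.
SEVERITY = {"OK": 0, "FLAG": 1, "BLOCK": 2}

# Constructed subset of a matrix: declared condition -> per-treatment outcome.
# A treatment not listed under a condition is treated as OK.
MATRIX = {
    "blood_thinners": {"dermal_filler": "FLAG", "lip_filler": "FLAG"},
    "cold_sores":     {"lip_filler": "FLAG"},
    "pregnancy":      {"dermal_filler": "BLOCK", "lip_filler": "BLOCK",
                       "chemical_peel": "BLOCK", "laser_hair_removal": "BLOCK"},
    "active_acne":    {"chemical_peel": "FLAG"},
}
TREATMENTS = ("dermal_filler", "lip_filler", "chemical_peel", "laser_hair_removal")


def check_contraindications(declared, treatment):
    """Return (outcome, reasons) for one treatment given the client's declared
    conditions. The most restrictive rule wins; every contributing rule is kept
    so the practitioner can see why a booking was flagged or blocked."""
    outcome, reasons = "OK", []
    for condition in sorted(declared):
        rule = MATRIX.get(condition, {}).get(treatment, "OK")
        if rule != "OK":
            reasons.append(f"{condition}: {rule}")
        if SEVERITY[rule] > SEVERITY[outcome]:
            outcome = rule
    return outcome, reasons


def evaluate_questionnaire(client_id, declared):
    """Evaluate every treatment and build a UTC-timestamped audit record, so the
    decision and its basis are captured at submission time, not reconstructed later."""
    results = {t: check_contraindications(declared, t) for t in TREATMENTS}
    return {
        "client_id": client_id,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "declared": sorted(declared),
        "decisions": {t: outcome for t, (outcome, _) in results.items()},
        "reasons": {t: why for t, (_, why) in results.items() if why},
    }


if __name__ == "__main__":
    # Constructed questionnaire: client on blood thinners with a cold-sore history.
    record = evaluate_questionnaire("client-0001", {"blood_thinners", "cold_sores"})
    for treatment, decision in record["decisions"].items():
        print(f"{treatment:20s} {decision:5s} {record['reasons'].get(treatment, [])}")
```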