An internal LOPDGDD audit at a psychology practice is no formality: it is the difference between catching a flaw and fixing it yourself, or having the AEPD catch it, with fines for health-data infringements that can run to tens of thousands of euros.

This guide provides a practical checklist to audit data-protection compliance at your psychology practice in Spain, spot gaps and leave documentation ready in case of inspection or breach.

Why a psychology practice must audit itself

Three reasons:

  • You handle special-category data (health) subject to the reinforced regime of GDPR art. 9.
  • You have several professionals accessing files: traceability is mandatory.
  • The AEPD inspects reactively (patient complaints) and, increasingly, proactively in the healthcare sector.

An annual internal audit is the cheapest way to avoid surprises.

Documentation that must exist and be up to date

  1. Detailed Record of Processing Activities (RPA/RAT).
  2. Privacy policy published and reviewed.
  3. Clauses in informed consent and web sign-up forms.
  4. Data-processing agreements with: clinical software, hosting, accountant, email/SMS platform, healthcare messaging.
  5. Risk analysis and, where applicable, data-protection impact assessment (DPIA).
  6. Security breach register (even if empty).
  7. Procedure for exercising rights (access, rectification, erasure, portability, objection, restriction).

Access, roles and traceability in clinical software

  • Each professional with a named account (no shared accounts).
  • Differentiated roles (clinical director, therapist, reception, accounting).
  • Mandatory 2FA on accounts with access to clinical records.
  • Activity log retention for at least 24 months.
  • Password policy (minimum 12 characters, no reuse across services, rotation at least every 12 months and immediately on any suspicion of compromise).
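The controls in the list above are only useful if someone actually reads the activity log, which is exactly the pitfall noted later in this guide. The following script is an added example written for this page, not code from My Psico Agenda or any other product: it takes an activity-log export and flags the things an auditor looks for first: actions outside the role's permissions, one account in use from two addresses minutes apart (a likely shared login), clinical records opened out of hours, and a log that does not reach back the 24 months the checklist asks for. The CSV columns, the permission matrix, the working hours and the sample rows are all assumptions; adapt them to your software's real export.

```python
"""Audit an activity-log export against the access checklist.

Added example for this page (not vendor code). The CSV layout
(timestamp, account, role, ip, action, record), the permission matrix,
the working hours and the sample rows below are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta

# Assumed permission matrix: which actions each role may perform.
ALLOWED = {
    "clinical_director": {"view_note", "edit_note", "view_invoice", "export"},
    "therapist": {"view_note", "edit_note"},
    "reception": {"view_agenda", "edit_agenda"},
    "accounting": {"view_invoice"},
}
CLINICAL_ACTIONS = {"view_note", "edit_note", "export"}  # touch clinical records
WORK_HOURS = (8, 21)                 # assumed opening hours; outside is flagged
SHARED_WINDOW = timedelta(minutes=10)  # same account, different IP, this close
RETENTION = timedelta(days=730)      # 24 months of log history required

# Constructed sample export (not a real log). Rows are deliberately planted:
# a reception login hopping between IPs, reception opening a clinical note,
# a therapist reading notes at 02:15 and accounting running an export.
SAMPLE_LOG = """timestamp,account,role,ip,action,record
2024-03-01T09:12:00,ana.lopez,therapist,10.0.0.11,view_note,P-0412
2025-11-03T10:05:00,reception,reception,10.0.0.20,view_agenda,
2025-11-03T10:07:00,reception,reception,10.0.0.31,edit_agenda,
2025-11-03T10:40:00,reception,reception,10.0.0.20,view_note,P-0412
2025-11-04T02:15:00,ana.lopez,therapist,10.0.0.11,view_note,P-0099
2025-11-04T11:00:00,m.ruiz,accounting,10.0.0.40,view_invoice,F-2025-118
2025-11-04T11:30:00,m.ruiz,accounting,10.0.0.40,export,
"""


def parse_log(text):
    """Parse the CSV export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["ts"])


def audit(text, now_iso):
    """Return a list of (check, detail) findings for the export.

    now_iso is the audit date as an ISO string, passed in so the
    retention check is reproducible.
    """
    now = datetime.fromisoformat(now_iso)
    rows = parse_log(text)
    findings = []
    last_seen = {}  # account -> (timestamp, ip) of its previous action
    for r in rows:
        who = f'{r["account"]} ({r["role"]})'
        what = f'{r["action"]} on {r["record"] or "-"} at {r["timestamp"]}'
        # 1. Role/permission matrix: action not allowed for this role.
        if r["action"] not in ALLOWED.get(r["role"], set()):
            findings.append(("role_violation", f"{who} did {what}"))
        # 2. Clinical record touched outside opening hours.
        if r["action"] in CLINICAL_ACTIONS and not (WORK_HOURS[0] <= r["ts"].hour < WORK_HOURS[1]):
            findings.append(("out_of_hours", f"{who} did {what}"))
        # 3. Same account from a different IP within a short window: shared login?
        prev = last_seen.get(r["account"])
        if prev and prev[1] != r["ip"] and r["ts"] - prev[0] <= SHARED_WINDOW:
            findings.append(("possible_shared_account",
                             f'{r["account"]} used from {prev[1]} and {r["ip"]} within {SHARED_WINDOW}'))
        last_seen[r["account"]] = (r["ts"], r["ip"])
    # 4. Retention: the export must reach back at least 24 months.
    if rows and now - rows[0]["ts"] < RETENTION:
        findings.append(("retention_gap",
                         f'oldest entry {rows[0]["timestamp"]} covers less than {RETENTION.days} days before {now_iso}'))
    return findings


if __name__ == "__main__":
    for check, detail in audit(SAMPLE_LOG, "2025-12-01T00:00:00"):
        print(f"[{check}] {detail}")
```

Run it monthly against a fresh export and file the output with the audit report; a log that is reviewed on a schedule is the evidence of traceability the AEPD expects, not the mere existence of the log.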

If your current software doesn't allow logs or roles, consider migrating: My Psico Agenda's practice schedule includes permissions and audit logs by default.

Processors: who touches your data

  • Clinical software (EU-hosted servers).
  • Website hosting and corporate email.
  • Payment gateways (e.g. Stripe). Bizum payments run through your bank, which handles them as a controller in its own right rather than as your processor.
  • SMS/WhatsApp platform for reminders.
  • Tax and labour accountancy firm.
  • Cleaning service with office access (yes, also: staff who can reach paper files or unlocked screens).

Each processor must have a signed processing agreement under GDPR art. 28. The cleaning service does not process data on your behalf, so for it a signed confidentiality and access undertaking is the right instrument, not an art. 28 agreement.

Breaches, rights and notifying the AEPD

  • Any unauthorised access, disclosure, alteration or loss of data, including loss of availability (ransomware, a crashed server without backup), is a breach.
  • Deadline: notify the AEPD within 72 h of becoming aware, unless the breach is unlikely to result in a risk to the rights of affected individuals.
  • Inform affected patients without delay if the risk is high.
  • Always document, even if you don't notify externally.

Team training and culture

  • Mandatory initial training for every new employee.
  • Annual best-practices refresher.
  • «Clean desk» policy and screen lock under 5 min.
  • Explicit ban on personal WhatsApp for clinical records.
  • Incident-response plan with contact numbers and steps.
💡 Tip. Run a breach drill once a year (e.g. stolen laptop) and measure how long it takes the team to notify it correctly.

Common pitfalls in practice audits

  1. Having documents copied from another clinic without adapting to your treatments.
  2. Outdated RPA after adding a telepsychology platform.
  3. No agreement with the accountancy firm that sees invoices with patient data.
  4. Logs enabled but nobody reviews them.
  5. No written rights-exercise procedure.

Frequently asked questions

We answer the most frequent questions on LOPDGDD/GDPR audits at psychology practices in 2026.

Do I need a Data Protection Officer (DPO)?

Yes, for a practice with several professionals. Beyond GDPR art. 37 (large-scale processing of health data), LOPDGDD art. 34 explicitly lists healthcare centres that are legally obliged to keep clinical records among the entities that must appoint a DPO; only a healthcare professional practising individually is exempted. In practice the AEPD treats a practice with several professionals handling the clinical data of hundreds or thousands of patients as obliged.

How often should I audit internally?

Full annual audit, quarterly documentation review, breach drill once a year. After any major change (new software, merger), an immediate partial audit.

Can I reuse GDPR templates from the internet?

Only as a starting point. Each practice has different processing activities (telepsychology, assessments, EAP, child-adolescent) and standard templates fall short. Adapt them rather than copy.

Can an AEPD fine be covered by professional liability?

Administrative fines are usually excluded. Some policies cover legal defence and fees, but the fine is paid by the practice. More in professional liability.

How do I prove to the AEPD that I've audited myself?

With a dated internal report, an updated RPA, incident log, documented training and signed processor agreements. «Accountability» evidence is what the AEPD values.

Demonstrable GDPR compliance, not improvised

My Psico Agenda includes logs by default, differentiated roles, 2FA, data export for rights requests and EU-hosted servers: your practice audits faster and with fewer surprises.
