I comply with the UKCP's guidance on security and GDPR.
Electronic records, which show e mails and payments, are password protected.
Paper documents detailing attendance at sessions are identified by initial only and are kept in a locked cabinet.
All records are kept only for as long as is required for accounting or insurance purposes. Once they are no longer required, records are deleted/destroyed.