Compliance

Articles and guides for UK aesthetic clinic owners and practitioners.

7 Articles

Compliance and Regulation for UK Aesthetic Clinics

Compliance is the boring stuff that keeps your clinic open. Nobody gets into aesthetics because they love filling out CQC applications or writing data protection policies. But getting compliance wrong can shut you down faster than any competitor, bad review, or quiet January ever could.

This page covers the major compliance areas that affect UK aesthetic clinics: CQC registration, data protection, advertising standards, prescribing rules, insurance, record keeping, and complaint handling. Each section gives you the practical version of what you need to know and do. Where we have detailed guides, we link to them. Where we don't, we give you enough to act on today.

One thing before we start: this is guidance, not legal advice. Regulations change, enforcement priorities shift, and your specific circumstances matter. Use this as your working checklist, then verify anything critical with your insurer, solicitor, or the relevant regulator.

CQC Registration and the New Licensing Regime

The Care Quality Commission is the regulator for health and social care services in England. If you perform certain treatments, you must be registered with CQC before you treat a single patient. Operating without required registration is a criminal offence with unlimited fines and up to 12 months imprisonment.

Which treatments currently require CQC registration:

  • Laser treatments using Class 3B or Class 4 devices where the treatment is for a disease, disorder or injury (purely cosmetic laser use falls outside CQC in England, but your local authority may require a special treatment licence for it; check both)
  • IPL treatments in the same clinical circumstances
  • Botulinum toxin injections for medical purposes (hyperhidrosis, migraines, but not cosmetic Botox for wrinkle reduction)
  • Thread lifts, PRP for medical indications, and other procedures classified as regulated activities
  • Any treatment that involves a surgical procedure, however minor

The distinction that trips most people up: cosmetic Botox injections for wrinkle reduction have historically not been a regulated activity requiring CQC registration, while Botox for hyperhidrosis is. Same drug, same needle, different regulatory category. However, the new licensing regime (see below) is changing this. Check the current position with CQC before making assumptions. Our CQC registration guide walks through every scenario in detail.

The new licensing regime

Section 180 of the Health and Care Act 2022 gave the Secretary of State the power to introduce a licensing scheme for non-surgical cosmetic procedures in England. The scheme has been consulted on but the detailed regulations are not yet in force, so the scope described here is the proposed one. Under it, practitioners performing treatments including botulinum toxin injections, dermal fillers, chemical peels, and certain skin treatments would need a licence regardless of whether the purpose is cosmetic or medical, which significantly expands the scope of regulation.

This means many clinics that currently don't need CQC registration will need to be licensed. The timeline has shifted several times, but if you're practising in aesthetics, you should be preparing as if licensing is imminent. In practical terms, that means having your documentation, training records, and clinical governance already in place.

What a CQC inspection actually looks like

Modern CQC assessments often start remotely. An inspector reviews your documentation, policies, and any available data before deciding whether an on-site visit is needed. If they do visit, they assess you against the five key questions:

  1. Safe. Are your clinical environments clean, equipment maintained, emergency protocols documented and practised?
  2. Effective. Are treatments evidence-based? Are outcomes monitored? Is staff training up to date?
  3. Caring. Do patients feel respected and involved in decisions? Is consent properly obtained?
  4. Responsive. Can patients access your services easily? How do you handle complaints?
  5. Well-led. Is there clear clinical governance? Quality improvement? Learning from incidents?

Inspectors look at evidence, not promises. They want to see dated policies, signed training records, calibrated equipment logs, completed audit cycles, and real complaint handling records. "We always do that" without documentation counts for nothing.

Key policies you need documented:

  • Safeguarding (adults and children)
  • Infection prevention and control
  • Complaints handling procedure
  • Adverse event reporting
  • Clinical governance framework
  • Staff recruitment and training
  • Consent procedures
  • Emergency protocols (including anaphylaxis management)
  • Business continuity

If you're not sure whether your treatments require registration, read the full breakdown in our CQC registration guide.

UK GDPR for Aesthetic Clinics

Data protection isn't just a box-ticking exercise. Aesthetic clinics hold some of the most sensitive personal data imaginable: clinical photographs, medical histories, before and after images, sometimes psychological assessments. All of this is "special category data" under UK GDPR, which means it gets the highest level of protection the law offers.

Our simplified GDPR guide covers the essentials, and the full GDPR compliance guide goes deeper. Here's what matters most.

Why aesthetics data is special category

Health data is explicitly listed as special category data under UK GDPR. For aesthetic clinics, this includes:

  • Medical history forms
  • Clinical photographs (before, during, and after treatment)
  • Treatment notes and plans
  • Records of adverse reactions
  • Psychological assessments or screening questionnaires
  • Any biometric data used for facial analysis

Processing special category data requires both a lawful basis under Article 6 and a separate condition under Article 9. For clinical records the usual Article 9 condition is 9(2)(h), processing for the provision of health care, which in the UK also requires the processing to be carried out by or under the responsibility of a health professional or another person who owes a duty of confidentiality (Data Protection Act 2018, Schedule 1). Explicit consent under Article 9(2)(a) is the condition for uses beyond care, such as marketing. You can't just rely on "consent" and assume you're covered; record which Article 6 basis and which Article 9 condition you rely on for each purpose.

The six lawful bases and which ones apply to you

UK GDPR Article 6 provides six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

For most aesthetic clinics, the relevant ones are:

  • Contract. You need to process patient data to deliver the treatment they've booked. This covers the core clinical relationship.
  • Legal obligation. You're legally required to maintain certain records (more on retention periods below).
  • Legitimate interests. This can cover things like marketing to existing patients, but you need a documented Legitimate Interest Assessment.
  • Consent. For anything beyond what's strictly necessary for treatment or legal compliance, you likely need explicit consent. This includes using before/after photos in marketing, sharing data with third parties, or sending promotional communications.

Consent for data processing and consent for treatment are two separate things. A patient signing a treatment consent form does not mean they've consented to you storing their photos in a marketing database or emailing them promotional offers. You need separate, specific, informed consent for each purpose. Document both.

Data retention periods

How long you keep clinical records matters. Keep them too briefly and you could be caught out by a late complaint or claim. Keep them indefinitely and you're holding data without a lawful purpose.

NHS guidance recommends:

  • Adult patients: 8 years after the last contact or treatment
  • Patients treated as children: until the patient's 25th birthday (26th if they were 17 when treatment finished), or 8 years after the last treatment, whichever is longer
  • Mental health records: 20 years after the last contact (relevant if you do any psychological screening)

These are guidelines, not legal minimums. Your insurer may recommend longer retention periods, particularly for treatments where complications can emerge years later. Check your policy.

Subject Access Requests

Any patient can request a copy of all the personal data you hold about them. You must respond without undue delay and at the latest within one month of receiving the request; the day you receive it counts as day one. You can extend by up to two further months for complex or numerous requests, but only if you tell the patient why within the first month. You can't charge a fee unless the request is "manifestly unfounded or excessive" (and the bar for that is very high). You must provide the data in an accessible format, and in a commonly used electronic form if the request was made electronically.

This is where good record keeping pays off. If your patient records are scattered across paper files, a phone camera roll, WhatsApp messages, and a spreadsheet, responding to a SAR within a month becomes a nightmare.

Right to erasure (with exceptions)

Patients can request you delete their data. However, there's an important exception for clinical records: where you have a legal obligation to retain the data (such as medical records for the retention periods above), the right to erasure doesn't override that obligation. You can, and should, delete marketing data, but clinical records stay for the legally required period.

Breach notification

If you suffer a personal data breach that's likely to result in a risk to individuals' rights and freedoms, you must notify the ICO without undue delay and within 72 hours of becoming aware of it; if you report later than that, you must explain the delay. Breaches unlikely to result in a risk don't have to be reported, but you must still record every breach internally, including your reasoning for not reporting it. "Breach" includes things like emailing patient records to the wrong address, leaving treatment notes visible to other patients, losing an unencrypted USB drive, or a ransomware attack.

If the breach is likely to result in a high risk to individuals (which clinical data breaches usually are), you must also notify the affected patients directly and without undue delay.

Maximum fines for serious GDPR violations: up to £17.5 million or 4% of annual global turnover, whichever is higher. For a small clinic, the reputational damage of a reported breach is probably more damaging than the fine itself.

Advertising Standards

The Advertising Standards Authority (ASA) and the Committees of Advertising Practice (CAP) regulate advertising across all media in the UK, including social media. Aesthetic clinics are under particular scrutiny because health and beauty claims are heavily regulated and because the sector has a history of misleading advertising.

The core rules for aesthetic advertising:

  • All claims must be truthful, substantiated, and not misleading
  • You cannot claim results are guaranteed, permanent, or risk-free
  • You cannot claim treatments are pain-free (you can say "minimal discomfort" if that's accurate and substantiated)
  • Time-limited offers must be genuine (not perpetual "this week only" promotions)
  • Testimonials must be genuine, must not be misleading, and cannot imply guaranteed results

Before and after photos

Before/after images are one of the most effective marketing tools in aesthetics, and one of the most regulated. The rules:

  • Photos must be genuine and unedited (no filters, no retouching, no changes to lighting or angles designed to exaggerate results)
  • Before and after images should be taken under similar conditions: same lighting, same angle, same distance
  • You must have the patient's specific, documented consent to use their images in marketing
  • Photos should be representative of typical results, not exceptional outcomes
  • Including a disclaimer like "individual results may vary" doesn't exempt you from these rules

Social media and influencer partnerships

Social media posts promoting your clinic are advertising, even if they don't feel like traditional ads. If you're paying an influencer or giving them free treatment in exchange for a post, that's a paid partnership and must be disclosed with #ad or similar clear labelling. "Gifted" treatments count. Affiliate arrangements count.

The ASA actively monitors aesthetic clinic advertising online. They use AI monitoring tools to scan social media for non-compliant advertising. Getting caught doesn't just mean taking down a post. Repeat offenders get referred to Trading Standards, which can pursue legal action.

Claims you should avoid entirely:

  • "Guaranteed results"
  • "Permanent" (unless genuinely permanent, which almost no aesthetic treatment is)
  • "No downtime" (if there's any possibility of redness, swelling, or bruising)
  • "Anti-ageing" as a standalone claim without context
  • Comparisons with competitors that you can't substantiate
  • Any claim that could create unrealistic expectations

Prescribing and Medicines

Botulinum toxin (Botox, Azzalure, Bocouture) is a prescription-only medicine. That means it cannot legally be administered without a valid prescription from a qualified prescriber. This is one of the areas where the aesthetics industry has the most confusion and the most non-compliance.

Who can prescribe botulinum toxin:

  • Doctors (GMC registered)
  • Dentists (GDC registered)
  • Nurse independent prescribers (with a V300 qualification recorded on the NMC register)
  • Pharmacist independent prescribers (with the relevant qualification recorded on the GPhC register)

Aesthetic nurses without independent prescribing qualifications cannot prescribe botulinum toxin. They can administer it, but only under a valid prescription or Patient Group Direction.

Patient Group Directions (PGDs)

A PGD is a written instruction that allows specified healthcare professionals to supply or administer a medicine to a pre-defined group of patients, without an individual prescription. PGDs are used in some aesthetic settings to allow nurses to administer botulinum toxin. Outside the NHS, a PGD must be authorised by a provider that is itself registered with CQC under the Health and Social Care Act 2008; a PGD drawn up for a clinic with no registration has no legal footing.

However, PGDs have strict requirements:

  • They must be drawn up by a multidisciplinary group including a doctor, pharmacist, and a representative of the professional group that will use them
  • They must specify the clinical criteria for patient selection
  • They must be signed by a doctor and pharmacist
  • They must carry an expiry date and be reviewed before it; NICE guidance says the expiry should be no more than three years from authorisation, and many organisations use two
  • They can only be used by named, individually authorised practitioners

Using a poorly drafted PGD, or one that doesn't meet the legal requirements, is essentially practising without a valid prescription. The penalties are the same.

The prescriber model

The safest and most common arrangement is the prescriber model: a prescribing practitioner (usually a doctor or dentist) sees the patient, assesses them, and writes a patient-specific prescription. The treatment can then be administered by the prescriber themselves or by a qualified practitioner working under that prescription.

The key point: the prescriber must have assessed the patient in person. A doctor who signs prescriptions for patients they've never seen is not operating legally. Remote prescribing of botulinum toxin for cosmetic use is not a grey area: GMC guidance is explicit that doctors must not prescribe injectable cosmetic medicines by phone, video link or online, or at the request of others, for patients they have not physically examined, and the other professional regulators take the same line.

For more on safe injection practices and clinical protocols, see our safety guide for injectable treatments.

Insurance

Professional indemnity is a condition of registration for doctors, nurses, dentists and pharmacists, so a registered healthcare professional practising without it also risks a fitness-to-practise referral. For practitioners who aren't on a statutory register it is not (yet) legally required, but operating without it is reckless. One adverse event, one claim, one complaint that escalates to litigation, and you're personally liable for damages that could run into hundreds of thousands of pounds.

Our insurance requirements guide covers the specifics. Here's the overview.

Professional indemnity vs public liability

These are different types of cover and you likely need both:

  • Professional indemnity covers claims arising from your professional services: a treatment that goes wrong, advice that causes harm, failure to obtain proper consent. This is the one specific to your work as a practitioner.
  • Public liability covers claims arising from your premises or general business operations: a patient slipping on a wet floor, a shelf falling on someone in your waiting room. This is the one your landlord or clinic space provider might require.

What can void your professional indemnity:

This is where most practitioners don't read the fine print. Common exclusions and conditions that can void cover:

  • Performing treatments you're not specifically insured for (your policy lists covered treatments, adding a new one usually requires notifying your insurer)
  • Working outside your documented scope of practice or competence
  • Operating from non-compliant premises (e.g., without required CQC registration)
  • Lapsed training certifications
  • Failing to maintain adequate clinical records
  • Not following manufacturer guidelines for products or devices
  • Using products outside their licensed indications without proper informed consent

Insurance for specific treatments

Different treatments carry different risk profiles and premiums:

  • Botulinum toxin and dermal fillers: standard aesthetic insurance covers these, but check your policy's per-claim and aggregate limits
  • Thread lifts, PRP, mesotherapy: these are higher risk and may require additional cover or higher premiums
  • Laser and IPL: often requires separate or additional cover, plus evidence of device-specific training
  • Body contouring (cryolipolysis, HIFU): check whether your policy explicitly includes these

Typical costs

Professional indemnity for a solo aesthetic practitioner doing injectables typically runs from £500 to £1,500 per year, depending on your treatments, experience, and claims history. Adding higher-risk treatments, multiple practitioners, or higher cover limits increases the premium. The cheapest policy is rarely the best value. Check the excess (how much you pay before insurance kicks in), the per-claim limit, and the aggregate annual limit.

Review your insurance policy every time you add a new treatment, hire a new practitioner, or change your premises. Notify your insurer of changes proactively. Finding out you're not covered after an incident is catastrophically worse than a slightly higher premium.

Record Keeping

Clinical records are not just a compliance requirement. They're your primary defence if something goes wrong. Good records protect your patients, protect you, and satisfy every regulator you'll encounter, from CQC to the ICO to your professional body.

What clinical records must contain

Based on GMC, NMC, and industry guidance, your treatment records should include:

  • Patient identification details (name, date of birth, contact information)
  • Medical history and relevant medications
  • Allergies and previous adverse reactions
  • Consultation notes (what was discussed, what options were presented)
  • Informed consent documentation (signed, dated, specific to the treatment)
  • Treatment details (what was done, what products were used including batch numbers, injection sites and volumes, device settings)
  • Clinical photographs (with documented consent for each use: clinical records, marketing, training)
  • Aftercare advice given (documented, not just verbal)
  • Any adverse events or complications and how they were managed
  • Follow-up plans and appointment records

Missing any of these creates gaps that become problems during complaints, insurance claims, or regulatory inspections. "I always tell patients about aftercare" means nothing if it's not in the record.

Digital vs paper records

Both are legally acceptable, but digital records are significantly easier to manage for compliance purposes. A properly configured digital system gives you audit trails (who accessed what, when), encrypted storage, backup and disaster recovery, and much faster responses to Subject Access Requests. "Digital" on its own is not a compliance guarantee, though: check that the vendor encrypts data at rest and in transit, that every staff member has their own login (no shared passwords) with access limited to what their role needs, that backups are actually tested by restoring from them, and that you have a written data processing agreement with the vendor, which UK GDPR Article 28 requires.

Paper records need to be stored securely (locked cabinets, restricted access), are vulnerable to fire, flood, or theft, and make SAR responses extremely time-consuming. If you're still on paper, our guide on digital vs paper consent forms covers the practical considerations of switching.

Photo consent and storage

Clinical photography creates specific compliance obligations:

  • Get written consent before taking any photos, specifying what the photos will be used for
  • Store photos in an encrypted, access-controlled system (not your phone camera roll, not WhatsApp, not a personal cloud account)
  • If a patient consents to photos for clinical records but not marketing, you must respect that distinction
  • Patients can withdraw consent for marketing use of their photos at any time
  • When a patient exercises their right to erasure, marketing photos must be deleted (clinical record photos may be retained for the legally required period)

For detailed aftercare documentation requirements, see our treatment aftercare protocols guide.

Complaint Handling and Adverse Event Reporting

Every clinic gets complaints. How you handle them determines whether they resolve quietly or escalate to regulatory action, legal claims, or media coverage. Every clinic also has adverse events. How you report and learn from them is a core part of clinical governance.

Handling patient complaints

You need a documented complaints procedure. This isn't optional for CQC-registered clinics, and it's good practice for everyone. Your procedure should cover:

  • How patients can make a complaint (make it easy, not hidden in small print)
  • Acknowledgement timescale (aim for 3 working days)
  • Investigation process
  • Response timescale (aim for 20 working days for a full response)
  • Escalation options if the patient isn't satisfied (the practitioner's professional body; an independent adjudicator such as ISCAS if you subscribe to one; note that the Parliamentary and Health Service Ombudsman only covers NHS-funded care, so it does not apply to a private clinic)
  • How you record and learn from complaints

The temptation when you receive a complaint is to get defensive. Resist it. Acknowledge the patient's concern, investigate properly, respond honestly, and document everything. Most complaints that escalate to regulators do so because the patient felt dismissed or ignored, not because the original issue was catastrophic.

Yellow Card reporting

The MHRA's Yellow Card scheme is the UK's system for reporting suspected adverse reactions to medicines and medical devices. If a patient has an unexpected adverse reaction to botulinum toxin, a dermal filler, or any other medicine or device you use, you should report it.

Yellow Card reporting is voluntary for most practitioners but strongly encouraged. It's how regulators identify safety signals with products. Reports can be submitted online at yellowcard.mhra.gov.uk and take about 10 minutes.

When to report to regulators

Beyond Yellow Card reporting, there are situations where you must notify specific regulators:

  • CQC (if registered): Serious injuries, abuse or allegations of abuse, incidents reported to or investigated by police, events that stop or may stop the service running
  • ICO: Personal data breaches likely to result in risk to individuals (within 72 hours)
  • Professional bodies (GMC, NMC, GDC): If a practitioner's fitness to practise may be impaired
  • Safeguarding authorities: Any safeguarding concerns involving adults or children

Do not wait to be asked. Regulators take a significantly dimmer view of issues they discover themselves than issues that were proactively reported. Self-reporting demonstrates governance. Cover-ups, even accidental ones through ignorance of reporting duties, suggest the opposite.

Putting It All Together

Compliance is not a one-off project. It's an ongoing process of maintaining systems, updating documentation, training staff, and staying current with regulatory changes. The clinics that handle it well are the ones that build compliance into their daily operations rather than treating it as an annual audit panic.

Start with the basics: are you registered where you need to be? Is your insurance current and covering what you actually do? Are your records complete? Is your data properly protected? Do you have a complaints procedure that works?

Then build from there. Each of the detailed guides linked throughout this page goes deeper into specific areas. If you're just starting out, our CQC registration guide and simplified GDPR guide are the two most important starting points. If you're established but want to check your position, work through each section above and honestly assess where the gaps are.

The goal is not perfection. It's having systems that work, documentation that's current, and the ability to demonstrate to any regulator that you take patient safety and data protection seriously. That's what keeps your clinic open, your insurance valid, and your patients safe.

Paper vs Digital Consent Forms for Aesthetic Clinics (Compliance, 8 min read, 18/03/2026)

Paper consent forms cost clinics £1,200+/year in printing and storage, and they're a GDPR liability. Here's the legal, practical, and financial case for going digital, plus how to migrate without losing anything.

GDPR for Aesthetic Clinics, Simplified (Compliance, 9 min read, 18/03/2026)

GDPR compliance doesn't have to be a headache. This plain-English guide covers exactly what UK aesthetic clinics must do: ICO registration, consent, patient rights, breach procedures, without the legal jargon.

Aftercare Protocols That Reduce Complications and Boost Rebooking (Compliance, 10 min read, 28/04/2025)

Practical aftercare protocols for Botox, filler, peels, microneedling, and more. Written for aesthetic practitioners who want fewer complications, better outcomes, and higher rebooking rates.

Safety Protocols Your Clinic Needs for Injectable Treatments (Compliance, 12 min read, 07/04/2025)

A practical safety and risk management guide for aesthetic practitioners offering Botox and dermal fillers. Covers pre-treatment assessment, consent, complication management, emergency protocols, and the documentation that protects your licence.

GDPR Compliance for Aesthetic Clinics: The Full Guide (Compliance, 16 min read, 01/04/2025)

Everything UK aesthetic clinics need to do for GDPR compliance. Data audits, consent management, patient rights, breach procedures, marketing rules, and the documentation you actually need.
