In general there is still some confusion about GDPR and how it applies to us. This was in no small way due to misleading information put out by a certain (other) Podiatry professional organisation earlier in the year. Facebook was full of it, and it spread from there.
It would seem that as long as you follow the advice from your own professional body (in this case the IOCP) you are safe. The data protection people are not concerned with small businesses particularly, but you must follow your own organisation’s advice in order to comply with Personal Indemnity insurance requirements. If you do not insure with the ICOP (I don’t) then you must follow the advice of whoever you do insure with.