GDPR Compliance

What are your responsibilities as a customer of Silicon Practice?

You are the data controller of any personal data provided to us in relation to your use of our services. This means that you are responsible for determining the reason why data is being processed, how it is processed and when it is processed.

We are a data processor, which means we are processing personal data on your behalf when you are using our services. General Data Protection Regulation (GDPR), which came into force on May 25, 2018, prohibits us from conducting any processing activities that you have not authorised us to do. As a data processor we will not process any data you provide unless we have received an appropriate instruction from you.

As a data controller, GDPR requires you to implement appropriate technical and organisational measures to ensure and demonstrate that any processing of personal data is performed in a compliant manner. The principles of GDPR include topics such as lawfulness, fairness, transparency, purpose, data minimisation and accuracy. GDPR also gives data subjects various rights with respect to their data, which you are required to fulfil.

Silicon Practice and GDPR

We are committed to ensuring compliance with GDPR. GDPR requires that data controllers use data processors that carry out processing in a manner that complies with regulations.

Compliance Officer

We employ a dedicated Compliance Officer. Under the direction of the Compliance Officer, our team are responsible for ensuring compliance with security and data protection standards, regulations and legislation.

Information we process

Any data that you and your users put into our systems will only be processed in accordance with your instructions.


All of our employees and contractors are required to sign a confidentiality agreement and undertake regular training.

Use of sub-processors

We directly conduct most of the data processing activities needed to provide our services to you. However, we use some other third-party suppliers to assist in supporting our services. We ensure each supplier is technically capable and can deliver the required levels of security and privacy.

Category Personal Data
Professional Services We may share your details with professional service companies such as accountants or accounting software.
Technical service providers We may share your details with providers we use to provide computing services.
Communication services We may share your details with companies who provide us with communication services such as a customer support or email providers.

Data export and deletion

We will assist you in exporting or deleting customer data, if required, in line with our agreed service levels. When we receive a deletion instruction from you we will delete all relevant patient information from all of our systems within a period of no more than 180 days, unless we are obliged by law to retain such personal data for a longer period of time.

Incident Notification

We are committed to notifying you regarding data incidents that may involve your information or patient information that we process on your behalf.

Security Measures

GDPR requires that data controllers and their processors implement security controls. We make a copy of our security measures available to assist you in determining the appropriateness of our controls.

Data Centre and Server Information

Our servers operate from our secure data centres within the UK to keep our services running 24 hours a day, 7 days a week.

Associated Standards and Accreditations

We adhere to the NHS standards for all patient identifiable information. In particular:

  • Our company is NHS IG Level 2 compliant;
  • FootFall has achieved the SCCI 129 standard for clinical safety;
  • All patient information is encrypted to NHS encryption standards;
  • The data is stored in a data centre which is ISO 27001 compliant;
  • We have achieved Cyber Essentials as specified by the NHS.

We are, of course, registered with the ICO – Registration Number Z9216576.