The risk
What the ICO and NHS DSPT require of your website — and where agency builds silently fail
A typical independent clinic site — podiatry, dentistry, physiotherapy,
mental health, fertility, cosmetic, or veterinary care — was built a few
years ago on whichever SaaS stack carried a template: a US host, a US
enquiry form, Google Analytics, a US newsletter tool. The site works and
bookings come in. It also quietly fails the obligations the practice —
not the agency — is accountable for. Four are worth naming precisely.
UK GDPR and the ICO regime
The practice is the data controller, and the ICO enforces UK GDPR under the Data Protection Act 2018. That means Article 30 records of processing, Article 28 data-processing agreements with every sub-processor, and — under Articles 44 to 49 — a lawful transfer mechanism with Standard Contractual Clauses and a written Transfer Risk Assessment for any personal data flowing outside the UK and EU. The agency that wired the enquiry form to a US host almost certainly wrote none of these.
Special-category health data
A patient enquiry that names a condition is special-category data under UK GDPR Article 9 the moment it lands. The Caldicott Principles add the NHS-adjacent layer: justify every use of identifiable patient information, and keep access on a strict need-to-know basis. An enquiry form on US-resident infrastructure exposes that data to lawful third-party access under the US CLOUD Act, access that the practice never named and cannot defend.
The NHS Data Security and Protection Toolkit
Any clinic in the NHS supply chain — taking GP referrals, supplying an occupational-health service, or processing data that originated in NHS systems — inherits Data Security and Protection Toolkit (DSPT) obligations through its contracts. The assessor spot-checks the public website: the named Information Governance lead, the incident-reporting route, the privacy notice, the supported stack, and the sub-processor list are all verified in a browser before any conversation with the practice.
Where patient data is hosted
Most clinic sites route enquiry forms, the CRM, analytics, and patient mailings through US-resident SaaS — HubSpot, Mailchimp, Google Analytics, a US inbox. The CJEU's Schrems II ruling made bulk transfer of personal data to US infrastructure legally precarious, and US-resident services remain subject to the CLOUD Act regardless of where the data physically sits. The practice cannot answer where the data lives or who can reach it.
None of these obligations explicitly requires an "EU-sovereign website".
Each, however, eventually asks the same question: where does the patient
data live, who has access, and can the practice prove it? On a typical
agency-built site the honest answer is "we do not really know."