Data Security and GDPR in UK Optician Practice Management Software: How to Compare PMS Data Protection in 2026

Most practice owners compare optician software on the things they can see in a demo — the diary, the dispense screen, how the eGOS claim flows. Data security sits in the part of the demo nobody asks about, usually summed up in one slide with a padlock icon and the words “fully GDPR compliant.” Everyone nods. The conversation moves on.

That’s a problem, because your practice management system holds the single most sensitive thing you own: a database of patients’ names, addresses, dates of birth, clinical records, and prescriptions. Under UK GDPR that’s special category health data — the most heavily protected kind there is. If it leaks, gets ransomed, or simply can’t be recovered after a server failure, the damage isn’t a slow morning at reception. It’s an ICO investigation, a letter to every affected patient, and a reputation that took twenty years to build coming apart in a week.

And the timing matters. If you provide NHS sight tests, the deadline to complete the 2025/26 Data Security and Protection Toolkit (version 8) is 30 June 2026 — a fortnight away as I write this. Your PMS is a big part of whether you can answer those questions honestly. So this is worth slowing down for. Here’s how to actually compare data security across optician practice management systems, instead of taking the padlock slide at face value.

Why data security is the comparison everyone skips

Three things conspire to keep this off the table during a buying decision.

The first is that it’s invisible in a demo. Good security looks like nothing happening. You can’t watch encryption-at-rest the way you can watch a frame get added to an order. So it doesn’t make the highlight reel, and a salesperson is never going to volunteer to spend ten minutes on backups when they could be showing you the shiny bits.

The second is that “GDPR compliant” has become meaningless through overuse. Every vendor says it. It’s printed on websites the way “free-range” is printed on egg boxes. But GDPR compliance isn’t a product feature you can switch on — it’s a shared responsibility between you (the data controller) and your software provider (a data processor). A vendor can hand you a system that’s perfectly capable of being used compliantly and you can still be breaching the law through how you configure and run it. The phrase tells you almost nothing on its own.

The third is that the people in the room don’t feel the risk. The owner is thinking about growth and the diary. The optometrist is thinking about clinical workflow. Nobody in a Tuesday-afternoon demo is the person who’ll be on the phone to the ICO at 8am after a breach. So the question that should be load-bearing gets treated as paperwork.

None of that changes the fact that this is the one area where getting it wrong is existential rather than annoying. So treat it like the others: define what the system has to do, then make every vendor prove it.

The four jobs your PMS has to do on security

Strip away the jargon and a practice management system has four security jobs. Compare vendors on whether they actually do these, not on whether they own a certificate.

1. Keep the data safe where it lives

Patient data should be encrypted both in transit (when it moves between your reception PC and the server) and at rest (when it’s sitting in the database). For a cloud system, the data lives in a data centre run to a standard you’ll never match in a back office above the shop. For a desktop or server-in-the-cupboard system, “where it lives” is a box in your practice — which means the security is only as good as your own locks, your own patching, and your own luck with hardware. That distinction matters enormously and we’ll come back to it.

2. Make sure only the right people see the right things

Not everyone in the practice needs access to everything. A locum optometrist covering for a day shouldn’t be able to export your entire patient list. A Saturday dispensing assistant doesn’t need to see clinical notes from a glaucoma referral. Role-based access control — different permission levels for different jobs — is a basic security requirement, and it’s also a GDPR one. UK GDPR expects access to personal data to be limited to those who need it.

3. Keep a record of who did what

If a patient asks who has looked at their record, or if you ever need to investigate suspected snooping, you need an audit trail: a tamper-resistant log showing which user viewed, edited, or exported which record and when. This is the difference between being able to answer the ICO’s questions and having to admit you have no idea.
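As an added illustration of jobs 2 and 3 together (example code written for this post, not Raven Vision's or any other PMS's implementation): a role table modelled on the scenarios above, where every access decision is recorded in a hash-chained audit log so that editing or deleting an entry after the fact is detectable. Role names, permissions and user names are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed role model mirroring the post's examples: a locum can see and
# edit clinical records but cannot export the patient list; a Saturday
# dispensing assistant never sees clinical notes. Names are assumed.
PERMISSIONS = {
    "optometrist":          {"view_clinical", "edit_clinical", "view_demographics"},
    "locum_optometrist":    {"view_clinical", "edit_clinical", "view_demographics"},
    "dispensing_assistant": {"view_demographics", "view_dispense"},
    "practice_owner":       {"view_clinical", "view_demographics", "view_dispense",
                             "export_patient_list"},
}

GENESIS = "0" * 64  # previous-hash value for the very first entry


class AuditLog:
    """Append-only log where each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, action, record_id, allowed):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "role": role, "action": action, "record": record_id,
                 "allowed": allowed, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def request(log, user, role, action, record_id):
    """Decide an access request from the role table and log it either way."""
    allowed = action in PERMISSIONS.get(role, set())
    log.append(user, role, action, record_id, allowed)
    return allowed
```

Denied attempts are logged as well as successes, which is what lets you answer "who tried to export the list?" rather than only "who succeeded".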

4. Make sure you never lose it

The breach everyone worries about is the dramatic one — the hacker. The far more common disaster is mundane: a failed hard drive, a corrupted database, a flooded stockroom, or a ransomware infection that encrypts your only copy. The fourth job is recoverability. Backups that run automatically, are stored somewhere other than the same building, and — this is the part people forget — have actually been tested by restoring from them.

Six dimensions to compare vendors on

With those four jobs in mind, here’s the framework I’d score every system against. Use it as a scorecard, not a vibe check.

Where the data physically lives — and who controls it

Ask where patient data is stored. For a cloud PMS, you want UK or EU data centres (this keeps you clear of the cross-border transfer headache UK GDPR creates). For a desktop system, the honest answer is “on your premises,” which makes you solely responsible for the physical and digital security of that box. Neither is wrong, but they put very different burdens on you, and you should know which one you’re signing up for.

Encryption, in plain terms

Don’t accept “it’s encrypted” as an answer. Ask: is data encrypted in transit and at rest? You’re not trying to become a cryptographer — you’re checking the vendor can answer specifically rather than reaching for the padlock slide.

Independent security accreditations

This is where you separate marketing from substance. Anyone can claim to be secure; an accreditation means an external auditor checked. The ones to look for in the UK are Cyber Essentials or Cyber Essentials Plus (a government-backed baseline), and ISO 27001 (a rigorous international information-security standard). Some larger providers also hold SOC 2. A vendor that holds these will tell you instantly and send you the certificate. A vendor that fumbles the question has told you something too.

Access control and authentication

Check for genuine role-based permissions, and ask whether the system supports multi-factor authentication (MFA) for logins. MFA — a code on a phone on top of a password — is one of the most effective defences against a stolen password turning into a breach, and increasingly it’s something the DSPT and cyber-insurance underwriters expect to see switched on.

Backups and disaster recovery

Ask three specific questions: how often are backups taken, where are they stored, and — critically — when did you last successfully test a restore? With a cloud system this is the vendor’s job and they should be able to describe it confidently. With an on-premise system, it’s almost always yours, and “we’ve got a backup drive somewhere” is not a disaster recovery plan.

What happens to your data — for you, and when you leave

Two parts. First, can the system support patient rights without a fortnight of manual work? When someone makes a subject access request or asks to be deleted, you need to find, export, or remove their data cleanly. Second, when you eventually switch providers, can you get a full, usable export of your own data? A vendor who makes leaving painful is telling you how they think about your data while you’re still a customer.

Ten questions to ask in the demo

Print these. Ask every vendor the same ten, word for word, and write down the answers so you can compare like with like.

1. Where is our patient data physically stored, and is it in the UK or EU?
2. Is data encrypted both in transit and at rest?
3. Which security accreditations do you hold — Cyber Essentials, ISO 27001, SOC 2 — and can you send the certificates?
4. Does the system support role-based access so staff only see what their job needs?
5. Can we turn on multi-factor authentication for logins?
6. Is there an audit trail showing who viewed or edited each patient record?
7. How often are backups taken, where are they held, and when did you last test a restore?
8. If we have a breach, what’s your role and how quickly will you notify and support us?
9. How does the system help us handle a subject access request or a deletion request?
10. If we leave, how do we get a complete export of our own data, and in what format?

You’re not trying to catch anyone out. You’re listening for the difference between specific, confident answers and a reach for the brochure.

Five red flags

Some answers should make you slow right down.

“We’re fully GDPR compliant” — and nothing more. If that’s the whole answer, they’ve told you they market security rather than build it. Compliant systems can describe how.

No named accreditation. If a vendor can’t point to Cyber Essentials, ISO 27001, or an equivalent, you’re trusting their word with no external check behind it. For special category health data, that’s a lot to take on faith.

Backups described vaguely, or “that’s your responsibility” with no help offered. On an on-premise system the responsibility genuinely may be yours — but a good vendor helps you set it up properly rather than shrugging.

Shared logins as the norm. If the system can’t realistically run with one account per staff member, your audit trail is fiction and your access control doesn’t exist. “Everyone just uses the front-desk login” is a breach waiting to be investigated.

Friction when you ask about leaving. If “how do we export everything if we go?” gets a defensive non-answer, assume the data feels like theirs, not yours.

Cloud or on-premise: the honest version

This is the decision underneath all of it. An older server-in-the-back-office system can be run securely — but every part of that security becomes your job: the patching, the firewall, the off-site backups, the physical lock on the door, the encryption, the restore tests. Most independent practices simply don’t have the time or the IT support to do all of that to the standard the data deserves, which is how you end up with a single unencrypted backup drive next to the server it’s backing up.

A well-built cloud system moves the heavy lifting — data-centre security, encryption, automated and tested backups, patching — to a provider who does it at scale. You still own your responsibilities (access control, staff training, sensible use), but you’re not personally responsible for keeping a server alive. For most independents in 2026, that’s the more defensible position, and it’s a large part of why we built Raven Vision as a cloud-based system from the start.

What good looks like in 2026

A practice management system you can stand behind on security stores patient data in UK or EU data centres, encrypts it in transit and at rest, and holds real accreditations it’ll show you without being chased. It gives every staff member their own login with role-appropriate access, supports multi-factor authentication, and keeps an audit trail you could actually put in front of the ICO. It backs up automatically to a separate location, tests those backups, and makes patient rights — access, correction, deletion — something you handle in minutes rather than days. And it treats your data as yours, including when you decide to leave.

Where Raven Vision sits

Raven Vision was built by an optometrist, Shaukat, inside his own practices before it was ever sold to anyone else — which means the security model was designed around how a real independent practice actually handles patient data day to day, not around a tick-box exercise. It’s cloud-based, so encryption, automated backups and infrastructure security are handled centrally rather than being left on your shoulders. The patient management system keeps structured records with the audit trail and role-based access UK GDPR expects, and billing and NHS streams live in the same secure environment through the billing and finance module rather than being scattered across spreadsheets and shared drives where data quietly leaks.

We’re also clear about the shared-responsibility line: we secure the platform, and we help you use it in a way that stands up to scrutiny — including the DSPT questions you may be answering before the end of this month. No padlock-slide hand-waving.

If data security has been the slide you nodded through in every other demo, make it the one you actually dig into. Book a demo and ask us all ten questions above — and see exactly what’s included in the £149/month plan, with no setup fee and no lock-in. Your patient list is the most valuable and most sensitive thing your practice owns. The software that holds it should be the part you’re most confident about, not the part you skipped.
