In 2026, multi-site care homes in the UK must comply with UK GDPR, complete the NHS Data Security and Protection Toolkit (DSPT) each year if they handle NHS-funded care data, are increasingly expected to implement the technical controls defined by Cyber Essentials, and must meet Care Quality Commission expectations around data protection and system reliability.
For many care groups this can mean managing 50 to 150 staff accounts and 70 to 200 connected devices per location, depending on team size, including desktops, laptops, tablets, clinical systems and mobile phones. Every account and device, whatever the total, must meet the same data protection, access control and security monitoring standards.
Under UK GDPR, the Information Commissioner’s Office can issue fines of up to £17.5 million or 4 percent of global annual turnover, whichever is higher. Beyond financial penalties, a serious breach can trigger enforcement action, reputational damage and increased regulatory scrutiny. For care providers, the operational impact often outweighs the headline fine.
Let’s break down what this means in practical terms.
1. GDPR – Data Protection and Access Controls
Care homes process some of the most sensitive categories of personal data defined under UK GDPR, including health information. This is classified as special category data and carries enhanced protection requirements.
At a minimum, multi-site providers must demonstrate:
- Lawful data processing: You must clearly identify your lawful basis for processing personal data, often a combination of legal obligation and provision of health or social care. This must be documented and understood at management level.
- Encrypted data storage and transmission: Data at rest on servers, laptops and mobile devices should be encrypted. Email and file sharing must use secure, encrypted channels. Sending care plans or medication records from personal or unencrypted email accounts creates immediate risk exposure.
- Role-based access permissions: Staff should only access information necessary for their role. A carer does not require the same system permissions as a registered manager or finance administrator. This requires structured user groups and consistent onboarding and offboarding processes across every site.
- Secure email and file sharing: Many breaches stem from misdirected emails or oversharing of files. Controls such as data loss prevention policies and restricted sharing settings within Microsoft 365 help reduce these risks.
- Defined data retention policies: Care providers must retain records in line with legal and regulatory requirements, then securely dispose of them when retention periods expire. Keeping data indefinitely increases liability.
- Breach reporting within 72 hours: Unless a personal data breach is unlikely to result in a risk to individuals, it must be reported to the ICO within 72 hours of becoming aware of it. That means you need internal detection and escalation processes that work quickly, including across multiple locations, because the clock starts at the first site to notice, not at head office.
In a care setting, compliance is inseparable from safeguarding. Residents and their families expect discretion and professionalism. Regulators expect evidence.
2. Data Security and Protection Toolkit (DSPT)
If your organisation accesses NHS systems or handles NHS-funded patient data, completion of the Data Security and Protection Toolkit is mandatory.
The DSPT is an annual online self-assessment developed by NHS England. It measures organisations against the National Data Guardian’s 10 data security standards. Many providers underestimate its depth until they begin gathering evidence.
Key requirements include:
- Annual self-assessment submission: Organisations must assess themselves against defined standards and publish their attainment level each year.
- Documented security controls: You must provide evidence of policies, technical safeguards and governance processes. This includes risk assessments, access controls and supplier management.
- Staff training: All staff must complete appropriate data security awareness training annually. Records of completion must be maintained and auditable.
- Multi-factor authentication: Where available, especially for remote access and privileged accounts, multi-factor authentication is expected. This is increasingly treated as baseline rather than optional.
- Secure, tested backups: Backups must be encrypted, regularly tested and protected against ransomware. Simply having a backup system is not sufficient if restoration has never been verified.
- Incident response planning: You need a documented incident response plan that defines responsibilities, reporting processes and communication procedures.
For multi-site providers, coordinating evidence collection across locations can be time consuming. A structured approach, with central oversight and consistent documentation templates, makes annual submission far more manageable.
3. Cyber Essentials Technical Controls
Cyber Essentials is a UK government-backed certification scheme focused on five core technical controls. While not legally mandatory for all care homes, it is increasingly expected by partners, insurers and commissioners.
The five controls are:
- Firewalls and boundary security: All internet connections must be protected by properly configured firewalls. Default passwords on routers or network devices are a common audit failure.
- Secure configuration: Systems should be configured to reduce vulnerabilities. This includes disabling unused services, removing unnecessary software and changing default settings.
- User access control: Accounts must be unique to individuals. Administrative privileges should be tightly restricted and reviewed regularly.
- Malware protection: Anti-malware solutions must be deployed and kept up to date across all devices. Centralised monitoring helps ensure coverage is consistent across sites.
- Patch management: Security updates must be applied within defined timeframes. Under Cyber Essentials, updates that fix vulnerabilities rated critical or high (CVSS v3 base score of 7.0 or above) must be applied within 14 days of release, and software that is no longer supported by its vendor must be removed or isolated.
Certification demonstrates that a baseline level of cyber hygiene is in place. It can also support cyber insurance applications and reassure stakeholders that security is being taken seriously.
4. CQC Expectations Around IT and Security
The Care Quality Commission does not publish an “IT checklist,” yet technology plays a clear role in inspection outcomes.
Inspectors will expect to see:
- Robust data protection policies: Policies should reflect actual practice, not generic templates stored in a folder. Staff should understand how information is handled day to day.
- Clear incident handling procedures: If a data breach or system outage occurs, inspectors may ask how it was managed and what lessons were learned.
- System reliability: Electronic care planning systems must be available when staff need them. Frequent downtime can directly affect care quality and medication safety.
- Business continuity planning: There should be documented plans for IT failure, cyber incidents or loss of connectivity. This includes access to critical resident information during outages.
- Audit trails for resident data: Systems should log who accessed or amended records, when, and from where. Audit trails support safeguarding investigations, demonstrate accountability and, if they are actually reviewed, are how an inappropriate access is caught before it becomes a reportable breach.
Technology underpins care delivery. When it fails, operational risk increases quickly. CQC recognises this, even if the framework is broader than IT alone.
5. Managing Compliance Across Multiple Locations
Single-site compliance is complex enough. Multi-site operations introduce additional layers of coordination.
Practical steps include:
- Centralised Microsoft 365 management: Managing identities, email security and device policies from a single tenant reduces inconsistency and improves visibility.
- Unified device policies: Standardised security baselines across all laptops, desktops and mobile devices prevent configuration drift between locations.
- Shared audit logging and monitoring: Central log collection enables faster detection of unusual activity across the estate, rather than relying on individual site managers.
- Standardised security stack: Using the same firewall models, endpoint protection and backup solutions across sites simplifies support and evidence gathering.
- Central compliance documentation: Policies, risk assessments and training records should be maintained in a structured, accessible repository. When DSPT submission or CQC inspection arises, documentation should not require a last-minute scramble.
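The point of central log collection (above) and of the audit trails CQC expects is that someone, or something, reviews them. The following is an added example, not code from the page or from PS Tech, of the kind of review a multi-site provider can automate over one combined feed: it flags activity from accounts HR has marked as leavers, actions outside what a role permits (the role-based access point under GDPR above), one account active at two sites within minutes, and one account reading an unusual number of resident records in a short window. The log schema, the role matrix, the leavers list and every sample record are constructed assumptions; a real care planning system or the Microsoft 365 audit log exports its own format, so `parse_log()` is the part you adapt.

```python
"""Central audit-log review across care-home sites (added example).

Everything here is constructed: the schema (ts, site, user, role, action,
record), the role matrix, the leavers list and the sample records.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one combined JSON-lines feed from three sites. It plants
# four problems: a carer exporting a record, activity from an account HR marked
# as left, one account active at two sites 15 minutes apart, and one account
# reading 12 resident records in 11 minutes.
_BULK_READS = "\n".join(
    json.dumps({"ts": f"2026-03-02T22:{m:02d}:00", "site": "elmcourt", "user": "dlee",
                "role": "carer", "action": "record.read", "record": f"R30{m:02d}"})
    for m in range(12)
)
SAMPLE_LOG = """
{"ts": "2026-03-02T08:05:00", "site": "oakfield", "user": "acarter", "role": "carer", "action": "record.read", "record": "R1041"}
{"ts": "2026-03-02T08:07:00", "site": "oakfield", "user": "acarter", "role": "carer", "action": "record.update", "record": "R1041"}
{"ts": "2026-03-02T08:20:00", "site": "oakfield", "user": "acarter", "role": "carer", "action": "record.export", "record": "R1041"}
{"ts": "2026-03-02T09:00:00", "site": "rosehill", "user": "jsmith", "role": "nurse", "action": "record.read", "record": "R2003"}
{"ts": "2026-03-02T09:10:00", "site": "oakfield", "user": "bkhan", "role": "manager", "action": "record.read", "record": "R1001"}
{"ts": "2026-03-02T09:25:00", "site": "rosehill", "user": "bkhan", "role": "manager", "action": "record.read", "record": "R2010"}
{"ts": "2026-03-02T10:00:00", "site": "elmcourt", "user": "pfinance", "role": "finance", "action": "invoice.read", "record": "INV-77"}
""" + _BULK_READS

# Assumed role matrix: the actions each role is permitted to perform.
ALLOWED = {
    "carer": {"record.read", "record.update"},
    "nurse": {"record.read", "record.update", "medication.update"},
    "manager": {"record.read", "record.update", "medication.update", "record.export"},
    "finance": {"invoice.read", "invoice.update"},
}

# Assumed HR leavers list: accounts that should already be disabled in the IdP.
OFFBOARDED = {"jsmith"}


def parse_log(text):
    """Parse JSON lines into event dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def offboarded_activity(events, offboarded):
    """Any event from a leaver's account: offboarding did not reach the IdP."""
    return [e for e in events if e["user"] in offboarded]


def role_violations(events, allowed):
    """Actions outside the role's permitted set: over-privilege or misconfiguration."""
    return [e for e in events if e["action"] not in allowed.get(e["role"], set())]


def cross_site_activity(events, window=timedelta(minutes=30)):
    """Same account active at two different sites within `window`:
    a shared or stolen credential, or a remote session worth confirming."""
    last = {}  # user -> (timestamp, site) of their most recent event
    findings = []
    for e in events:
        prev = last.get(e["user"])
        if prev and prev[1] != e["site"] and e["ts"] - prev[0] <= window:
            findings.append((e["user"], prev[1], e["site"], e["ts"] - prev[0]))
        last[e["user"]] = (e["ts"], e["site"])
    return findings


def bulk_record_access(events, threshold=10, window=timedelta(minutes=15)):
    """One account reading at least `threshold` distinct resident records inside
    any `window`: the pattern behind mass copying or export of care records."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "record.read":
            per_user[e["user"]].append(e)  # already sorted by time
    findings = []
    for user, reads in per_user.items():
        best, start = None, 0
        for end in range(len(reads)):
            while reads[end]["ts"] - reads[start]["ts"] > window:
                start += 1  # slide the window forward
            distinct = {r["record"] for r in reads[start:end + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > best[1]):
                best = (user, len(distinct), reads[start]["ts"], reads[end]["ts"])
        if best:
            findings.append(best)
    return findings


def review(log_text, allowed=ALLOWED, offboarded=OFFBOARDED):
    """Run every check over one central feed; returns findings keyed by check."""
    events = parse_log(log_text)
    return {
        "offboarded_activity": offboarded_activity(events, offboarded),
        "role_violations": role_violations(events, allowed),
        "cross_site_activity": cross_site_activity(events),
        "bulk_record_access": bulk_record_access(events),
    }


if __name__ == "__main__":
    for check, findings in review(SAMPLE_LOG).items():
        print(f"{check}: {len(findings)} finding(s)")
        for finding in findings:
            print("   ", finding)
```

Each check is a few lines because the hard part is not the logic but having all sites' events in one place with a consistent schema and a current leavers list; without the central tenant and the standardised onboarding and offboarding process described above, the offboarded check in particular has nothing reliable to compare against. Thresholds such as 10 records in 15 minutes are starting points to tune against what normal handover and medication rounds look like at your sites.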
Multi-site growth often happens quickly through acquisition or expansion. Without deliberate standardisation, technical environments fragment. Compliance then becomes reactive rather than controlled.
Why PS Tech?
We work with regulated organisations that operate under constant scrutiny. Compliance is rarely about a single framework. It sits at the intersection of GDPR, DSPT, Cyber Essentials and inspection readiness.
PS Tech is Cyber Essentials certified and specialises in Microsoft 365 environments. Our approach focuses on building secure, centrally managed platforms that support multi-site oversight without adding operational friction. For urgent issues, we operate with a 10-minute SLA so that incidents are contained quickly rather than allowed to escalate.
Care providers face enough operational pressure without wrestling with fragmented IT compliance. A structured, compliance-first foundation gives leadership teams clarity, visibility and confidence as regulatory expectations continue to evolve.
