
We are DSPT consultants helping organisations meet the requirements of the NHS Data Security and Protection Toolkit with clarity and confidence

Our mission is to simplify DSPT compliance, transforming it from a tick-box exercise into a genuine opportunity to build trust, improve data security and protect your organisation’s reputation. Whether you’re a small care home, a growing tech supplier or a healthcare provider navigating complex data flows, we’re here to help guide you through the process. We’ve supported clients of varying organisational sizes across the UK to complete their DSPT assessments, implement meaningful security controls and independently verify their approach.

As compliance specialists, we help translate the NHS’s data security standards into practical, manageable processes tailored to the scale of your organisation. No jargon. No unnecessary overhead. Just straightforward support to get you compliant.

What is the NHS Data Security and Protection Toolkit?

The fundamentals of the DSP Toolkit

The DSPT is a mandatory requirement for NHS suppliers, care providers, GP practices, and other health and social care organisations. It addresses compliance with the National Data Guardian’s 10 security standards, which align with UK GDPR and cyber best practices, and requires annual submission.

Data Protection and Confidentiality

The DSPT ensures your organisation handles patient data lawfully, fairly, and transparently. It reinforces privacy principles and helps demonstrate compliance with UK GDPR and the Data Protection Act 2018.

Staff Training and Awareness

Your team is your first line of defence. The DSPT requires all staff to receive up-to-date, annual training on data security, ensuring everyone understands their responsibilities when handling sensitive information.

Access Controls

Only the right people should have access to the right information at the right time. The DSPT supports implementation of robust access control policies that limit exposure and reduce the risk of unauthorised data access.

Incident Response

Preparedness is key. The DSPT requires that organisations have clear procedures in place for identifying, reporting, and managing data breaches and cyber incidents — helping minimise harm and ensure timely recovery.

Secure IT Systems

The toolkit focuses on maintaining secure systems through patching, endpoint configuration, and regular checks. It encourages organisations to stay resilient against common threats like ransomware and phishing.

Data Flow Mapping

Understanding how data moves through your organisation is crucial. The DSPT requires documentation of data flows to ensure risks are assessed, third-party access is understood, and appropriate controls are in place.

Risk Management and Accountability

Risk assessments are at the heart of the DSPT. You’ll be asked to identify risks, evaluate their impact, and implement controls to mitigate them.

Continuous Assurance

Rather than a one-off exercise, the DSPT promotes an ongoing commitment to data security. It helps build a culture of review, improvement, and accountability across all levels of your organisation.

Want to know more? Read our DSPT Guide.

Independent DSPT Audit

Certain NHS organisations and IT suppliers are now required to undergo an independent audit of their Data Security and Protection Toolkit (DSPT) controls. This mandatory requirement is to ensure compliance with data security and protection standards.

Who Needs an Independent DSPT Audit?

  • NHS Trusts: Including acute, foundation, ambulance, and mental health trusts.
  • Integrated Care Boards (ICBs): Responsible for planning and commissioning health services within specific geographic areas.
  • Independent Providers as Operators of Essential Services: Crucial for the functioning of essential services.
  • IT Suppliers: Those meeting specific criteria, such as £10m+ annual revenue and 50+ employees.

Why is the Independent Audit Required?

The NHS Standard Contract and DSPT requirements mandate these audits to ensure organisations demonstrate compliance with data security and protection standards. The independent audit offers:

  • An objective assessment of cyber and information security risks.
  • Identification of gaps between self-assessment and actual performance.
  • Valuable insights into the cyber security and information governance across the organisation.

How can twoSB support?

Our DSPT audit services are designed to support organisations with the requirement for an independent audit. We take a comprehensive yet pragmatic approach to auditing, to help bring valuable insights into your practices and highlight areas for development.

Your Organisation Is Unique – Your Approach to the DSPT Should Be Too

We don’t believe in a one-size-fits-all approach to DSPT compliance. Off-the-shelf solutions can lead to policy overload and confusion. Instead, we tailor every element to reflect the size, structure, and real-world needs of your organisation.

We begin by understanding how you operate and what your priorities are — whether that’s NHS contract readiness, meeting CQC expectations, or simply building a more secure culture. This means our DSPT support focuses on areas that will bring the most benefit and clarity to your team.

We typically deliver a series of tailored workshops or calls, covering key DSPT requirements in each session. We walk you through what’s needed, adapt it to your workflows, and leave you with clear actions. Each follow-up session builds on your progress — reviewing evidence together and ensuring you’re on track for a confident submission.

Always Available to Support You

We’re always on hand when you need us — no gatekeeping, no hidden fees. We believe in being generous with our time and fully invested in your success. Reach out today and let’s map out your DSPT strategy together.