Whilst the overall deadline for the Data Security Protection Toolkit (DSPT) submission is not until June 2025, an interim assessment applies to NHS Trusts, Integrated Care Boards, DSHC Arm’s Length Bodies and Commissioning Support Units.  

It is required to be submitted on 31st December 2024, reflecting the organisation’s position with regards to completion of the toolkit, at that time.  

The interim assessment is not assessed but is intended to showcase that organisations are underway with the DSPT. It also works to highlight organisations that may need further support or guidance prior to submitting the completed toolkit in June.  

How early should organisations begin working on their DSPT completion? 

Regardless of whether an organisation falls under the requirements for the interim assessment, starting early on the DSPT is always recommended.  

It can take anything from a matter of a few days to many weeks to complete a submission and that depends on several factors; 

• The size of an organisation can make the DSPT submission much more complex to complete due to requiring input from several departments.  

• If there are many systems in place, this may mean that gathering the necessary information will take longer, particularly since completing the toolkit will need data gathered from various areas of the business.  

• Familiarity of the toolkit is important, for those new to the DSPT, completing the submission may take much longer to understand the questions and complete the relevant documentation.  

• One of the key factors to the length of time it takes to complete the DSPT is how strong organisations are with their data protection measures already in place.   

• If the relevant policies and procedures are already in place then much of the documentation will be easy to locate, reducing the length of time required to complete.  

What is the process of creating the DSPT? 

1. Preparation: Collecting documents, reviewing policies, and gathering the necessary data. This could take a few hours to several days.  
2. Filling Out the Toolkit: Depending on the size of the organisation, this could also take from a few hours to a few days and relies on the collection of documents being thorough and complete.  
3. Review and Finalise: Ensuring that the information provided is accurate, up-to-date, and complies with regulations may take further hours, days or even weeks, especially if input is needed from others in the organisation.  

In short, the DSPT process can take anything from a matter of days to several weeks if not longer, however, it is important to allocate enough time for reviewing and potentially updating any documentation. One method of achieving this is through a DSPT audit. 

A DSPT audit allows an independent review of a DSPT submission. The toolkit will be analysed for how well it meets the necessary requirements for submission as well as how compliant the organisation is regarding relevant data protection legislation.

It is a good option to allow due diligence prior to completing the final submission and, in many cases, allows feedback for organisations who may not have reached ‘standards met’ but may wish to achieve this prior to submitting their DSPT.  

Our team at BLS Stay Compliant regularly assist our clients with their DSPT submission, whether that is through training, reviewing and auditing the toolkit or even completing the DSPT on behalf of an organisation.

We are pleased that our clients return to us year-on-year for this service, allowing them the peace of mind in not only knowing that the toolkit will be completed thoroughly and accurately, within the time frame but also that their data protection measures are appropriate, with recommendations on how to improve as the legislation develops.

If it this is something your organisation would like to hear more about, please click here to find out more about our services available of do get in touch if you would like to know more.