How to get DSPT for SMEs — what it is, who needs it

DSPT sounds like one of those dry acronyms that exist to keep managers awake. In plain terms, the Data Security and Protection Toolkit (DSPT) is the online self-assessment that NHS organisations and their suppliers use to show they handle patient data securely; it is published by NHS England and measures you against the National Data Guardian's ten data security standards. For UK SMEs that handle NHS patient information, or want to win NHS work, it matters more than you might think.

Why your business should care

This isn’t just IT box-ticking. DSPT affects whether you can bid for contracts, stay on approved supplier lists and keep existing partnerships. It also affects insurance, procurement checks and, most importantly, how customers perceive your competence with confidential data.

Ignore it and you risk losing work. Do the minimum and you may still be vulnerable to data incidents that cost time, money and reputation. Get it right and you win credibility: fewer procurement hassles, smoother audits and a stronger position in tendering.

Who actually needs DSPT?

Not every UK business needs it. The DSPT is aimed at organisations that process NHS patient data or access NHS systems. That includes:

  • Primary care contractors and their suppliers;
  • Local services and community providers that handle patient information;
  • Third-party suppliers and software vendors working with NHS data;
  • Any SME that processes patient-identifiable data on behalf of an NHS organisation.

The typical case is a small IT firm, software supplier or healthcare support company that discovers it is part of an NHS supply chain and suddenly needs evidence that its data practices are fit for purpose.

What the DSPT actually involves

The Toolkit is a structured self-assessment of policies, processes and technical controls. It asks for evidence that you:

  • Understand who can access data and why;
  • Have proportionate controls for access, encryption and backups;
  • Train staff on data handling and information governance;
  • Can spot, report and learn from security incidents;
  • Maintain business continuity and third-party oversight.

That's a high-level list. In practice you'll be collecting policies, screenshots, logs and short statements showing how you meet each requirement. The approach that works balances documented controls with sensible technical measures, not a drawer full of policies nobody follows.

How to get DSPT done — a pragmatic step-by-step

SMEs don’t need a parade of consultants to complete DSPT. A focused approach usually works best:

1. Scope it

Start by mapping what patient data you hold, where it is and which systems or subcontractors touch it. If a supplier handles data for you, include them in the scope.

2. Gap assessment

Work through the Toolkit questions and mark where you already comply and where you don't. This is a checklist job: policy gaps, missing controls and training you haven't documented are the common failures.

3. Prioritise fixes

Tackle quick wins first. Policies and basic staff training are inexpensive and make a big difference. Next, fix the glaring technical gaps: access control so people only see the data their role needs, strong passwords with multi-factor authentication wherever practical, and backups that you have actually tested restoring from.

4. Collect evidence

Evidence can be simple. Screenshots, dated policy documents, training logs and configuration notes often do the trick. Make sure what you show matches what you claim in the assessment; a discrepancy between a claim and its evidence is the fastest route to a failed or questioned submission.

5. Submit and maintain

Complete the online self-assessment and keep copies of everything you submitted. DSPT is not a one-off: the assessment is republished and must be resubmitted every year, and the evidence behind it goes stale. Schedule reviews, refresh training and treat it as part of regular housekeeping.

Common traps and how to avoid them

Some mistakes are so common they deserve a warning sign:

  • Over-reliance on a single person. If only one staff member understands your controls, you’re fragile.
  • Evidence mismatch. Saying you do something and not having proof is worse than saying nothing.
  • Ignoring subcontractors. If your cloud provider or service partner has weak controls, that's your problem too: you remain accountable for the data you process on the NHS's behalf, so get their assurances (contract terms, their own DSPT status or an equivalent certification) in writing.
  • Thinking it’s purely technical. Policies and staff behaviour matter as much as firewalls.

Teams most often go wrong by treating the DSPT as an IT-only task. In reality it is a business process that touches HR, operations and procurement as well.

Options for SMEs — who actually does the work?

There are three practical routes:

  1. Do it yourself. Cost-effective if you have competent staff and simple systems. Expect a focused few days of work if you’re organised.
  2. Hire a short-term consultant. Useful when internal time is limited or you need help translating technical controls into evidence.
  3. Use an IT partner for an ongoing service. For many SMEs this is the route that works in practice: the partner implements controls, maintains evidence and helps with updates, which suits you if you prefer to reduce internal overhead.

If your business supports healthcare customers or you need help combining IT control with NHS expectations, consider getting ongoing help from specialist providers; for example see healthcare IT support that understands both security and practical service delivery.

How long and how much?

The simple answer: it depends. A tidy small business with clear processes can complete the assessment quickly. A business with a patchwork of systems, or one that hasn’t kept policies up to date, will take longer. Cost-wise, small fixes and staff time are often enough. If you need technical change or external consultancy, budget for that — but remember the cost of not being able to bid for NHS work can be far higher.

Keeping it useful instead of ceremonial

DSPT shouldn’t be a compliance hamster wheel. Treat it as a tool to reduce operational risk. Make your policies usable, train people practically, and use incidents as a learning loop. The goal is resilience: less downtime, fewer patient-impacting incidents and more confidence when tendering.

When you approach the DSPT with a business-first mindset you’ll find the benefits aren’t just a green tick on a form — they translate into credibility, smoother procurement and fewer surprises.

Next steps

Start by mapping where patient data lives in your business and run a quick gap check against the Toolkit. If that feels like too much to manage in-house, consider a short consultancy sprint to get you over the initial hump, or hand the operational burden to a trusted IT partner so you can focus on running the business.

If you want less hassle, more credibility and a calmer procurement process, put a simple DSPT plan in place. It saves time, protects contracts and gives customers confidence — which, in the end, is what keeps a business growing.
