top of page

A Complete Guide to the NHS DSPT for HealthTech Companies (and How to Get Support)

  • Writer: Joe Stock
    Joe Stock
  • Mar 11
  • 3 min read

Everything you need to know to meet the 30 June 2026 deadline with confidence.

For organisations that handle NHS data, completing the NHS Data Security and Protection Toolkit (DSPT) is a mandatory self-assessment tool that must be completed annually. Yet for many healthtech teams, the DSPT can feel confusing, time‑consuming, and difficult to navigate without specialist guidance.


This article breaks down the DSPT in clear, practical language and provides step‑by‑step insight into what’s required. If you're a healthtech founder, digital health supplier, NHS partner, or any organisation needing to process NHS data, this guide will help you understand what the DSPT is, how to complete it, and how Iniver can support you.


What Is the DSPT?

The Data Security and Protection Toolkit is a self‑assessment framework that demonstrates your organisation is handling NHS data safely, legally, and in line with national expectations.


It applies to all organisations processing NHS data, from early‑stage healthtech startups to large digital suppliers


Completing the DSPT is essential for:

  • Access to NHS systems

  • Maintaining NHS partnerships

  • Contract renewals

  • Securing new NHS customers

  • Demonstrating trust and compliance to commissioners


DSPT is set against the 10 NHS Data Security Standards. Whilst there is some overlap with the UK General Data Protection Regulation (GDPR), it does not make you in itself 'GDPR Compliant'.


Why DSPT Compliance Matters

Failing to complete the DSPT can lead to:

  • Loss of access to NHS data

  • Blocked integrations or deployments

  • Contract delays

  • Audit findings

  • Reputational risk

  • Barriers to scaling into the NHS market


For healthtech companies, especially those seeking NHS adoption, DSPT compliance signals maturity, trustworthiness, and robust handling of sensitive data.


How to Get Started With DSPT


1. Get an ODS Code & Register

Your first step is registering your organisation on the DSPT portal and obtaining an ODS code.


2. Identify Your Organisation Category

This is important - your category defines how many requirements you must meet.


3. Choose Your Level of Completion

You can either complete:

  • Standards Met (mandatory requirements only), or

  • Standards Exceeded (full completion)

Choosing the right level depends on your risk profile, client expectations, and internal capability.


What’s Involved in Completing the DSPT?

The DSPT assessment is based on 10 key areas of focus, each containing multiple requirements.

These cover areas such as:

  • Governance

  • Training

  • Incident management

  • Technical security

  • Data protection policies

  • Supplier assurance


Some requirements require evidence uploads, while others just need a formal confirmation.


Important for HealthTech Suppliers

If you submit as under the IT Supplier category, you must undergo an independent DSPT audit. This is often the most demanding part for digital health companies.


Audit Oversight

Although DSPT is self‑assessment, NHS bodies may still audit your submission in specific circumstances.


Key DSPT Deadlines & Annual Cycle

  • DSPT must be completed every year

  • The next deadline: 30 June 2026 

  • Requirements change annually, so don’t assume last year’s submission is enough


If you hold Cyber Essentials Plus or ISO 27001, you’ll have fewer DSPT requirements to complete


Why You Should Never Leave DSPT to the Last Minute

The DSPT can take longer than expected, especially if:

  • Evidence needs to be gathered

  • Policies require updating

  • Technical controls need improvement

  • You're submitting as an IT Supplier


You should ideally begin your DSPT review at least two months before the deadline.


How Iniver Helps You Complete DSPT Smoothly

Whether you're a first‑timer, returning submitter, or an organisation needing an independent audit, Iniver provides scalable support packages to get your DSPT completed without stress.


Our DSPT Support Includes:

  • Full onboarding and category selection

  • Gap analysis and action planning

  • Drafting and updating evidence

  • Building or reviewing required policies

  • DSPT portal management

  • Pre‑submission quality checks

  • Independent audit for IT Suppliers

  • Ongoing advice on compliance improvements


We support healthtech companies, NHS‑connected organisations, and digital suppliers at every level of maturity.


Ready to Complete Your DSPT With Confidence?

If you want DSPT done accurately, efficiently, and with an experienced partner, we’re here to help.


Contact Iniver

Email hello@iniver.co.uk, use our 'Contact Us' form or call+44 7356 251 922


✔ Support for first‑time submitters

✔ Reviews for experienced teams

✔ Full audit‑ready completion packages


Let Iniver take the complexity out of the DSPT so you can stay focused on delivering exceptional healthtech innovation. View our packages at here.

bottom of page