Skip to content
360 Cyber Compliance

DSPT · 1 July 2026

Common DSPT mistakes and how to avoid them

Most organisations don’t struggle with the Data Security and Protection Toolkit (DSPT) because the questions are hard — they struggle because a handful of avoidable slips creep in every year. This guide sets out the mistakes we see most often and how to steer clear of them.

1. Leaving it until June

The standard annual deadline is 30 June, and the toolkit resets each year. Treating it as a last-minute job almost always means rushed answers and thin evidence. Gathering training logs, testing a backup, or updating a policy all take longer than expected. Start early — ideally a couple of months out — so you have time to close gaps properly. Our guide to the DSPT deadline and annual cycle explains how to plan the year.

2. Answering optimistically instead of honestly

It’s tempting to confirm an assertion because you think the control should be in place. But the DSPT is a self-assessment you may be asked to evidence, and an over-confident answer you can’t back up is worse than an honest “not yet”. If a control isn’t fully in place, record it as a gap and put a plan against it. Honesty here protects you and gives you a genuine improvement roadmap.

3. Confusing “submitted” with “Standards Met”

Submitting the toolkit is not the same as reaching Standards Met. If you can’t yet confirm every mandatory assertion, you may only reach Approaching Standards, which flags outstanding work rather than full compliance. Know which status you are aiming for and what still stands between you and it — our guide on Standards Met vs Approaching Standards breaks this down.

4. No real information asset register

Many providers write generic answers without ever listing what data they actually hold. A proper information asset register — what personal and health data you keep, where it lives, and who owns it — underpins several assertions and your wider UK GDPR obligations. Skipping it leaves your answers unsupported.

5. Training that isn’t evidenced

Confirming that staff are trained is easy; proving it is where people come unstuck. You need a training log showing who completed data security and information governance training and when, plus evidence that new starters are covered at induction. A confident answer with no log behind it is a weak spot.

6. Forgetting the leavers process

Access control isn’t only about setting up accounts — it’s about removing them promptly when someone leaves. Old accounts that stay active are a genuine security risk and a frequent gap. Keep a simple joiners, movers and leavers record so you can show access is removed on time.

7. Untested backups

Scheduling a backup is not the same as knowing it works. If you’ve never restored from it, you can’t be sure your data is recoverable. Test a restore, note the date, and keep that evidence. This is one of the most common gaps we see and one of the easiest to fix.

8. Ignoring your suppliers

If a third party processes data on your behalf — a care planning system, payroll, an IT provider — their security is part of your risk. You should have processing agreements in place and some assurance that key suppliers handle data responsibly. Overlooking this leaves a blind spot the toolkit expects you to address.

9. Treating cyber controls as someone else’s job

Patching, anti-malware, secure device configuration and access controls all feature in the DSPT. Assuming “the IT company handles that” without evidence won’t satisfy the assertions. If you hold Cyber Essentials, several of these answers become straightforward — and you have independent proof.

10. Not keeping evidence for next year

The toolkit is annual, so anything you scramble to produce this year will be needed again. Storing your evidence in one place, with review dates, turns next year’s submission from a fresh ordeal into a quick refresh.

A quick self-check

MistakeQuick fix
Left until JuneStart two months early
Optimistic answersRecord honest gaps with a plan
Submitted, not metConfirm your target status
No asset registerList data, location and owner
Unevidenced trainingKeep a dated training log
No leavers processLog access removal
Untested backupsRestore and record the date
Suppliers ignoredCheck agreements and assurance
Cyber left to ITEvidence controls or certify
Evidence not keptStore it centrally with review dates

You can pressure-test your position quickly with our DSPT readiness checker, and the DSPT evidence checklist shows exactly what to gather. Unfamiliar terms are explained in our glossary.

The mistake behind the mistakes

If there’s a single root cause behind most of the slips above, it’s treating the DSPT as a one-off form rather than an ongoing reflection of how you run your organisation. When the toolkit is something you fill in each June and forget, gaps naturally accumulate: training drifts out of date, a supplier changes without anyone updating the paperwork, a backup goes untested for a year. When instead you treat it as a light, continuous habit — a quick quarterly check that your controls still hold — the annual submission stops being a source of stress and becomes a simple confirmation of good practice you already follow.

Turning mistakes into a checklist

The most useful thing you can do with a list like this is turn it into your own pre-submission review. Before you submit, walk through each item and ask honestly whether you can evidence it today. If you can, note where that evidence lives. If you can’t, record it as a gap with a date to fix it. This single pass catches the great majority of problems before they affect your status, and it leaves you with a tidy record you can build on next year. It’s a small discipline that repays itself many times over.

How we can help

Avoiding these mistakes is largely about knowing what to look for and giving yourself enough time. If you’d rather have an experienced pair of eyes on it, we offer a transparent, fixed-fee engagement that reviews your answers, flags weak evidence, and supports you through to submission. Take a look at our DSPT service or contact us for a straightforward conversation about where you stand.

Need help in practice? See our DSP Toolkit (DSPT) service.

Need a hand with this?

Book a free, no-obligation readiness check.