Skip to content
360 Cyber Compliance

DSPT · 1 July 2026

DSPT and UK GDPR: how they relate

The Data Security and Protection Toolkit (DSPT) and UK GDPR are closely related, and people often ask whether doing one covers the other. The short answer is that they overlap a great deal but aren’t identical. This guide explains how they fit together so you can use your effort on one to strengthen the other.

Two different things doing similar work

UK GDPR (alongside the Data Protection Act 2018) is the law that governs how you handle personal data. It’s overseen by the Information Commissioner’s Office (ICO) and applies to almost every organisation, whatever sector.

The DSPT is an annual online self-assessment run by NHS England for organisations that handle NHS health and care data or use NHS systems. It isn’t a law in itself — it’s a way of evidencing that you meet a set of data-security and information-governance expectations, many of which flow directly from data protection law.

So UK GDPR sets the legal obligations; the DSPT gives you a structured, NHS-recognised way to demonstrate you’re meeting the security and governance side of them.

Where they overlap

A great deal of what the DSPT asks for is also required, in substance, by UK GDPR:

ThemeUK GDPR expectationReflected in the DSPT
AccountabilityA named person responsible for data protectionGovernance assertions
RecordsA record of processing activities (ROPA)Information asset register
SecurityAppropriate technical and organisational measuresCyber and access controls
TrainingStaff aware of their responsibilitiesAnnual training assertions
BreachesReport notifiable breaches to the ICO within 72 hoursIncident management assertions
SuppliersContracts with processorsSupplier assurance assertions

Because of this overlap, the work you do for one feeds the other. The same information asset register, the same training log, and the same breach procedure support both your DSPT submission and your UK GDPR compliance.

Where they differ

They aren’t interchangeable, though:

  • Scope. UK GDPR covers all personal data you hold — staff, suppliers, marketing contacts — not only NHS health data. The DSPT focuses on data security and information governance in the NHS context.
  • Authority. UK GDPR is enforced by the ICO with legal penalties. The DSPT is an NHS assurance mechanism tied to your access to NHS systems and to commissioner expectations.
  • Format. The DSPT is a specific annual self-assessment with a 30 June deadline. UK GDPR is an ongoing legal duty with no single form to complete.

In practice this means completing the DSPT does not automatically make you fully UK GDPR compliant, and being broadly GDPR-aware doesn’t automatically complete your DSPT. They reinforce each other rather than replace one another.

Using one to strengthen the other

The most efficient approach is to treat them as a single, joined-up programme of work:

  1. Build your foundations once. A solid information asset register, ROPA, policies, training log and breach procedure serve both.
  2. Map DSPT assertions to your GDPR records. Our DSPT evidence checklist shows how the same evidence supports multiple assertions.
  3. Keep everything live. Reviewing your records through the year — as set out in our DSPT deadline and annual cycle guide — keeps both your DSPT and your GDPR position current.
  4. Close gaps that count twice. Fixing an untested backup or a missing leavers process improves both your security posture and your legal compliance.

Don’t forget the cyber angle

The security measures UK GDPR requires, and the DSPT’s technical assertions, both align well with Cyber Essentials — a scheme covering the basics of good cyber hygiene. Certification gives you independent evidence that supports all three. Our guide on how the DSPT and Cyber Essentials relate explains this, and the glossary covers any unfamiliar terms.

A common misunderstanding worth clearing up

Because the two overlap so much, some providers assume that a completed DSPT is a certificate of full GDPR compliance, or that registering with the ICO makes the DSPT unnecessary. Neither is true. The DSPT evidences a specific set of data-security and information-governance expectations in the NHS context; it doesn’t cover every corner of your legal duties, such as how you handle subject access requests or your lawful basis for marketing. Equally, paying your ICO data protection fee is a legal requirement but says nothing about whether your NHS data security is sound. Seeing them as complementary — each covering ground the other doesn’t fully reach — keeps you on the right side of both.

Building a single evidence base

The practical upshot is that you should aim to build one well-organised evidence base that serves both regimes, rather than maintaining two parallel sets of paperwork. Your data protection policy, information asset register, record of processing activities, training log, breach procedure and supplier contracts are all documents that both your DSPT and your UK GDPR position draw upon. Reviewing them once a year, keeping them current, and storing them together means that whether you’re facing a DSPT renewal or an ICO query, the answer is already to hand. This joined-up approach is not only more efficient — it also tends to produce better, more consistent evidence, because you’re maintaining a single source of truth rather than reconciling two.

Check where you stand

Our DSPT readiness checker gives you a quick sense of your DSPT position, which in turn highlights areas of your wider data protection worth reviewing.

How we can help

Seen together, the DSPT and UK GDPR are less daunting than they first appear — the same groundwork serves both. We offer a clear, fixed-fee engagement that joins up your data protection and DSPT work, so you’re not doing the same thing twice, and supports you through to submission. Explore our DSPT service or get in touch for a friendly, no-obligation chat.

Need help in practice? See our DSP Toolkit (DSPT) service.

Need a hand with this?

Book a free, no-obligation readiness check.