Skip to content
360 Cyber Compliance

DSPT · 1 July 2026

The DSPT deadline and annual cycle: planning ahead

The Data Security and Protection Toolkit (DSPT) isn’t a one-off form — it’s an annual commitment that resets every year. Understanding the cycle, and planning around it, is the difference between a calm renewal and a June scramble. This guide explains the key dates and how to spread the work sensibly.

The headline date: 30 June

The standard annual DSPT deadline is 30 June. By that date, organisations that handle NHS health and care data or use NHS systems are expected to have completed their submission for the year. After the deadline passes, the toolkit rolls into a new assessment year and the clock starts again.

Because it’s annual, a submission never “stays done”. The controls you evidenced last year need re-confirming, your training needs refreshing, and any gaps you flagged should now be closed.

Why deadlines can differ

While 30 June is the standard deadline, timing can vary depending on your organisation type and how NHS England structures the assessment year. Some larger organisations work to additional milestones during the year. The safest approach is to confirm the current deadline that applies to your organisation on the official toolkit rather than assume, and to treat 30 June as your working target unless told otherwise.

Baseline versus full submission

You may come across the idea of a baseline or interim checkpoint versus a full submission:

  • A baseline style checkpoint is about demonstrating that core, essential controls are in place — the foundations of good data security.
  • A full submission is the complete assessment against all the assertions that apply to your organisation profile.

The exact structure is set by NHS England and can change between years, so read the current requirements when you log in. Whatever the labels, the principle holds: get the fundamentals solid first, then complete the wider assessment.

A sensible annual plan

Spreading the work across the year removes almost all of the pressure. Here’s a realistic rhythm you can adapt.

WhenFocus
Just after submittingNote every gap you flagged and any “just in time” fixes
AutumnClose outstanding gaps; refresh policies
WinterRun and record a backup restore test
Early springCheck staff training is current; chase anyone overdue
SpringReview the information asset register and supplier agreements
April–MayComplete the assessment while there’s time to fix issues
By 30 JuneSubmit with evidence stored and ready

Even a light touch each quarter keeps you far ahead of a single annual push.

Build a simple evidence routine

The organisations that find renewal easiest are the ones that keep a live evidence pack throughout the year. Store your training log, asset register, policies, backup test records and incident log in one place, each with a “last reviewed” date. When renewal comes round, you’re refreshing dates and filling small gaps rather than starting from scratch. Our DSPT evidence checklist sets out exactly what to keep.

Don’t lose sight of the target status

Meeting the deadline is only half the picture — you also want to reach the right outcome. Submitting on time but only reaching Approaching Standards still leaves work outstanding. Aim to reach Standards Met before the deadline, giving yourself a buffer to resolve anything that isn’t quite there. Our guide to Standards Met vs Approaching Standards explains the difference, and what happens if you miss the deadline covers the consequences of slipping.

Give yourself a buffer before 30 June

One of the most common causes of a stressful June is aiming to finish on the deadline rather than before it. If your last task is to test a backup or chase the final few staff through their training, and something doesn’t work first time, you’ve left yourself no room. Set your own internal target a fortnight ahead of 30 June. That buffer turns “we just made it” into “we’re comfortably done”, and it means an unexpected problem — a supplier who’s slow to confirm assurance, a policy that needs sign-off — doesn’t derail your submission.

Keep a short handover note

Staff move on, and the person who completed the DSPT this year may not be the one doing it next year. A brief handover note — where the evidence lives, who owns each control, the login details held securely, and any quirks about your organisation profile — protects you against losing that knowledge. It’s a small habit that saves a great deal of rediscovery each cycle and keeps your annual rhythm intact regardless of who’s at the wheel.

Review, don’t just repeat

The annual reset is also a genuine opportunity, not merely an administrative chore. Each year your systems, suppliers and staff change, and the reset is a natural prompt to check that your evidence still reflects reality. Has a new care planning system come in? Have you taken on more mobile devices? Has a key supplier changed? Treating renewal as a quick review rather than a copy-paste of last year keeps your data security genuinely current, which is the whole point of the exercise.

Check where you stand

If you’re not sure how much work is ahead of you, our DSPT readiness checker gives you a quick read in a few minutes. Any unfamiliar terms are explained in the glossary.

How we can help

Planning the year is straightforward once you know the rhythm, but many care teams simply don’t have the time to keep on top of it. We offer a clear, fixed-fee engagement that helps you build a repeatable annual routine, close gaps early, and reach your submission with time to spare. If that would help, explore our DSPT service or get in touch for a relaxed, no-pressure conversation.

Need help in practice? See our DSP Toolkit (DSPT) service.

Need a hand with this?

Book a free, no-obligation readiness check.