Skip to content
360 Cyber Compliance

Data protection · 1 July 2026

UK GDPR vs DSPT: what's the difference?

UK GDPR and the Data Security and Protection Toolkit (DSPT) both concern the safe and lawful handling of personal data, so care providers often ask how they differ. The short answer is that one is the law and the other is a way of demonstrating you follow it within the NHS. UK GDPR is legislation that applies to almost every organisation; the DSPT is an NHS self-assessment that, among other things, helps you evidence your data-protection obligations. This guide explains both and how they fit together.

What each one is

The UK GDPR, alongside the Data Protection Act 2018, is the UK’s data-protection law. It governs how organisations collect, use, store and share personal data — from lawful bases and individuals’ rights to security, breach reporting and accountability. It applies to virtually every organisation that handles personal data, not just health and care. The regulator is the Information Commissioner’s Office (ICO), which can investigate complaints and issue enforcement action, including fines. Compliance is an ongoing legal duty, not a one-off exercise. Our data protection and GDPR service page covers what this means in practice.

The DSPT is a free, annual self-assessment published by NHS England, with a submission deadline of 30 June each year. Organisations that handle NHS patient data or connect to national systems are expected to complete it. It asks you to confirm and evidence that you meet a range of data-security and information-governance standards — many of which map directly onto UK GDPR requirements. It is a tool for demonstrating good practice to the NHS, not a law in its own right. See our guide what is the DSPT? for the detail.

Side-by-side comparison

FeatureUK GDPR (with DPA 2018)DSPT
What it isData-protection lawNHS annual self-assessment
Set byUK legislationNHS England
Enforced byThe ICONHS England (contractual expectation)
Applies toAlmost every organisationHandlers of NHS patient data
NatureLegal obligationAssurance mechanism
FrequencyOngoing, continuous dutyAnnual, deadline 30 June
Consequence of failureRegulatory action, finesLoss of NHS data-sharing standing
ScopeAll personal dataData security and information governance

The key differences

The defining difference is status. UK GDPR is the law — you must comply whether or not you ever complete a DSPT. The DSPT is a framework for demonstrating compliance within the health and care sector; it does not replace the law, it helps you show you are meeting it.

The second difference is who is affected. UK GDPR applies to almost everyone handling personal data, across every sector. The DSPT is specific to organisations working with NHS patient data or national systems. A small business with no NHS involvement still has full UK GDPR duties but has no reason to touch the DSPT.

The third is how they are enforced. UK GDPR is overseen by the ICO, an independent regulator with statutory powers. The DSPT is driven by NHS contractual expectations — failing to submit a satisfactory toolkit can affect your ability to share data with the NHS, but it is not the ICO issuing a penalty.

A fourth difference is timing and rhythm. UK GDPR compliance is continuous: your duties apply every day, and an obligation such as reporting a serious personal-data breach to the ICO within 72 hours does not wait for an annual cycle. The DSPT, by contrast, is a yearly submission with a fixed 30 June deadline. The two rhythms complement each other — the ongoing legal duty is the substance, and the annual toolkit is a scheduled moment to take stock and evidence that the substance is in place.

Which do you need?

If you handle personal data — and virtually every care provider does — you must comply with UK GDPR. That is not a choice. It underpins everything: your privacy notices, your lawful bases for processing, your handling of subject access requests, and your duty to report serious breaches to the ICO within 72 hours.

If you also handle NHS patient data or use national systems, you will additionally be expected to complete the DSPT each year. So for most care providers the honest answer is not “which one” but “both” — UK GDPR as the legal baseline, and the DSPT as the annual NHS-facing assurance built on top of it.

Can you need both — and how they relate?

Almost every care provider needs both, and they reinforce each other. Large parts of the DSPT exist precisely to help you evidence UK GDPR compliance. When the toolkit asks about your record of processing activities, staff training, breach procedures, access controls and supplier contracts, it is asking about the very things UK GDPR requires. Doing the DSPT well is, in effect, a structured annual health-check on your data-protection compliance.

The practical implication is that the two should be run together, not as separate projects. The record of processing activities (ROPA) and data-protection policies you maintain for UK GDPR become your DSPT evidence; the annual DSPT deadline gives you a natural prompt to review that documentation. If your organisation would benefit from dedicated expertise, an outsourced Data Protection Officer can hold both threads together.

It is also worth noting where security certifications fit. Schemes such as Cyber Essentials and ISO 27001 strengthen the technical and organisational measures that UK GDPR requires and that the DSPT asks you to evidence — so they support both at once. Our guide on DSPT vs ISO 27001 explores that relationship further, and the glossary explains any unfamiliar terms.

Not sure which you need?

Understanding where your legal duties end and your NHS assurance obligations begin — and making the two work together efficiently — is exactly the kind of thing we help care providers with every day. Through a clear, fixed-fee engagement we can review your current position, identify gaps and support you through both. For a friendly, no-obligation chat, get in touch.

Need a hand with this?

Book a free, no-obligation readiness check.