NHS DSPT Readiness Checklist: Everything You Need Before Your Annual Submission
The DSPT annual submission deadline catches many organisations underprepared. Evidence that was assumed to exist turns out not to be documented. Training completions are 87%, not the required 95%. The business continuity plan hasn't been tested since 2021. This checklist walks through every DSPT evidence requirement across all 10 data security standards — giving you a clear picture of what you have, what you need, and what to prioritise before the 30 June deadline.
Starting your DSPT evidence review in April rather than June gives organisations a 73% higher chance of achieving Standards Met by the submission deadline.
DSPT Evidence Checklist by Standard
For each of the 10 DSPT data security standards, confirm you have the following evidence gathered and ready to upload:
- Standard 1 — Records of Processing Activity (ROPA) completed and reviewed; data flows documented; third-party data sharing agreements in place
- Standard 2 — Acceptable use policy signed by all staff; IG induction process documented for new starters
- Standard 3 — Training completion report showing 95%+ completion; record of training refreshed in current year
- Standard 4 — Access control policy; evidence of regular access reviews; no shared accounts documented
- Standard 5 — Business continuity plan dated and tested; process review records for last 12 months
- Standard 6 — Incident log; evidence of ICO notifications for any reportable breaches; near-miss records
- Standard 7 — Disaster recovery plan including IT recovery; evidence of test exercise in last 12 months
- Standard 8 — Asset register with OS versions; remediation plan or risk acceptance for any unsupported systems
- Standard 9 — Firewall configuration evidence; patch management logs; malware protection evidence; MFA implementation evidence
- Standard 10 — Supplier register with Cyber Essentials status; signed DPAs for all data processors; contract review schedule
Common DSPT Evidence Gaps and Quick Fixes
The most common DSPT evidence gaps identified in the final weeks before submission are: training completion below 95% (set up automated reminders via your learning management system and give line managers personal accountability for their team's completion); no documented business continuity test (a 1-hour tabletop exercise with notes counts — schedule it immediately); unsupported systems with no plan (document a time-bound upgrade plan with budget allocated, or a compensating control risk acceptance signed by the board); and supplier contracts without DPAs (use the NHS standard DPPA template and request countersigned copies from your highest-risk suppliers). Kyanite Blue can assist with DSPT evidence review and gap remediation on an accelerated timeline.
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
Get in touchReady to secure your iGaming operation?
MGA-licensed operators across Malta trust Kyanite Blue.