NHS DSPT Evidence Gathering: How to Build Your Annual Submission
The DSPT self-assessment is deceptively straightforward to complete and genuinely challenging to complete well. Marking all 10 standards as "Standards Met" requires documented evidence — not just a belief that the controls are in place. Organisations that build a year-round evidence collection habit find the annual submission straightforward. Those that scramble in the final weeks before the deadline find it revealing: gaps that were assumed to be covered turn out not to be.
34% of NHS organisations achieve only "Approaching Standards" in their annual DSPT return — often due to evidence gaps rather than actual control failures.
Building Your DSPT Evidence Library
For each of the 10 data security standards, the DSPT requires specific types of evidence:
Standard 1 (Personal Confidential Data): documented data flows, Records of Processing Activity
Standard 2 (Staff Responsibilities): signed acceptable use policies, evidence of IG inductions
Standard 3 (Training): training completion reports showing 95% compliance
Standard 4 (Managing Data Access): access control policy, quarterly access reviews
Standard 5 (Process Reviews): documented business continuity plans with dates of last test
Standard 6 (Responding to Incidents): incident log, evidence of ICO notifications where required
Standard 7 (Continuity Planning): tested disaster recovery plan
Standard 8 (Unsupported Systems): asset register with OS versions, remediation plan for unsupported systems
Standard 9 (IT Protection): firewall configuration evidence, patch management logs
Standard 10 (Accountable Suppliers): supplier register with Cyber Essentials status, contractual DPPA evidence
Common DSPT Failure Points and How to Address Them
The most common reasons organisations fail to achieve Standards Met are:
Training completion below 95%: the fix is usually operational — clear accountability with line managers, regular reminders with deadline visibility, and making the training genuinely accessible.
Unsupported systems on the network: requires a time-bound remediation or risk acceptance plan with board sign-off.
No tested business continuity plan: the test does not need to be a full-scale exercise — a documented tabletop test with a recorded outcome is sufficient.
No right-to-audit clause in supplier contracts: requires a contract review programme, prioritising the highest-risk suppliers.
Kyanite Blue's vCISO services include DSPT readiness assessment and evidence gap remediation for healthcare organisations.