Published October 15, 2024 - 4 minutes read

All About DSPT

Set yourself up for compliance success.

Demystifying DSPT

The NHS Data Security and Protection Toolkit (DSPT) is one of the core tenets of DTAC and is therefore mandatory for those looking to sell to the NHS. It’s through conformance with DSPT that you can demonstrate robust security and data protection practices whilst creating a strong foundation for continual improvement in these areas. In a nutshell, being compliant with the DSPT requirements sets you up for compliance success in the short, medium and long-term. Not just because there is overlap with global standards such as ISO 27001, but because compliance here will help you avoid the awfully common (and innovation-stunting!) compliance debt.

Foundations of DSPT

Because DSPT is designed to make you compliant with multiple data security requirements, it goes hand in hand with Cyber Essentials (Acorn Compliance Cyber Essentials Guide). By completing DSPT, you will also have covered some aspects of Cyber Essentials. For example, the DSPT requires you to have data handling and device protection policies in place, which can be called on for your Cyber Essentials evidence.

Completing DSPT will also mean you’re aligned to the 2018 General Data Protection Regulation. DSPT is a contractual requirement for social/healthcare providers, i.e. anyone who handles NHS patient data, and third-party vendors who provide other items to the NHS such as SaaS solutions or physical products used in NHS sites.

For innovators, DSPT can also help build patient trust in your app and strengthen your organisation’s reputation, as it shows a commitment to data security to both stakeholders and patients. It contains specific sections on how to mitigate harm to patients if there is a data breach. Through conformance with the DSPT, organisations learn how to reduce the amount of sensitive data being held and to create an emergency plan for how to respond to a theoretical data breach so that the impact of any such incident can be minimised.

Maintaining DSPT Compliance

DSPT must be reviewed each and every year, and the standard itself has been known to go through multiple iterations each year. Through continuous evaluation against the DSPT, you will ensure your data protection and security practices remain relevant to the current level of threat from things like ransomware, phishing and other kinds of cyber attack.

Falling behind on conformance once you’ve won NHS contracts is likely to mean you’ll be in breach of your contract with the NHS as you will no longer be DTAC compliant. This can put your contracts, income, and strategy in danger. Therefore, it should be a top priority to continuously monitor your security posture and conformance with the latest DSPT question set.

Get help with DSPT

Whilst the DTAC Squirrel™ makes DSPT a breeze, the DIY approach will take you time as there are over 70 questions to answer (not all mandatory) to prove your security posture.

Our advice for innovators is to focus your efforts on conformance with the mandatory questions first. This is because being able to answer the mandatory questions affirmatively will prove you have a robust base and practices for protecting the data you’re processing.

Breaking down DSPT into bite-sized pieces can make it far less daunting. Now, the DTAC Squirrel™ AI can accelerate your path to compliance by streamlining the process into smaller, more manageable tasks and will assist you in maintaining DSPT and DTAC compliance as your organisation and product evolve!

If you’d like to know more about how the DTAC Squirrel™ can help, watch a demo here or book a discovery call. And some even better news: if you’re a non-funded innovator with up to 3 staff and are pre-revenue, you can benefit from our pay-monthly Squirrel™ Starter Plan.
