
















Overview
Are you required by NHS Digital to provide a Data Security and Protection Toolkit (DSP Toolkit/DSPT) submission, and want assurance that yours meets the required standards? Whether you are in the Tier 1 or Tier 2 category looking to have your submission externally audited, or you want to know how to comply with the NHS DSP Toolkit requirements – DPAS are here to help.
Our DSP Toolkit Audit and Report will assess your DSPT compliance to ensure that the evidence uploaded meets the standards required. By completing an external audit, you can be assured that your organisation is not only meeting the requirements of the NHS DSP Toolkit, but you can use it to gain customer trust, enhancing your reputation and demonstrating that you are serious about protecting data. Just as crucially, it can help to raise awareness internally and promote best practices within your organisation, resulting in long-term culture changes that can benefit compliance.
Led by seasoned Information Governance experts, our independent reviews offer a new level of transparency to the Board and Trustees. We meticulously identify areas of concern and potential risks, providing a comprehensive perspective that helps you support regulatory compliance moving forward. The audit will follow the NHS DSP Toolkit Independent Assessment framework and we will produce a Board level report with an associated action plan which details the organisation’s level of compliance. We can provide:
NHS DSP Toolkit (DSPT) Support
– Pre-audit scoping exercise to determine what will be in scope of the audit.
– A pre-audit questionnaire for you to complete, to give us a sense of your existing level of compliance.
– A review of the documentation uploaded to your DSP Toolkit submission to ensure that policies, accountability documentation, procedures, and any further documents are compliant.
– Virtual interviews with key personnel involved with data protection and security, to further determine the level of compliance, as well as identify any gaps or areas that need particular attention.
– A high-level review of the policies, procedures and current systems, to meet the conditions of the DSP Toolkit independent assessment requirements.
– A report detailing the results against each piece of evidence required per assertion, as detailed in the toolkit. This will include a risk rating against each of the standards, an overall risk rating (based on the 10 individual ratings), and an overall confidence rating.
– Recommendations for remediation of risk.
You will receive expert DPO support without the overhead of hiring in-house. Whether you need an interim DPO, outsourced DPO, or specialist data protection expertise, we provide board-level guidance, compliance oversight, and practical, hands-on support tailored to your organisation.
A data breach can happen at any time. Our emergency response team is available 24/7, providing immediate guidance on breach containment, investigation, reporting, and lessons learned to protect your organisation and reputation.
High-risk processing requires a structured approach. We conduct and review DPIAs, identifying risks and providing clear mitigation strategies to keep your organisation compliant and secure.
Managing Data Subject Access Requests (SARs) and individual rights requests can be time-consuming. We handle, redact, and review requests efficiently, ensuring compliance with UK GDPR response deadlines while protecting sensitive data. You can see more about our SAR Service here.
Transferring personal data across borders requires the right safeguards. We assess your data sharing arrangements and ensure compliance with SCCs, IDTAs, and Transfer Risk Assessments. We also provide reports on international data flows and compliance status for leadership discussions.
Your compliance is only as strong as your weakest link. We conduct due diligence on your suppliers, review Data Processing Agreements (DPAs), and help mitigate risks when working with third parties. Findings can be presented at governance meetings to ensure informed decision-making.
Robust policies are the foundation of a strong data protection framework. We create, review, and update key documents, including privacy notices, RoPAs, data protection policies, retention schedules, and internal procedures, ensuring they align with ICO expectations and industry best practices. Our service ensures policies remain up to date with legal changes, tailored to your organisation’s needs, and effectively communicated to staff.
Navigating regulatory requirements can be complex. We act as your main point of contact with the ICO, handling complaints, audits, breach reporting, and regulatory inquiries, ensuring your organisation is represented professionally.
Stay ahead of compliance risks with an independent GDPR and information security audit. We can assess policies, systems, and controls, identifying gaps, risks, and improvement areas, ensuring your organisation remains compliant with data protection legislation.
You’ll have ongoing access to expert advice and support with our DPO services, whether via phone or through our dedicated ticketing system, ensuring you get real-time audited guidance whenever you need it. We will always ensure that there is cover if your dedicated DPO is on holiday or off sick.
Empower your team with expert-led GDPR, AI and data protection training. We can deliver custom training sessions, from board-level briefings to employee workshops, ensuring your staff understands their responsibilities, risks, and best practices. Read more about our training here.
Data protection isn’t just a legal requirement—it’s a business priority. We provide high-level strategic advice to leadership teams, ensuring data privacy is embedded into your wider governance and risk management strategies. Our DPOs attend monthly, quarterly, and yearly board meetings or committees to report on compliance, risk management, and project progress, ensuring senior stakeholders are informed and engaged.
AI and automation are revolutionising business—but they also introduce new risks. We ensure your AI tools comply with data protection laws, from DPIAs to supplier due diligence and governance frameworks.
As a DPAS customer, you gain exclusive access to a wealth of free resources designed to keep your organisation informed and compliant. Our expert-led webinars cover the latest data protection developments, regulatory updates, and practical compliance strategies. You’ll also receive complimentary guides, toolkits, and templates to support your internal processes. Additionally, DPAS customers get priority invitations to industry events, networking opportunities, and roundtable discussions, ensuring you stay ahead in the ever-evolving privacy landscape.
The audit ensures that the evidence provided and assertions made in the DSP Toolkit submission meet the required standards. This assures that your organisation is compliant with the necessary regulations.
The audit process is crucial in raising awareness within your organisation. It fosters a culture of data protection and promotes best practices, ensuring that your team is always informed and vigilant.
The audits are led by seasoned Information Governance experts. Their expertise ensures a thorough and meticulous review, providing unparalleled transparency to the Board and Trustees.
Completing an external audit can significantly boost customer trust. It signals to them that you prioritise data protection, thereby enhancing your organisation’s reputation in the market.
The awareness and best practices promoted by the audit can lead to long-term cultural shifts within your organisation. These shifts can greatly benefit compliance and the general approach to data protection.
The service meticulously identifies areas of concern and potential risks. This comprehensive perspective is invaluable in supporting regulatory compliance in the future.
An outsourced DPO is an external data protection expert who takes on the legal responsibilities of a Data Protection Officer for your organisation. Instead of hiring an in-house DPO, you gain access to expert GDPR support, compliance oversight, and regulatory guidance at a fraction of the cost.
Under UK GDPR and EU GDPR, you must appoint a DPO if:
– You are a public authority or body (except courts acting in a judicial capacity).
– Your core activities involve large-scale processing of special category or criminal offence data.
– You systematically monitor individuals on a large scale.
We provide an emergency response service for data breaches, cyber incidents, and regulatory concerns. You can contact us 24/7 via phone or our ticketing system, and our team will guide you through containment, impact assessment, regulatory reporting, and mitigation strategies.
You will be assigned a dedicated DPO who understands your organisation, industry, and compliance needs. However, we also provide backup cover if your DPO is unavailable, ensuring you always have a fully qualified expert at your disposal.
All of our DPOs have years of experience working in privacy. They all hold various academic qualifications and, at a minimum, hold the BCS Practitioner Certificate in Data Protection and the AI for Data Protection Practitioners CPD, and have Cyber Security training from the Open University.
As your appointed Data Protection Officer, we act as the main point of contact with the Information Commissioner’s Office (ICO) and other regulatory bodies. We respond to ICO inquiries, manage audits, and handle compliance investigations on your behalf, ensuring the best possible outcome.
Our pricing is based on your organisation’s size, sector, and data protection needs. We offer flexible packages, from retainer-based support to full-service DPO solutions. Prices start from as little as £400 per month. Contact us for a tailored quote based on your requirements.
Medical and Healthcare, Education and Schools, Public Sector and Local Authorities, Financial Services, Retail and Leisure, Charities and Nonprofits and many more. All of our team have specialisms in different sectors so we will ensure you are paired with the best DPO to meet your organisation’s needs.
Contact us to discuss your organisation’s needs.
We will put together a tailored proposal based on your organisation’s requirements and the level of support you need. You are then assigned a dedicated DPO, we send you a contract to sign, and then we can get started.
