Digital DPIA (Data Protection Impact Assessment)
This collaborative project co-designed and developed a digital approach to Data Protection Impact Assessments, fundamental on many levels not only to the handling of personal data, but also to manage organisational risk and underpin project success.
The resulting solution ‘Dapian’ is now available to deploy and you can find out more about the solution and business case here.
A Data Protection Impact Assessment (DPIA) is an important tool to ensure compliance with the General Data Protection Regulation (GDPR). Whilst a legal requirement in the case of “High Risk” processing, many Data Controllers undertake a DPIA for any new data sharing and data processing operations and projects.
The current DPIA status quo is often a lengthy, paper-based, complicated, inefficient and non-standardised process that lacks the benefit of smart working practices. DPOs and IG professionals across the country can all see the benefits a digital approach will bring.
Working with leading public sector solution designers, Looking Local, in collaboration with 12 public sector bodies from across local government, health and education, and with engagement from the ICO, NHSX, IRMS and the Information Sharing Gateway, this project will shape the future of the DPIA process.
The resulting co-designed solution will deliver a cloud-based platform which will assess whether a DPIA needs to be completed, provide a standardised approach to data capture, and allow tasks to be allocated to various user roles to ensure timely, quality completion and sign-off of a DPIA.
By developing a guided, accessible and national platform, it will be possible to equip individual service departments with the tools they need to assume responsibility for their own DPIA needs. This both upskills staff and spreads the burden of completing DPIAs, while also enabling collaborative, multi-partner DPIA management.
Following an all partner discovery workshop and one-to-one sessions with each of the partners, the Digital DPIA Discovery Report is now complete and available to share.
Technical partners Looking Local completed a rigorous discovery process and prioritised the key elements of a digital approach:
- Cloud-based solution enabling multi-agency collaboration
- Plain, jargon-free language
- Simple DPIA screening tool
- Standardised DPIA forms
- Cloning functionality
- Searchable library of completed DPIAs
- Automated review triggers (and more)
To request a copy of the discovery report, please contact us.
CO-DESIGN & DEVELOPMENT
Development is now complete. During development Looking Local followed agile product development principles. Following the release of a light prototype, feedback from the co-designing partners was invited on every major release. Partners were actively encouraged to test each iteration with real end users to achieve real user-centred design.
Nineteen work packages were identified for the development and delivery of the digital DPIA solution. The order in which the work packages have been tackled was determined by the collaborating organisations, in line with the shifting priorities of the group.
BENEFITS & BUSINESS CASE
All the parties involved are passionate about this project and about the benefits a digital DPIA tool will deliver. These are some of the benefits we have identified to date:
- Embed a ‘Data Protection By Design and Default’ project approach
- Accessible to the wider business both nationally and internationally
- Saves time and delivers efficiencies
- Legal compliance as set out by Privacy legislation
- Engaging IG from the outset
- Robust management of risk
- Demonstrable accountability
In an earlier GMCA-led discovery and alpha phase project, the ‘as-is’ process and the potential ‘to-be’ process (supported by a Digital DPIA tool) were examined in detail. It was estimated that there could be savings of around 50 hours in the effort it takes all parties to complete one DPIA; a percentage saving of around 65%.
With the change in legislation and the legal requirement the GDPR brings to conduct a DPIA when processing presents a significant risk to a person’s personal data, we know the number of DPIAs conducted by organisations is only going to rise. Given the penalties that organisations who fall foul of the GDPR could face, we project that DPIAs will become the norm for all data processing activities, not just when legally necessary, as this ensures an organisation can demonstrate a ‘privacy by design’ approach.
During this programme of work, we shall be looking in more detail at the savings and business case to move to a digital approach.
For any questions about this project, or to request the Digital DPIA Discovery report, please drop us a line at firstname.lastname@example.org