Digital DPIA (Data Protection Impact Assessment)
Develop a digital Data Protection Impact Assessment platform that will be fundamental to an organisation’s ‘privacy by design’ approach and improve collaboration with partners – unlocking DPIA’s from their organisational silos.
A Data Protection Impact Assessment (DPIA) is an important to tool to ensure compliance with the General Data Protection Regulation (GDPR). Whilst a legal requirement in case of “High Risk” processing most Data Controllers will do a DPIA for any new data sharing and data processing operations and projects.
In this innovative project you have an excellent opportunity to shape the future of DPIAs. You will be involved with helping to co-design an online DPIA assessment platform and shape data standards which will address the fundamental issues Data Controllers face when conducting DPIAs.
Working with our development partners, Looking Local, we are proposing to build a digital platform which will assess if there is a need for a DPIA to be completed, provide a standardised approach to the data capture of a DPIA assessment and the ability to allocate tasks to various user roles within the platform to ensure timely quality completion and sign off of a DPIA. By developing a guided, accessible and national platform, it will be possible to equip individual service departments with the tools they need to assume responsibility for their own DPIA needs thus spreading the burden of completing DPIAs.
Crucially, we’ll be working with key partners including NHSX, the Information and Records Management Society and Act Now Training to develop a product which is fit for purpose for multiple organisations. The cross-sector collaboration will include Local Authorities, CCGs, NHS, Universities, Housing Associations et al to ensure a national approach to the data requirements which avoids organisational silos. We want your input to help shape the requirements for this, to keep the users central to our development and to overcome the challenges a unified approach can bring.
We are passionate about this project and about the benefits a tool like this will deliver. These are some of the benefits we have identified:
- Embed a ‘Data Protection By Design and Default’ project approach
- Accessible to the wider business both nationally and internationally
- Saves time and delivers efficiencies
- Legal compliance as set out by Privacy legislation
- Engaging IG from the outset
- Robust management of risk
- Demonstrable accountability
But we are sure that there are more, and we want you to join with us to develop a DPIA tool that unlocks all of this potential.
This opportunity is unique and has the potential to become a market leader nationally and internationally. So often we wait for the right solution to come to us, but if you join with us on this journey, we no longer need to wait, we will shape and deliver the solution together and it will be the right solution for our Data Protection needs.
HEADLINE BUSINESS CASE
We know from experience that Data Protection Impact Assessment processes are often inefficient, laborious and ineffective. By addressing these issues with a consistent, user-friendly and modern tool, we will bring organisation benefits by saving on wasted time and energy, and adding value through effective risk management.
In a GMCA led discovery and alpha phase project, the ‘as-is’, and potential ‘to-be’ process (supported by a Digital DPIA tool) was examined in detail. It was estimated that there could be savings of around 50 hours in terms of the effort it takes all parties to complete one DPIA; a percentage saving of around 65%.
We applied this to the number of DPIAs GMCA conducted in a 12 month period (30 in 2018-2019) and calculated savings of approximately £31,000. Every organisation undertakes a different number of DPIAs a year, we have spoken to county councils and their figures are nearer 60 a year; so the savings could be significant.
With the change in legislation and the legal requirement the GDPR brings to conduct a DPIA when processing presents a significant risk to a person’s personal data, we know the number of DPIAs conducted by organisations is only going to rise. With the penalties that could be faced for organisations who fall foul of the GDPR, we project that DPIAs will become the norm for all data processing activities, not just when it is legally necessary and this ensures an organisation can demonstrate a ‘privacy by design’ approach.
Therefore, the potential savings a Digital DPIA tool can bring, we project, will continue to rise. The sooner we can implement a more efficient process, the sooner project and Information Governance (IG) professionals can move away from the time unnecessarily lost on these activities and will allow them to focus on the work that truly delivers value to their organisation.
The Digital DPIA will be a fundamental tool in an organisations framework for information governance compliance.
The breakdown below defines what we initially see as being the order of priority of the requirements for this product, and how we see the roadmap evolving. The order of priority is likely to change multiple times throughout the project as directed by the participating organisations. Some of these work packages may be undertaken in parallel with others and some will have inter-dependencies.
In order to begin working through the list of priorities GMCA and their development partner Looking Local are looking for 6-8 other public sector organisations from Local Authorities, CCGs, NHS, Universities, Housing Associations etc who are actively interested in contributing subject matter resources (on average 1 day per month) and funds to steer the development of a new Digital Data Protection Impact Assessment tool.
We are looking for up to 8 organisations (minimum 6) to contribute £20k each as a ‘one off’ capital investment in the project. In return for this co-funding partners will get an unlimited license to reuse the resulting product ‘ad infinitum’ – with no ongoing costs for maintenance and support. The aim here is to better reward financial contributors, as well as the time/effort they put in to helping shape the solution. Ongoing development and maintenance of the product will be underwritten through the reselling of the product to other organisations around the country.
We expect work to commence in April 2020 and run for around 6 months.
Looking Local Ltd
The appropriate handling of personal data is the responsibility of all individuals in an organisation. The current privacy legislation, the Data Protection Act 2018 and the General Data Protection Regulation have made an effective best practice mechanism, the ‘Data Protection Impact Assessment (DPIA)’ and made it a legal requirement in some instances of processing.
The Data Protection Impact Assessment is an extremely useful organisational tool and the benefits that can be derived from undertaking an assessment are far organisation-wide including the initial risks to the project but can be scaled to managing organisational risk and provide an insight into resourcing requirements.
In December 2018, the GMCA was successful in a bid to secure funding from the Ministry of Housing, Communities and Local Government Local Digital Fund for the Digital Data Protection Impact Assessment Alpha project. The bid outlined the challenges faced around current paper-based practices with regards to undertaking a DPIA and detailed how the creation of a universal and compliant digital tool could support and empower staff.
This project delivered a prototype Digital Data Protection Impact Assessment tool which begins to demonstrate the value a tool such as this can deliver. Focussed on the non-IG professional users who would be completing the assessment in the tool and this lead to prototyping functionality that coaches a user through the completion and really hones in on the usability of
A prototype tool was developed but it is not the finished article and therefore there is still great scope for a collaboration to influence the next phase. We want to work with partners from health, housing, blue light and local government to shape the tool that enables cross-sector working and ensures priorities from all sectors are addressed. The Information Commissioner’s
Office has been fully supportive of the DPIA prototype and has committed to be a key member of the project team going forward.
The full discovery report can be seen here and you can also request a recording of our webinar which took place on 12th February discussing the project in more detail.