Digital DPIA (Data Protection Impact Assessment)
Develop a digital Data Protection Impact Assessment platform that will be fundamental to an organisation’s ‘privacy by design’ approach and improve collaboration with partners – unlocking DPIA’s from their organisational silos.
You have the opportunity to co-design an assessment platform and shape data standards which will address the fundamental issues we experience with Data Protection Impact Assessments.
Working with our development partners Looking Local we are proposing to build a digital platform which will assess if there is a need for a DPIA to be completed, provide a standardised approach to the data capture of a DPIA assessment and the ability to allocate tasks to various user roles within the platform to ensure timely quality completion and sign off of a DPIA. By developing a guided, accessible and national platform, it will be possible to equip individual service departments with the tools they need to assume responsibility for their own DPIA needs thus spreading the burden of completing DPIAs.
Crucially, we want to work in a cross-sector collaboration with key partners to develop a product which is fit for purpose for multiple organisations across Local Authorities, CCGs, NHS, Universities, Housing Associations etc and ensures a national approach to the data requirements which avoids organisational silos. We want your input to help shape the requirements for this, to keep the users central to our development and to overcome the challenges a unified approach can bring.
We are passionate about this project and about the benefits a tool like this will deliver. These are some of the benefits we have identified:
- Embed a ‘privacy by design’ project approach
- Accessible to the wider business
- Saves time and delivers efficiencies
- Legal compliance as set out by Privacy legislation
- Engaging IG from the outset
- Robust management of risk
- Demonstrable accountability
But we are sure that there are more, and we want you to join with us to develop a DPIA tool that unlocks all of this potential.
This opportunity is unique. So often we wait for the right solution to come to us, but if you join with us on this journey, we no longer need to wait, we will shape and deliver the solution together and it will be the right solution for our Data Protection needs.
HEADLINE BUSINESS CASE
We know from experience that Data Protection Impact Assessment processes are often inefficient, laborious and ineffective. By addressing these issues with a consistent, user-friendly and modern tool, we will bring organisation benefits by saving on wasted time and energy, and adding value through effective risk management.
In a GMCA led discovery and alpha phase project, the ‘as-is’, and potential ‘to-be’ process (supported by a Digital DPIA tool) was examined in detail. It was estimated that there could be savings of around 50 hours in terms of the effort it takes all parties to complete one DPIA; a percentage saving of around 65%.
We applied this to the number of DPIAs GMCA conducted in a 12 month period (30 in 2018-2019) and calculated savings of approximately £31,000. Every organisation undertakes a different number of DPIAs a year, we have spoken to county councils and their figures are nearer 60 a year; so the savings could be significant.
With the change in legislation and the legal requirement the GDPR brings to conduct a DPIA when processing presents a significant risk to a person’s personal data, we know the number of DPIAs conducted by organisations is only going to rise. With the penalties that could be faced for organisations who fall foul of the GDPR, we project that DPIAs will become the norm for all data processing activities, not just when it is legally necessary and this ensures an organisation can demonstrate a ‘privacy by design’ approach.
Therefore, the potential savings a Digital DPIA tool can bring, we project, will continue to rise. The sooner we can implement a more efficient process, the sooner project and Information Governance (IG) professionals can move away from the time unnecessarily lost on these activities and will allow them to focus on the work that truly delivers value to their organisation.
The Digital DPIA will be a fundamental tool in an organisations framework for information governance compliance.
The breakdown below defines what we initially see as being the order of priority of the requirements for this product, and how we see the roadmap evolving. The order of priority is likely to change multiple times throughout the project as directed by the participating organisations. Some of these work packages may be undertaken in parallel with others and some will have inter-dependencies.
In order to begin working through the list of priorities GMCA and their development partner Looking Local are looking for 8 other public sector organisations from Local Authorities, CCGs, NHS, Universities, Housing Associations etc who are actively interested in contributing subject matter resources (on average 1 day per month) and funds to steer the development of a new Digital Data Protection Impact Assessment tool.
We are looking for 8 organisations to contribute £20,000 each. However, each organisation will get that £20,000 rebated to them over 4 years (£5000 per annum) set against the annual license fees for the service. In other words, participation in this project will be cost neutral. All partners involved will input into the pricing of this service to ensure it is fair & reasonable and based on a proven business case.
Work will commence in January/February 2020 and run for around 6 months.
Looking Local Ltd
The appropriate handling of personal data is the responsibility of all individuals in an organisation. The current privacy legislation, the Data Protection Act 2018 and the General Data Protection Regulation have made an effective best practice mechanism, the ‘Data Protection Impact Assessment (DPIA)’ and made it a legal requirement in some instances of processing.
The Data Protection Impact Assessment is an extremely useful organisational tool and the benefits that can be derived from undertaking an assessment are far organisation-wide including the initial risks to the project but can be scaled to managing organisational risk and provide an insight into resourcing requirements.
In December 2018, the GMCA was successful in a bid to secure funding from the Ministry of Housing, Communities and Local Government Local Digital Fund for the Digital Data Protection Impact Assessment Alpha project. The bid outlined the challenges faced around current paper-based practices with regards to undertaking a DPIA and detailed how the creation of a universal and compliant digital tool could support and empower staff.
This project delivered a prototype Digital Data Protection Impact Assessment tool which begins to demonstrate the value a tool such as this can deliver. Focussed on the non-IG professional users who would be completing the assessment in the tool and this lead to prototyping functionality that coaches a user through the completion and really hones in on the usability of
A prototype tool was developed but it is not the finished article and therefore there is still great scope for a collaboration to influence the next phase. We want to work with partners from health, housing, blue light and local government to shape the tool that enables cross-sector working and ensures priorities from all sectors are addressed. The Information Commissioner’s
Office has been fully supportive of the DPIA prototype and has committed to be a key member of the project team going forward.
The full discovery report can be seen here.