Digital DPIA (Data Protection Impact Assessment)
This collaborative project is co-designing and developing a digital approach to Data Protection Impact Assessments, fundamental on many levels not only to the handling of personal data, but also to manage organisational risk and underpin project success.
A Data Protection Impact Assessment (DPIA) is an important to tool to ensure compliance with the General Data Protection Regulation (GDPR). Whilst a legal requirement in case of “High Risk” processing, many Data Controllers undertake a DPIA for any new data sharing and data processing operations and projects.
The current DPIA status quo is often a lengthy, paper-based, complicated, inefficient and non-standardised process. Lacking the benefit of smart working practices, DPOs and IG professionals across the country can all see the benefits a digital approach will bring.
Working with leading public sector solution designers, Looking Local, in collaboration with 12 public sector bodies from across local government, health, education – with engagement from the ICO, NHSX, IRMS and Information Sharing Gateway – this project will shape the future of the DPIA process.
The resulting co-designed solution will deliver a cloud based platform which will assess if there is a need for a DPIA to be completed, provide a standardised approach to the data capture and the ability to allocate tasks to various user roles to ensure timely, quality completion and sign off of a DPIA.
By developing a guided, accessible and national platform, it will be possible to equip individual service departments with the tools they need to assume responsibility for their own DPIA needs thus both upskilling and spreading the burden of completing DPIAs, as well as enabling collaborative, multi-partner DPIA management.
CONFIRMED CURRENT CO-FUNDERS
Following an all partner discovery workshop and one-to-one sessions with each of the partners, the Digital DPIA Discovery Report is now complete and available to share.
Technical partners Looking Local completed a rigorous discovery process and have prioritised key elements of a digital approach:
- Cloud-based solution enabling multi-agency collaboration
- Plain, jargon-free language
- Simple DPIA screening tool
- Standardised DPIA forms
- Cloning functionality
- Searchable library of completed DPIAs
- Automated review triggers (and more)
To request a copy of the discovery report, please contact us.
CO-DESIGN & DEVELOPMENT
Development is now underway. Looking Local operates agile product development principles. Following the release of a light prototype, feedback from the co-designing partners will be invited on every major release. Partners will be actively encouraged to test each iteration with real end users so that we can achieve real user-centred design.
Nineteen work packages have been identified for the development and delivery of the digital DPIA. The order in which the work packages are tackled will be determined by the collaborating organisations. Due to the agile nature of this project it’s possible that these work packages will change as the project progresses in line with the shifting priorities of the group.
WP1 – Standardisation of data requirements for various DPIA templates
WP2 – Role-based access to the platform
WP3 – Ability to assign DPIA to different users including sign-off processes for IAOs
WP4 – Workflow: Developing a series of states that a DPIA can move through
WP5 – Digital DPIA screening tool
WP6 – User-centred, accessible design approach to data capture
WP7 – Content development: Advice and guidance for non-Information Governance (IG) staff
WP9 – Document upload and attachments
WP10 – Risk generation underpinned by logic model
WP13 – Develop specific types of assessments (DPIA ‘lite’ or CCTV)
WP15 – User Testing
WP8 – Dashboard and data reporting
WP11 – Automated review triggers: Triggers to prompt review, amendments, extensions and archive
WP12 – Interoperability with third-party systems (ISG & ICO access)
WP14 – Training
WP16 – Business development and product marketing
WP17 – Glossary of terms/roles/system
WP18 – Searchable library
WP19 – Information asset register
BENEFITS & BUSINESS CASE
All the parties involved are passionate about this project and about the benefits a digital DPIA tool will deliver. These are some of the benefits we have identified to date:
- Embed a ‘Data Protection By Design and Default’ project approach
- Accessible to the wider business both nationally and internationally
- Saves time and delivers efficiencies
- Legal compliance as set out by Privacy legislation
- Engaging IG from the outset
- Robust management of risk
- Demonstrable accountability
In an earlier GMCA led discovery and alpha phase project, the ‘as-is’, and potential ‘to-be’ process (supported by a Digital DPIA tool) was examined in detail. It was estimated that there could be savings of around 50 hours in terms of the effort it takes all parties to complete one DPIA; a percentage saving of around 65%.
With the change in legislation and the legal requirement the GDPR brings to conduct a DPIA when processing presents a significant risk to a person’s personal data, we know the number of DPIAs conducted by organisations is only going to rise. With the penalties that could be faced for organisations who fall foul of the GDPR, we project that DPIAs will become the norm for all data processing activities, not just when it is legally necessary and this ensures an organisation can demonstrate a ‘privacy by design’ approach.
During this programme of work, we shall be looking in more detail at the savings and business case to move to a digital approach.
Any questions about this project or to request the Digital DPIA Discovery report, please drop us a line at firstname.lastname@example.org