Greater Manchester Combined Authority

Greater Manchester Combined Authority

Dapian – DPIA’s Simplified


Briefly describe the initiative/ project/service; please include your aims and objectives

The Dapian project brought together a collective of Local Authorities, Health, Academia, Public Bodies and private organisations, who all recognised the need and potential for a public sector focused, Digital Data Protection Impact Assessment (DPIA) solution. The project’s aim was to increase the numbers of DPIA’s being completed and decrease the timescales it takes to construct them, thus generating efficiencies and ensuring compliance. DPIA’s are a mandatory part of the General Data Protection Regulations (GDPR) which ensures an organisation assesses and evidences how they comply with their data protection obligations.

Wherever personal data is being used, a DPIA should be completed prior to any new services or projects progressing. The challenge is that staff often see this DPIA step as a barrier to progress and they are fearful of the complexity in the process. This results in staff members leaning heavily on a small subject matter expert team within the organisation, who are struggling to keep up with the demand. This can introduce delays into the process. The completion of a DPIA requires input from multiple sources, some of those may be external to the organisation. This results in lengthy completion times when relying on paper/Word documents being emailed around. The fall out of all of this is that DPIA’s are not being completed at the right time, assessment quality is poor, projects are processing without a DPIA in place and personal data is being used (and potentially being put at risk) without the proper processes being followed. The need for a product to facilitate the production of DPIA’s was felt hard when COVID-19 hit. Public sector had to coordinate their response and direct it at those who needed it fast. Identifying vulnerable individuals was a multi organisation task. It required the public sector and voluntary sector to share data sets which contained personal information of the most sensitive kind. None of that was possible without the completion of a well considered DPIA.

The project’s objective was to empower the wider organisation to take responsibility for their own DPIAs, thus reducing the bottle neck and increasing the number of DPIA’s which are being completed at the right time. A key focus of the project was to simplify the process of completing DPIA’s and remove the complex language being used in the forms. The resulting product (Dapian) hand holds non experts through the process of completing a DPIA start to finish, in a user friendly fashion, using plain English guidance. Dapian leads staff through a triage tool, which tells them if they need to complete a DPIA, what type of DPIA they should complete and allows them to go on to produce their DPIA in a collaborative fashion. Staff are able to invite input and support from Information Governance (IG) experts where needed. The tool also allows third parties, partners & suppliers to play their role in the process. By standardising the data capture it is possible to surface a library of DPIA’s completed by other organisations for non experts to find examples to take a steer from. Building on the GMCA’s Alpha project (nominated in 2019), the project developed the Dapian solution and launched it to the market in October 2020. CC2i were crucial in bringing together the co-fund partners who financed the project and key strategic partners who supported the initiative.

The team was comprised of:

Innovation Lead:
– CC2i
– Technical Lead:
– LookingLocal
– Commercial & sustainability Lead:
– Coalescent

Co-fund Partners:
– LOTI (London Office of Technology and Innovation)
– University of Nottingham
– Cheshire and Merseyside Health and Care Partnership
– Leeds City Council
– Norfolk County Council
– Strategic Partners:
– ActNow Training
– NHS Digital
– Information Records Management System (IRMS)
– Information Commissioner’s Office (ICO)

LookingLocal engaged with the collaborative partners who represented Local Government, Academia, Health, Regulatory body and a national training provider to develop a tool that was user centric and informed by industry experts, with a tailored approach to the public sector. The key to success was that the solution was tested with non experts at each major release step. This enabled adoption across the organisation and the system to deliver cross cutting sector benefits.

What are the key achievements?

The collaboration itself was a real achievement. Bringing together a group of partners who represented the different areas of Local Government, Academia, Health both regional and national, a training provider and the regulatory authority, created a fantastic team with a range of knowledge and requirements. The differences each organisation brought to the table put the development in good stead from the off. If we could solve the challenges for this diverse group of organisations, it’s probable that the resulting solution would suit many multiples of other organisations. CC2i with support from the GMCA and LookingLocal did a lot of engagement work to bring in these partners together. CC2i broadcast the projects progress far and wide and ran webinars to share the projects’ learning. LookingLocal maximised the collective expertise to inform the development of the solution. Each organisation brought end user groups to the table to provide plenty of opportunity for user-centred design, testing and feedback cycles.

The result of the project is Dapian – a digital solution to Data Protection Impact Assessments which has been developed and launched to the market. Dapian takes the fear and complexity out of DPIAs, uses plain English guidance and support and empowers users to go on to complete quality assessments. The project has evidenced that a 65% saving can be achieved by using Dapian as a digital solution, which ultimately leads to more quality DPIA’s being completed. Dapian has a roadmap for future developments. The product which has been launched is the minimal marketable product and soon, we will see more functionality being added. The next focus for the project group is to implement an automated risk identification tool which will proactively suggest appropriate mitigations for the risk posed. Whilst the project has now concluded, the project team remain engaged as a functional user group to continue to help shape and prioritise the requirements, and ensure that the Dapian team can continue to access the industry insights that they need to drive Dapian forward to become an industry leader in this space.

What are the key learning points?

A very positive learning point is the importance of having a range of organisations and expertise contributing to a solution which has the ambition of being a multi-organisation tool which meets the needs of a range of users. Having this representation on the project and also engaging with the regulatory body legitimises the project and adds validity to the need to solve the problem with data protection impact assessments.

By taking a national approach to standardising the data capture and product features it meant that:
– It was possible to share DPIA’s between organisations to aid non experts in completing their own assessments
-The product is sustainable in the long term because development costs and on-going maintenance costs are decreased. multiple organisations across the UK (potentially Europe in the future) can sign up to the product for low subscription costs.
– The product has a large pool of experts to call upon as the product evolves and share new best practise with.

In this project we had Coalescent whose role it was to ensure its sustainability through commercial success. Far too often projects are launched without any consideration about how it will be sustainable long term. Coalescent brings the expertise to ensure the product can continue to evolve and be maintained long beyond the duration of the project. Coalescent has already been successful in signing up 14 organisations to use the Dapian product and has a business plan to see 35 sign ups by the end of July 2021. It is through these new customer subscriptions that the product will remain viable and continue to evolve over the coming years.

Additional Comments

It was fantastic to be shortlisted for this award last year. The work of that project, the incredible feedback we received and the support of organisations such as iNetwork gave us the launching pad to move forward with the next phase of the project which has resulted in the Dapian product. These awards provide us with a great opportunity to share this story with the iNetwork members and it is always such a positive experience to enter into these awards alongside the other candidates.

COVID-19 Response Recognition Award

COVID-19 hit the public sector by surprise. Suddenly Local authorities and Health organisations had to coordinate and deliver support to people they have never had to, or were even aware of before. Identifying who needed support and what type of support they needed, required multiple data sets from health, social care, benefits and council tax (as well as others from the voluntary sector). No one could argue that the need to overlay these data sets was critical to identify those in need of support but these data sets contained personal data of the most sensitive type and so proper process still needed to be followed. Completing traditional DPIA’s on these activities introduced delays and vulnerable people were at risk in the meantime. The Dapian project was accelerated and brought forward for this very reason. Dapian would provide a platform for multiple organisations working together on this combined effort to get their DPIA’s done faster, by a wider net of people and in a collaborative fashion. Ultimately this means that the public and voluntary sectors can mobilise faster and ensure compliance at the same time.