How can you drastically reduce the cost, overall effort and lead time of your DPIAs (Data Protection Impact Assessments) while increasing their quality and process efficiency?
In this article, we explore how our “DPIA Risk Automation Solution” answers this question, and we explain the method and reasoning behind it.
The Case for DPIA Automation
Completing a DPIA where the GDPR requires one (Article 35) is a legal obligation. If you wish to avoid sanctions and administrative fines and protect your reputation within your industry, the GDPR has to be enforced stringently.
The challenge we most often see is the tremendous effort needed to execute DPIAs, caused by a scattered approach: a time-consuming process run through a combination of, for example, Word documents and SharePoint workflows.
This document-heavy approach is surprisingly common, but it quickly grows unwieldy into a large number of DPIAs with little oversight, which are therefore hard to follow up.
As a result of this approach, the following issues are repeatedly observed:
- User Frustration: The business community sees the DPIA process as an inconvenience. Having to complete complex and time-consuming forms on top of their ‘day job’ only makes matters worse.
- Scattered Approach: Because the approach is loosely held together with Word documents, it soon becomes impossible to manage across the many departments involved.
- Poor Reporting: With unstructured data that is ‘locked away’ in Word documents and SharePoint folders, any report required by senior managers or regulators relies on manually intensive data collection.
- Inconsistent Reference Data: Another problem that impacts reporting is the lack of reference data consistency across departments. Different teams and users make their own assumptions about which data categories and data subject categories to use, how to indicate transfers outside the European Economic Area (EEA), and so on, further increasing the delays and complexity of reporting meaningful information across the business.
- Unclear Risks and Mitigations: There is no clear documentation or common understanding of the data subject risks (inherent and residual) and of the mitigations to be taken as a result of the DPIA. Because of this it is very hard to define these risks and to mitigate them consistently. Here, the “DPIA Risk Automation Solution” can play a key role.
Building a DPIA Risk Automation Solution in Collibra
Our approach is to first analyse the existing documents, processes, tools, etc. and identify what can be leveraged from, for example, data governance, business process management, the CMDB, project methodologies and existing data protection efforts.
By building on existing documents and approaches, we save time and increase buy-in, while avoiding a radical change to how DPIAs are executed in your organisation.
How do we do this?
We have automated the risk definition and mitigation effort by means of our proven DPIA risk templates.
These templates allow the DPIA questions to be customised and linked to pre-defined answers (for about 80% of the questions).
Based on these pre-defined answers, the corresponding risks and mitigations are derived automatically, giving the user an immediate 80% completion of the inherent risks, the mitigations and the residual risks. The remaining free-text questions still go to a human reviewer.
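The following Python sketch is an added illustration of the mechanism described above and is not code from Data Trust Associates or from Collibra. The question names, controlled vocabularies, risk rules, 1-to-5 scoring scale and sample answers are all constructed for the example: pick-list answers are validated against reference data, each answer pattern fires a rule that yields an inherent risk with its linked mitigations, the residual score is computed from the mitigations actually applied, and free-text questions are routed to manual review.

```python
"""Rule-based derivation of DPIA risks, mitigations and residual risks from
pre-defined answers. Added example with constructed reference data and rules;
not the vendor's implementation."""
from __future__ import annotations
from dataclasses import dataclass

# Controlled vocabularies (constructed): the reference data every team must use.
DATA_CATEGORIES = {"contact", "financial", "health", "biometric", "location"}
SPECIAL_CATEGORIES = {"health", "biometric"}
TRANSFER_REGIONS = {"EEA", "adequacy_country", "third_country"}

# Questions answered from a pick-list (rules fire on these) vs. free text.
PREDEFINED_QUESTIONS = ("data_categories", "transfer_region",
                        "retention_years", "automated_decisions")
FREE_TEXT_QUESTIONS = ("purpose_description",)


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    inherent: int                 # 1 (low) .. 5 (high), constructed scale
    mitigations: tuple[str, ...]  # pre-defined mitigations linked to this risk
    reduction: int                # score reduction when ALL mitigations apply


def validate(answers: dict) -> list[str]:
    """Reject values outside the controlled vocabularies (inconsistent reference data)."""
    errors = []
    unknown = set(answers.get("data_categories", ())) - DATA_CATEGORIES
    if unknown:
        errors.append(f"unknown data categories: {sorted(unknown)}")
    if answers.get("transfer_region") not in TRANSFER_REGIONS:
        errors.append(f"unknown transfer region: {answers.get('transfer_region')!r}")
    return errors


def derive_risks(answers: dict) -> list[Risk]:
    """Rule table: each pre-defined answer pattern maps to a risk and its mitigations."""
    risks = []
    if set(answers.get("data_categories", ())) & SPECIAL_CATEGORIES:
        risks.append(Risk("R1", "Unauthorised disclosure of special-category data", 5,
                          ("encryption at rest", "role-based access control", "access logging"), 3))
    if answers.get("transfer_region") == "third_country":
        risks.append(Risk("R2", "Transfer outside the EEA without adequate safeguards", 4,
                          ("standard contractual clauses", "transfer impact assessment"), 3))
    if answers.get("retention_years", 0) > 5:
        risks.append(Risk("R3", "Retention beyond what the purpose requires", 3,
                          ("retention schedule with automated deletion",), 2))
    if answers.get("automated_decisions"):
        risks.append(Risk("R4", "Solely automated decision with legal effect on the data subject", 4,
                          ("human-in-the-loop review", "process to contest the decision"), 2))
    return risks


def residual_score(risk: Risk, applied: set[str]) -> int:
    """Residual = inherent minus the reduction earned by the mitigations actually applied
    (partial credit, rounded down; never below 1)."""
    done = len(set(risk.mitigations) & applied)
    earned = risk.reduction * done // len(risk.mitigations)
    return max(1, risk.inherent - earned)


def assess(answers: dict, applied_mitigations: set[str]) -> dict:
    """Validation, derived risks with residual scores, open items and auto-completion share."""
    errors = validate(answers)
    if errors:
        return {"errors": errors}
    answered = [q for q in PREDEFINED_QUESTIONS if q in answers]
    total = len(PREDEFINED_QUESTIONS) + len(FREE_TEXT_QUESTIONS)
    return {
        "errors": [],
        "risks": [{"id": r.id, "inherent": r.inherent,
                   "residual": residual_score(r, applied_mitigations),
                   "missing_mitigations": sorted(set(r.mitigations) - applied_mitigations)}
                  for r in derive_risks(answers)],
        "needs_review": [q for q in FREE_TEXT_QUESTIONS if q in answers],
        "auto_completion": round(100 * len(answered) / total),
    }


# Constructed sample input: a remote-monitoring pilot handling health data.
SAMPLE_ANSWERS = {
    "data_categories": ["contact", "health"],
    "transfer_region": "third_country",
    "retention_years": 10,
    "automated_decisions": False,
    "purpose_description": "Remote patient monitoring pilot",
}
SAMPLE_MITIGATIONS = {"encryption at rest", "role-based access control",
                      "standard contractual clauses"}

if __name__ == "__main__":
    for risk in assess(SAMPLE_ANSWERS, SAMPLE_MITIGATIONS)["risks"]:
        print(risk)
```

For the sample, R1 drops from 5 to 3 (two of three mitigations applied), R2 from 4 to 3, and R3 stays at 3 because nothing has been applied; the single free-text question is listed for review and the automatic completion share is 80%. A value outside the vocabulary (for instance a data category spelled differently by one department) is rejected before any risk is derived, which is the point of shared reference data.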
Integrating the DPIA with Data Governance:
We have also created the option to integrate the DPIA with the register of processing activities. We reuse the Collibra environment not only because of its flexibility, but because much of the metadata already in it can be reused as input to the DPIA.
Integrating the DPIA and the Register of Processing Activities into Collibra makes sense for several reasons.
Why does Integrating your DPIA with your Register of Processing Activities and a Data Governance solution make sense?
Firstly, the Collibra solution helps the DPIA process by building a ‘pulldown’ list of the processes found within the organisation. This means two things:
- It takes seconds to find the process information required for the DPIA
- It prevents duplicated process information or misspelt process data from being entered
Secondly, it makes it possible to automatically guide the user to update the Register of Processing Activities based on the outcome of the DPIA. This creates a win-win situation: executing DPIAs automatically keeps your register up to date.
Thirdly, you benefit from the core Collibra functionality, with the possibility to reuse information that is already available and documented in the Register of Processing Activities. Processing activities, data classification, data lineage, data flows, data transfers and so on should already be available in your data governance solution and can therefore be leveraged to the full.
Building a DPIA in Collibra: The Process
Step 1: Confirming the Workflow
First, we will model the entire DPIA workflow as required by the client.
Every client has slightly different structures and approaches to the DPIA process, so we combine our best-practices from delivering multiple DPIA initiatives, with the local requirements of the client.
We implement the DPIA workflow and RACI (Responsible, Accountable, Consulted, Informed) in Collibra and incorporate elements of the existing process with which everyone in the organisation is familiar.
Step 2: Gaining Stakeholder Buy-In
Before we go ‘full steam’ into developing the new DPIA process, we embark on an internal ‘sales campaign’ to get senior stakeholders’ buy-in for our plans to build out the DPIA solution in Collibra.
Here is how we achieve buy-in:
Some stakeholders need convincing that Collibra is a better solution than the old document-based approach. To address this, we create early mock-ups of the DPIA process so senior managers and users can quickly see the value in having a more robust and automated approach.
It is essential to emphasise the distinct benefits that each department involved in the DPIA process could receive. We map out the function of each department and personalise our communication, so each group clearly understands ‘what’s in it for me’.
As we build out new mock-ups and features in Collibra, we gauge feedback as we go, ensuring the stakeholder groups stay invested in the process.
A lot of our internal ‘sales story’ revolves around showing the business how easy it is to enter and update information. By stressing the ‘ease-of-use’ factor, we make it easier for the business to contrast the ‘before and after’ benefits of adopting a Collibra-driven approach.
Step 3: Adopting an Agile Approach (if applicable)
It’s worth mentioning that, if applicable to your organisation, an Agile deployment approach can be integrated, as it dovetails nicely with the need to demonstrate mock-ups and roll out features iteratively.
At each ‘end-of-Sprint’ stage, we can provide a more in-depth review of the newly created Collibra interface and DPIA functionality.
After building the end-to-end DPIA workflow in Collibra, we overlay the DPIA roles across the end-to-end process.
Once the workflows and roles are in place, we build up the customised DPIA questions and (pre-defined) answers for each step of the workflow, based on the DPIA risk template.
Step 4: User Acceptance Testing and Sign-Off
Once the end-to-end DPIA workflow is in place, the key stakeholders (e.g. Data Protection Officer, Privacy Stewards, Legal and Risk departments) play a crucial role in testing the entire process.
We also approach business users (another key stakeholder group for the system) to validate factors such as the process flow and the quality of data entry.
What is the Outcome?
You can have a modern DPIA management process by leveraging Collibra together with the DPIA solution and methodology we provide.
In addition, the DPIA process can be integrated closely with the Register of Processing Activities, making it easier to ensure the quality and consistency of DPIAs.
Defining the risks and mitigations automatically, based on the answers given to the DPIA questions, is certainly one of the biggest differentiators for clients, as we often see this as a major struggle in many organisations.
Finally, DPIA staff will agree that there is no going back. Using pre-defined answers, integrating with an existing Register of Processing Activities and automating the risks and mitigations is a big step forward.
In fact, the performance improvement can be so considerable that DPIA lead times fall from days to hours.
What’s more, once in place, DPIA staff have a single dashboard to manage all their DPIAs, risk management and processing activities.
With all the approaches fully integrated into this unified governance ‘hub’, the Data Protection Officer gains instant visibility into where high-risk data sits across all DPIAs, and can prioritise future initiatives accordingly.
Want to Learn How to Automate your DPIA in Collibra and How to Benefit from it?
At Data Trust Associates, we have extensive experience in helping clients from different industries implement and optimise DPIAs that comply with the GDPR requirements.
If you want to optimise and automate your DPIA process and solution, don’t hesitate to contact us for a DPIA Risk Automation demo and a hands-on discussion of how we can help you and your team.
You can contact us via: firstname.lastname@example.org