Organisations with £20 billion combined income prioritise data governance by investing in a large-scale Data Protection Impact Assessment (DPIA)

Client Need

A group of four large organisations operating in the UK, with European and global networks, decided to significantly increase their combined personal data sharing. They responded to the macro developments of Brexit, the Covid-19 pandemic, changes to UK law and past use cases where lack of information caused inefficient service delivery and sub-optimal responses. The organisations’ expertise span infrastructure, construction, engineering, transport, security, law enforcement and science / technology research.  They wanted to develop sophisticated data analytics capabilities, big data warehousing, improved data insights, better intelligence and more strategic joint action. A range of technology solutions were selected, short-listed and prototyped including cloud services, database merging, Application Programming Interfaces (APIs) and publicly available data. The project was bespoke and highly experimental, so over time, the parameters changed because of testing, effectiveness, risks and costs. The group wanted to prioritise data quality, General Data Protection Regulation (GDPR) compliance, data retention and to ensure data security played prominent roles in the life of the project.

PrivacySolved Services and Solutions

PrivacySolved provided a senior External Data Protection Officer (eDPO) to the project who helped to develop the agreements and the GDPR Data Protection Impact Assessment (DPIA). The eDPO identified gaps, suggested improvements and challenged GDPR compliance steps, risks, technology assumptions and intended outcomes. The DPIA and agreements became rolling, flexible and iterative documents which changed with project development, changes to high-risk data processing, new technology solutions, costs and efficiencies. The process lasted for 14 months, with many rounds of changes. Our Legal and Regulatory Support services added backup support to the eDPO.  The organisations were involved at every stage and fully invested in the process; informing the DPIA as the DPIA GDPR’s analysis informed their processes. The DPIA led to the project team improving existing technical solutions and introducing new technologies to enhance data security, data minimisation, the protection of special categories of personal data and user interfaces.

Results

The group received senior expertise, insights and project support for over 1 year to:

Understand their datasets, negotiate data sharing solutions and manage data risks

Comply with UK/EU law by using an effective senior Data Protection Officer (eDPO)

Improve transparency and accountability via a live flexible high-quality updated DPIA

Meet the multi-million cost-saving targets, joint working and effective collaboration