The General Data Protection Regulation (GDPR) requires that organisations carry outData Protection Impact Assessments (DPIA or PIA) prior to starting a likely risky processing operation. The PIA tool is a free and open source software tool, available as a standalone and “server” version. It helps organisations to conduct PIAs by guiding them through the process step-by-step, and thus to demonstrate compliance with the GDPR.
The GDPR became applicable in May 2018. While increasing the general awareness on data protection and privacy issues, it also places new regulatory pressure on organisations processing personal data. Organisations are now required to carry out Data Protection Impact Assessments (DPIA or PIA) before starting processing operations likely to result in a high risk on the individual.
Since carrying out a PIA is a complex matter, the CNIL has developed guidance and a software tool to help public and private organisations.
The PIA tool is part of a global PIA initiative developed by CNIL. It includes (https://www.cnil.fr/en/cnil-publishes-update-its-pia-guides) :
- a PIA method, models and a code of practice, published in 3 guides which are based on the regulation and leading practices (https://www.cnil.fr/en/PIA-privacy-impact-assessment-en);
- frameworks adapting the method to specific business activity context (such as internet of things: https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-piaf-connectedobjects-en.pdf) and giving specific guidance;
- case studies providing practical examples rolling out the method (https://www.cnil.fr/sites/default/files/atoms/files/cnil-pia-captoo-fr.pdf);
- a software tool to carry out PIAs by unfolding the method step-by-step and which includes the aforementioned materials by providing contextual information, and by including the use cases as examples in the tool (https://www.cnil.fr/en/open-source-pia-software-helps-carry-out-data-protection-impact-assesment).
Within this global offer on PIA, the software tool’s development process has also followed an innovative approach. It was based on a design thinking methodology, involving potential users in the making process through several discussion and testing sessions. From those have arisen the following three principles: a step-by-step approach to PIA, contextual content and modularity & openness.
Indeed, the tool unfolds progressively the PIA method developed by the CNIL. It allows the user to easily understand the method, the regulatory requirements, and the leading practices. To do so, the tool relies on a user-friendly interface that allows to simply carry out PIA as well as easily manage them. This step-by-step approach is completed with several visualisation tools that offer ways to quickly understand the risks associated with the data processing.
Additionally, the tool’s content takes into account the whole regulatory framework as well as norms and best practices set out by standards bodies widely used in organisations. Thus, the tool includes the legal points ensuring the lawfulness of processing and the rights of the data subjects as well as technical and organisational measures to manage and reduce the risks on the data processing.
All this rich information is presented through a contextual knowledge base, available along all the steps of the PIA, which delivers the aforementioned information according to the aspect of the processing studied.
Finally, we adopted a highly modular and open approach to the development of the tool. Since organisations have specific needs depending on their sector of activity, we decided to make the tool as customisable as possible. Therefore, the source code is published under a free licence, allowing for anyone to modify the tool and its features, for easier integration in the information systems of various organisations.
The tool was first released in November 2017, in French and English. Other language versions were submitted by the community and it is now available in 14 languages. The PIA software was downloaded 70 000 times in the first 6 months after it was released. The tool has been widely adopted by the data protection community and used by many organisations, ranging from global corporations to public bodies such as hospitals or local administrations.
What Makes Your Project Innovative?
The PIA software is the first project of its kind within the CNIL and within the community of data protection regulators. It complements and provides a useful toolkit for the PIA guides previously published by the CNIL. The PIA software has been considered as a product since it was first imagined and designed, which is a real novelty for a regulatory institution. Not only did it rely on design thinking and co-design practices to shape software developments, it has been also fully managed in an agile way to allow more flexibility and responsiveness in its different releases, in order to evolve based on user feedback.
Publishing the tool as an open source software has also been a new approach tested by the CNIL and has also exposed us to new models of project governance through the Github platform we use to publish the source code. Indeed, it has allowed to experiment with direct contributions to a CNIL’s product, asking us to create ways to evaluate and accept quickly those inputs.
What is the current status of your innovation?
The project is at the end of its implementation phase and we will soon start the evaluation phase. It has been released in November 2017 in a beta version in order quickly adapt the development planning to the users’ feedback. The final version of the tool should be released in October 2018 ; the next step will be an evaluation phase where we will measure our users overall satisfaction with the tool and assess precisely the whole process internally in order to produce sets of guidelines for future projects of the same nature, potentially to be shared with other public institutions.
Collaborations & Partnerships
Following a collaborative design approach, our users have been key partners in the tool’s development. Their feedback (600 emails commenting on the tool) has provided useful input and material to inform design decisions about the tool. Other key collaborators are Github contributors. With their contributions (80 issues opened), they have actively improved the tool. For example, they’ve helped to translate the interface in 12 more languages, improved its documentation and the code quality.
Users, Stakeholders & Beneficiaries
Our users come from the public and private sectors (small to medium businesses, multi-national corporations, municipalities, hospitals, government’s ministries...) worldwide, as well as a broad range of roles (Data Protection Officer, Chief Information Officer, Project Manager...).
Data Protection Authorities across the world are key stakeholders as they benefit directly from the tool and are increasingly involved in its development.
Results, Outcomes & Impacts
The initiative has been largely welcomed by organisations, thanking the CNIL for providing a practical tool to help them build their compliance. Six months after it was released, the tool had been downloaded 70 000 times. Since it is open-source, the tool has successfully fostered an active international community around the PIA topic. Through its contribution, especially the translation of the tool in more of 14 languages, it encourages global adoption of the GDPR and of PIAs.
In addition, the project has enabled a new kind of collaboration between data protection authorities, going beyond legal cooperation to a more practical one that will hopefully encourage similar initiatives at a European level. It also has a very positive impact on CNIL’s image, showing that the institution actively looks at innovative ways to implement the regulation. It has also been an opportunity to bring a new kind of skills in-house, namely design, that shows to be highly appreciated and needed in such endeavour.
Challenges and Failures
One of the main challenge we’ve encountered is the lack of previous experience on managing a “fully” open-project. Indeed, the management of the open-source community is particularly demanding and we would need more tools and additional resources to properly address it. However, several lessons have been learnt and we have established a whole model of open governance that we will deploy and test by the end of the year.
The project is running smoothly and because it has been used by many organisations worldwide, our main challenge has been to organise feedback processing in order to address without undue delay the issues faced by our users.
Conditions for Success
We identify three conditions for success:
1. The European regulation and the applicability of the GDPR in May 2018 that made PIA mandatory in some cases, as well as a need for organisations to demonstrate compliance;
2. Bringing design skill in-house, allowing the project to be developed and implemented with a design mindset and putting the user at the center of the approach;
3. An overall collaborative approach by allowing external contributions to the tool through the open source community
The tool being open source, several stakeholders have deployed the project in their organisations (hospitals, government ministries, multinational companies and SMBs from various fields), and coupled it with existing tools and methodologies. Others, such as consulting companies, have seized the tool and developed new kinds of business activities on top of it.
So far, we have learnt some general lessons:
1. Getting the proper in-house resources: it is essential to get in-house the proper human resources with skills that match the nature of the project. In this specific case, a design approach was definitely needed to reach a high quality product by properly implementing a user-centric methodology to design the product. It is also essential to have this kind of knowledge in-house in order to have smooth interactions with service providers helping you to build the product;
2. Valuing the community contribution: be keen to involve progressively the relevant stakeholders in the project from the start in order to deliver a product that realistically answers the need of the final users. Confronting what you imagined with the requests of the users and other stakeholders is also a perfect way to challenge preconception or belief you might behold as the initiator of the project. This is particularly true when the project is openly released. From that point, contributions can be freely proposed and are bound to be discussed by all stakeholders.
3. Planning ahead: having an innovative will is important, but it is as important to thoroughly analyse the action and skills needed to deliver an innovative initiative or product. This helps to identify which trouble you might encounter and imagine how to handle them, as well as finding the opportunities that might help to promote the initiative.