Blog

Written by Ramesh Menon - Executive Director & Co-Founder, Cevitr 

Four years of debate and two years after approval from the EU Parliament, 25th May 2018 was the D-Day for GDPR (General Data Protection Regulation) compliance for European companies. It is nearly 6 months into the GDPR era and organisations have realized that being compliant and keeping it an ongoing organisational activity requires a lot of manual effort and continuous monitoring. 

 

GDPR has a clear set of rules for businesses and organisations to protect the personal data, rights and redress of EU citizens. If the basic principles of these rules are breached, the fines can be to the tune of up to €20 million or 4% of the global annual turnover of the company, whichever is greater. Despite these serious implications, it seems that a number of organisations, albeit well intended, are still struggling to cope with the impact of GDPR and consider the effort to be a drain on their resources. 

 

The challenge of handling GDPR compliance can be due to a number of reasons such as having a significant legacy of disparately located customer data, not having a system in place for active tracking and monitoring of the various data sources, starting late in combating the numerous challenges posed by GDPR and now scrambling to be compliant, dealing with volume of customer requests given the spike of data cleansing requests etc. Given these challenges, I believe that RPA (Robotic Process Automation) can help fast track GDPR compliance and keep the on-going process frictionless. RPA tackles the ‘D’ in GDPR by automating the mundane, repetitive and time-consuming tasks of data processing that are critical for compliance. It mimics the actions of processing information and data between multiple systems in less time than it would take for a person, with the added benefit of freeing up such persons to pursue other mission critical activities. 

Individuals or Data Subjects, who own the data, have the right to be informed about the data collected and used about them. RPA can help by sharing pre-defined privacy templates with these data owners, sending updates on privacy information and automating some of the processes in customer interaction, creating dashboards etc. 

 

This means that individuals have the right to request access to their personal data and to ask how their data is used by the company after it has been gathered. Any customer who asks for their data will have to be provided with a response free of charge. In B2C organisations, this could undertake a significant workload especially if there are several systems and databases that hold the information. Developing a single view of the customer could be an expensive IT project. With RPA, the entire activity can be automated with ease in a relatively cost-effective manner. 

 

This ensures that individuals can have their data updated if it is out of date or incomplete or incorrect. 

This is an activity that RPA can handle very easily across systems, provided the right rules are in place. 

 

Individuals have the right for their data to be deleted from the company systems once they exit. This can involve user data deletion from multiple systems and databases. Getting an IT solution for this activity would be a very cumbersome process, but an RPA based approach can be set in motion very quickly. 

 

Individuals can request that their data is not used for processing. Their details may remain in place, but no further processing can take place. Rules can be built so that RPA can execute actions once a request comes in to restrict processing from a user by making changes to the relevant systems. 

 

Individuals have a right to reuse their data from one provider to the other, necessitating the conversion to machine readable forms such as CSV etc. With RPA, data from multiple systems can be converted to a CSV or other formats very easily with no requirement to create complex programs or use APIs etc, which need significant time to develop and test. 

 

Individuals can request that their data should not be used for any direct marketing activities. As soon as such requests are received, organisations would have to act on it in a timely manner. This might require actions across multiple systems which can easily be automated with RPA. 

 

GDPR gives individuals control of their data in the case of their data being used in automated decision making and user profiling (e.g. analytics for user behavior). As outlined previously, individuals can request their data information from any company. Initial data extraction could take time and incur costs, especially if new automated systems are deployed for this purpose. RPA can be deployed to extract and perform actions to ensure organisational ease and compliance. 

 

There are other use cases for deploying RPA for GDPR compliance beyond those related to individual rights of people. For example, in case of a significant data breach, the Information Commissioner’s Office (ICO) and impacted individuals must be notified within 72 hours of first having become aware of the breach. Failing to notify such a breach can result in significant fines of up to €10 million or 2 per cent of your global turnover. 

In cases such as this, RPA can rapidly provide high-volume and timely processing capabilities when a surge of activities occurs, including automating part of the process of informing customers on the breach. 

 

As illustrated, the possibilities of the RPA technology to support GDPR are numerous facilitating otherwise arduous but necessary task of compliance, thereby delivering greater business process efficiencies.