The elephant in every boardroom right now is GDPR, the impending and significant update to the old Data Protection Directive. Even though, from May 25th of this year, organisations that are not compliant with the new rules could face heavy fines, it seems that only a small proportion of businesses are proactively working to meet those regulations. Many are adopting a wait-and-see, or (even worse) a wait-until-we-get-audited, approach. And then, when requests come flooding in from customers asking about the data that is held on them, they expect to deploy an army of administrators to sort the problem out. This attitude is optimistic at best, and foolhardy at worst.
To understand why, let’s first examine what the key changes to the regulations are and how they will impact businesses.
- Probably the biggest change from the old directive is the increased territorial scope: any company that processes the personal data of data subjects residing in the European Union is included, regardless of whether the company is located in the EU or whether payment is required as part of the service.
- Any company in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). The fines are tiered, but even failing to keep your records in order, or failing to carry out an impact assessment, could attract a fine of 2% of annual global turnover.
- Consent must be ‘clear and distinguishable from other matters’, and it must be as easy to withdraw consent as it is to give it.
- Privacy by design is now a legal requirement, meaning ‘the controller shall…implement appropriate technical and organisational measures…in an effective way…in order to meet the requirements of this Regulation and protect the rights of data subjects’.
It is this last requirement that is most relevant to the role of automation in maintaining GDPR compliance. Data subjects have a range of rights, each of which costs effort and money to fulfil. For example, every data subject has the right to:
- be notified of data breaches ‘without undue delay’;
- access their personal data and understand how it is being processed, as well as having electronic copies of all data provided to them;
- be forgotten, which includes having all their personal data erased, having further dissemination of the data halted, and (if relevant) having third parties cease processing of the data; and
- port their data to another data controller, by receiving their personal data in a ‘commonly used and machine-readable format’.
It is not hard to see the challenge that businesses will likely face with all of the requests for data access, data erasure and data portability. Without privacy by design in place, many companies will struggle to comply, and will therefore face heavy fines.
Automation, and particularly Robotic Process Automation (RPA), can provide very useful capabilities to help businesses cope with these new challenges. By automating those repetitive, rules-based processes, a business can manage the peaks and troughs of demand without having to worry about non-compliance or breached SLAs.
Of course, RPA is not the silver bullet that will provide immediate GDPR compliance – there are plenty of other aspects that need to be in place as well – but it certainly gives companies a huge shot in the arm to help maintain and manage their compliance after the May 25th deadline.