With just seven months to go to the General Data Protection Regulation (GDPR) compliance deadline, many companies still have wholly inadequate data management capabilities. Strict requirements for personal data security, privacy, and the right to erase, among other things, will cause severe headaches for many CIOs not only in the EU but in all regions, as organisations will have to know which data is and is not subject to the regulation, and where in the world it is stored.
No doubt many complex and conflicting scenarios will arise out of GDPR. For example, consider the following data-related issues:
• When a request to be forgotten comes in from a customer, how will the organisation find all the occurrences of the same data across the vast enterprise IT estate?
• Will public and private cloud and other infrastructure providers be able to handle the requirements in a timely manner?
• What would be the knock-on effect of a customer asking for their data to be erased? What systems will be affected, and how would that affect audit trails and other regulatory requirements, such as maintaining company-related data for audit purposes for several years?
These questions, and a multitude of others, will take many more years to understand, get guidance on, and resolve. In the meantime, companies must be compliant, or face fines of up to the greater of €20 million or 4 percent of global annual turnover.
For those organisations that have not yet prepared for GDPR, the overheads of data management are increasing significantly. For example, they must figure out how best to obtain and maintain personal consent; handle access requests; process revocation of consent and requests to be forgotten; train personnel to know what they can and cannot do with data under GDPR; ensure that outsourced services, cloud providers, other suppliers (e.g. in the supply chain) and partners are compliant; and run audits to check the readiness and effectiveness of the provider/supplier/partner ecosystem.
This is where, with its rules-based bots, Robotic Process Automation (RPA) could prove to be God’s gift to the laggards. Scenarios where RPA could be ideal include, but are not limited to:
• Running audits of data against consent and revocation databases for compliance
• Checking a queue of incoming consent or revocation requests, and acting upon them, e.g., setting the right flags in systems or actively deleting data while maintaining an audit trail
• Producing audit reports
• Propagating changes of personal data and related consent across all the systems that hold that data, by cutting and pasting updates and maintaining consent-related databases
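The second and fourth scenarios above (working a queue of consent and erasure requests, and propagating the result across every system that holds the subject's data, with an audit trail) are simple enough to sketch in code. The following is an added illustration, not code from the article or from any RPA product: a small Python processor that applies each request to several constructed in-memory stores, clears consent flags or deletes records, and writes a pseudonymised, append-only audit entry for every action. It also handles the conflict raised earlier in the article, where an erasure request meets data that must be retained for statutory audit: instead of deleting, it restricts processing and records the outcome as blocked so that a human can review it. The system names, records and request types are all assumptions made for the example.

```python
"""Consent/erasure request processor with audit trail (constructed example).

Not from the article: illustrates acting on a queue of GDPR consent
revocations and erasure requests across several systems that hold the
same subject's data. A retention hold (e.g. invoices kept for statutory
audit) blocks deletion and is recorded rather than silently ignored.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib


@dataclass
class Record:
    subject_id: str
    fields: dict
    consent: bool = True
    retention_hold: bool = False   # data that a retention duty says must be kept


@dataclass
class SystemStore:
    name: str
    records: dict = field(default_factory=dict)   # subject_id -> Record


@dataclass
class AuditEntry:
    ts: str
    system: str
    subject_hash: str   # pseudonymised so the audit trail does not re-identify
    action: str
    outcome: str


def pseudonymise(subject_id: str) -> str:
    """Stable, non-reversible reference for the audit trail (assumed scheme)."""
    return hashlib.sha256(subject_id.encode()).hexdigest()[:16]


def process_request(req: dict, systems: list, audit: list) -> dict:
    """Apply one request to every system; return the outcome per system."""
    outcomes = {}
    sid = req["subject_id"]
    for store in systems:
        rec = store.records.get(sid)
        if rec is None:
            outcome = "not_present"
        elif req["type"] == "revoke_consent":
            rec.consent = False
            outcome = "consent_flag_cleared"
        elif req["type"] == "erase":
            if rec.retention_hold:
                # Erasure conflicts with a retention duty: restrict processing
                # (clear consent) but keep the record, and flag it for review.
                rec.consent = False
                outcome = "blocked_retention_hold"
            else:
                del store.records[sid]
                outcome = "deleted"
        else:
            outcome = "unknown_request_type"
        audit.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                store.name, pseudonymise(sid),
                                req["type"], outcome))
        outcomes[store.name] = outcome
    return outcomes


def process_queue(queue: list, systems: list, audit: list) -> list:
    """Work the request queue in order; returns one outcome dict per request."""
    return [process_request(r, systems, audit) for r in queue]


def blocked_for_review(audit: list) -> list:
    """Audit entries a data-protection officer still needs to look at."""
    return [e for e in audit if e.outcome == "blocked_retention_hold"]


def build_demo() -> list:
    """Constructed sample systems; 'alice' exists in two of the three."""
    crm = SystemStore("crm", {"alice": Record("alice", {"email": "a@example.test"})})
    billing = SystemStore("billing", {"alice": Record("alice", {"invoice": "INV-1"},
                                                      retention_hold=True)})
    marketing = SystemStore("marketing", {})
    return [crm, billing, marketing]


if __name__ == "__main__":
    systems, audit = build_demo(), []
    queue = [{"subject_id": "alice", "type": "revoke_consent"},
             {"subject_id": "alice", "type": "erase"}]
    for outcome in process_queue(queue, systems, audit):
        print(outcome)
    for entry in audit:
        print(entry)
```

The audit trail stores only a hash of the subject identifier, so the log that proves the erasure happened does not itself become another copy of the personal data; and because the retention-hold case is written to the same trail, the "blocked" entries give the reviewer a worklist rather than leaving the conflict invisible.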
The role of AI
As organisations collect more and more GDPR-related data, Artificial Intelligence (AI) solutions could come into their own by helping with risk and impact analysis and reporting:
• How many systems will be affected by a GDPR consent and access related change?
• What is the knock-on effect on workloads and audit trails? How do these affect other regulatory requirements for data retention?
• How many systems will be affected, and what would be the impact on operations and other legal and regulatory requirements?
• What is the data security threat level of the day? What is the likelihood of data breaches on a daily/hourly basis, and what preventative measures could be taken?
• What security breach has happened and what actions have been taken? Who has been affected by it and must be notified?
Additionally, good governance is an imperative for GDPR. RPA and AI can be used to embed governance in daily operations for enforcing and monitoring purposes.
A new era of data protection is upon us. It is coming at a time when, some would say, companies have taken far too many liberties with their customers’ data. The full implications for businesses are yet to be understood. But we believe that all organisations that hold or process personal data will experience some disruption in service delivery as a direct result of GDPR.