The list of global legal regulations is long: PCI standards, regulation SCI rules, FISMA regulations, FCPA rules, HIPAA privacy standards, and more. Because all businesses — regardless of industry, geography, size, and revenue — are subject to regulatory compliance, it’s easy to get bogged down by the acronyms. And the European Union (EU) Parliament has approved the newest addition to this growing list of legal acronyms, the General Data Protection Regulation (GDPR).
GDPR harmonizes and unifies data privacy laws across Europe, with the aim of strengthening data protection for EU citizens and giving individuals better control over their personal data (whether it’s a name, an address, a picture or social media post, or medical information). All European organizations, as well as non-European organizations collecting data concerning EU citizens, are expected to be GDPR compliant by May 25th, 2018.
Though the importance and urgency of GDPR’s improvements are clear, various challenges exist in implementing the controls required for adherence, and maintaining compliance remains an area of risk, with non-compliance carrying fines of up to €20 million, or 4% of a company’s annual global turnover.
The new GDPR guidelines compel organizations to develop progressive capabilities for capturing, storing, using, and deleting personal identifiable information (PII), namely any data that potentially identifies a specific individual, allows for distinctions to be made between individuals, or could be used to de-anonymize anonymous data.
In order to maintain compliance with GDPR, it is paramount for businesses to identify what individual data are stored, where and for how long, as well as to categorize it by parameters of sensitivity, legal justification for holding, and storage duration. In this regard, organizations should also avoid storing unused PII. Moreover, companies must be able to apply pseudonymization or tokenization to separate data from any direct identifiers.
In line with GDPR, data subjects must be given access to their own PII, as well as real-time information about its use, upon request. They should be able to withdraw their consent and have the right to modify or delete personal data on certain parameters. Any breach that compromises an individual’s personal data must be reported to the appropriate supervisory authority.
It probably comes as no surprise that, for many European companies, these regulations require multi-faceted operational restructuring. Such adjustments are also accompanied by significant cost, often topping six figures. According to TrustArc, 53% of medium-sized ventures expected their GDPR spending to be between $100,000 and $500,000. Moreover, Financial Times projects—based on estimates from EY and the International Association of Privacy Professionals—that Fortune 500 companies will spend a combined $7.8 billion to avoid non-compliance with GDPR.
How can RPA support the legal considerations of companies with regards to GDPR, and what are the benefits of implementing this automation technology to support enforcement efforts? The UiPath Enterprise RPA Platform, in particular, enables companies to streamline compliance measures in the following cases:
UiPath can deal with mapping existing data from the organization’s databases as well as incorporating new data from various business processes. Natural language processing (NLP) can then be applied to identify, analyze, and classify PII based on data sensitivity as well as holding period. As part of periodic data clean-ups, software robots can also update system data based on rules engine inputs (e.g. purging identified PII once holding period is reached) and replicate these updates across all systems.
Customer consent management
As enabled by the UiPath Platform, individuals are given access to their customer portal where they can visualize, update, or delete their aggregated personal data in a unified viewing field. Customers also have the ability to directly export their personal data in a structured format, transmit it to another data controller via API, or use a personal data store to hold the personal data and grant permission to data controllers as required. UiPath Robots can also create triggers when individual data is used for business purposes and seek customer consent for data usage.
In order to streamline adherence to GDPR’s requirements of data anonymity, RPA can make data pseudonymous before storing and can automatically inform customers in case of a data breach. Moreover, because UiPath RPA Robots also save all their actions into an activity log file, businesses can better anticipate and manage compliance issues, proactively conduct internal reviews of compliance statuses, and effectively respond to a regulatory audit if necessary.
In order to better manage the operational costs and changes accompanying the introduction of GDPR guidelines, more and more organizations are turning to automation. In this regard, management consulting firm McKinsey & Company advises companies to:
“[b]ear in mind that adopting manual solutions to satisfy requirements such as ensuring data portability can lead to high ongoing running costs. Building an automated solution at the outset—such as APIs for data transfer—could simplify compliance and reduce costs in the long run if you believe there will be sufficient demand (for instance, for data portability) to justify the investment involved.”
UiPath RPA for legal processes helps modernize compliance throughout the value chain, with simplification, improved control and oversight, as well as reduce costs in managing customer data without the operational headache that’s typically associated with this topic.