Robots on Guard to Protect Personal Data

Robots on Guard to Protect Personal Data

The EU introduced updated rules for personal data protection, established by the General Data Protection Regulations (Regulation 2016/679 known as GDPR). It applies to all EU and non-EU companies alike, meaning international companies trading within the EU have to comply as well.  The new regulations enable EU residents to better protect and control personal data handed over to other parties.  According to GDPR, violation of EU regulations would cost up to €20 million, or 4% of the company’s annual gross income. What it means for businesses and clients, and how RPA can help, is explained in this article.

Who is affected 

GDPR clearly aims to protect EU customers, but is also applicable to international businesses operating in the EU: 

US and Japanese companies sell to clients in the Netherlands. Should these companies introduce GDPR measures? Yes 

Because goods and services are sold to EU residents, adapted to local languages, and process payments in local currencies, goods and services are provided via national domains of EU countries, so GDPR is relevant to these businesses. 

A company sells goods via processor company, not delivering to customers directly. Is GDPR relevant? Yes 

The selling company in this case represents a controlling entity, responsible for maintaining valid and well-protected customer data at the processing company. 

A company deals only with existing customers, no need to review privacy agreements, right? Wrong 

Under new regulation, existing agreements must be re-validated in open and transparent fashion. On top of that, customers have the right to call off the agreement and request removal of their records. 

Business case 

GDPR offers better protection for customers, and at the same time GDPR introduces additional requirements for businesses. Companies will have to update or remove customer files, negotiate changes with business partners, inform regulators of security breaches and perform other activities on top of regular operations.  Let’s have a look at some examples:

Customer sends you a request to remove his\her data 

Normally you would ask an employee to pick up the request, remove records in all relevant systems and notify the customer that data has been removed. But with RPA, you can use a bot which will react to the email message, identify the removal request, login to your business applications, delete records, send confirmation to the customer and go back to stand by until the next request comes in. 

Your company sells goods via processor, but you know that processor has limited resources and you are not sure if they can cope with changes 

According to GDPR, sellers communicating with clients via a medium (processor) are responsible for making the processor compliant. You could discuss it with your partner company, but in this case you need to reach an agreement if you can make changes in the systems managed by your partner. Since bots are highly descriptive and structured, you can reveal bot code to your processing company, making clear that no other changes will be made. 

client is happy with the service, but sends you an email that he\she objects to using his\her data in statistical modeling 

In this case the company has to make targeted modifications in systems where customer profiles are built and maintained. You can use RPA bots to make specific changes based on the context of an incoming request. Combined with cognitive tools like IBM Watson, you could use intelligent bots which understand natural language and route changes to specific applications.  

More protection for customers

GDPR enables extended protection to private users, but is also means new tasks and processes for companies. 

Remove customer data when it expires 

You should (this is a requirement by law, therefore should here indicates obligation) not keep client records longer than required. Therefore, records will be removed once the end date arrives, as set forth by the user agreement. The user account has to be deactivated and all relevant user data has to be removed from company ledgers. 


If your client base developed organicallythen accounts would be distributed over time. Therefore, every day a check must be made if any customers should be removed, notified, etc. Normally you would ask an employee for help, but RPA bots are another alternative. 


Communicate security breaches  

Companies are required to notify regulators (and in some cases clients) of any violations related to personal data within 72 hours once security breach is detected. 

Recent news of a hacker attack on Uber is aexample of violation of this rule. Uber told the press that hackers had access to personal data of 57 million users and drivers a year later.  Under GDPR it would be impossible to avoid a fine equal to 4% of the annual turnover. 

RPA bots are not designed to monitor security breaches, but once identified you can use bots to send notifications to respective parties.  

Make client data portable 

This requirement aims at providing equal opportunities for new companies if users decide to change a service provider. Under new regulation customers can request to pack up their personal data and hand it over to another provider. This usually implies checking multiple sources, extracting, zipping and sending. Another job bots can do, isn’t it? 

What is your strategy? 

If you operate in the EU or plan to provide services or goods to EU customers, I suggest undertaking a comprehensive assessment of methods and means of processing personal data to bring them in line with GDPR rules. Most likely it includes revisiting privacy policies and Terms of Use for EU customers. Update internal data protection policies, train personnel, extend data processing checks, maintain documentation on processing processes, implement data protection measures and appoint a person responsible for processing personal data. 

Once the scene is set, you can use RPA to carry out daily GDPR duties by checking, validating and interacting with clients and external parties. Obviously the same tasks can be handled by humans, but remember that fixing inconsistencies in any other way other than automation can lead to errors and timing issues. 

If you want to know more about RPA technology you can reach me at  

Anatoly Chernenko, Senior RPA Business Analyst at You-Get B.V.