27 Jun Robots on Guard to Protect Personal Data
The EU introduced updated rules for personal data protection, established by the General Data Protection Regulation (Regulation 2016/679, known as GDPR). It applies to EU and non-EU companies alike, meaning international companies trading within the EU have to comply as well. The new regulations enable EU residents to better protect and control personal data handed over to other parties. According to GDPR, violation of EU regulations would cost up to €20 million, or 4% of the company’s annual gross income. What it means for businesses and clients, and how RPA can help, is explained in this article.
Who is affected
GDPR clearly aims to protect EU customers, but is also applicable to international businesses operating in the EU:
US and Japanese companies sell to clients in the Netherlands. Should these companies introduce GDPR measures? Yes
Because the goods and services are sold to EU residents, adapted to local languages, paid for in local currencies, and provided via national domains of EU countries, GDPR is relevant to these businesses.
A company sells goods via a processor company and does not deliver to customers directly. Is GDPR relevant? Yes
The selling company in this case represents a controlling entity, responsible for maintaining valid and well-protected customer data at the processing company.
A company deals only with existing customers, no need to review privacy agreements, right? Wrong
Under the new regulation, existing agreements must be re-validated in an open and transparent fashion. On top of that, customers have the right to call off the agreement and request removal of their records.
GDPR offers better protection for customers, and at the same time GDPR introduces additional requirements for businesses. Companies will have to update or remove customer files, negotiate changes with business partners, inform regulators of security breaches and perform other activities on top of regular operations. Let’s have a look at some examples:
A customer sends you a request to remove his/her data
Normally you would ask an employee to pick up the request, remove records in all relevant systems and notify the customer that the data has been removed. But with RPA, you can use a bot which will react to the email message, identify the removal request, log in to your business applications, delete records, send confirmation to the customer and go back to standby until the next request comes in.
Your company sells goods via a processor, but you know that the processor has limited resources and you are not sure if they can cope with changes
According to GDPR, sellers communicating with clients via a medium (processor) are responsible for making the processor compliant. You could discuss it with your partner company, but in this case you need to reach an agreement on whether you can make changes in the systems managed by your partner. Since bots are highly descriptive and structured, you can reveal bot code to your processing company, making clear that no other changes will be made.
A client is happy with the service, but sends you an email that he/she objects to using his/her data in statistical modeling
In this case the company has to make targeted modifications in systems where customer profiles are built and maintained. You can use RPA bots to make specific changes based on the context of an incoming request. Combined with cognitive tools like IBM Watson, you could use intelligent bots which understand natural language and route changes to specific applications.
More protection for customers
GDPR enables extended protection for private users, but it also means new tasks and processes for companies.
Remove customer data when it expires
You should not keep client records longer than required (this is a requirement by law, so "should" here indicates an obligation). Therefore, records will be removed once the end date arrives, as set forth by the user agreement. The user account has to be deactivated and all relevant user data has to be removed from company ledgers.
If your client base developed organically, then account end dates would be distributed over time. Therefore, a check must be made every day to see whether any customers should be removed, notified, etc. Normally you would ask an employee for help, but RPA bots are another alternative.
Communicate security breaches
Companies are required to notify regulators (and in some cases clients) of any violations related to personal data within 72 hours of a security breach being detected.
Recent news of a hacker attack on Uber is an example of a violation of this rule. Uber told the press a year later that hackers had access to the personal data of 57 million users and drivers. Under GDPR it would be impossible to avoid a fine equal to 4% of the annual turnover.
RPA bots are not designed to monitor security breaches, but once a breach is identified you can use bots to send notifications to the respective parties.
Make client data portable
This requirement aims at providing equal opportunities for new companies if users decide to change a service provider. Under the new regulation, customers can request to pack up their personal data and hand it over to another provider. This usually implies checking multiple sources, extracting, zipping and sending. Another job bots can do, isn’t it?
What is your strategy?
Once the scene is set, you can use RPA to carry out daily GDPR duties by checking, validating and interacting with clients and external parties. Obviously the same tasks can be handled by humans, but remember that fixing inconsistencies in any way other than automation can lead to errors and timing issues.
If you want to know more about RPA technology you can reach me at firstname.lastname@example.org
Anatoly Chernenko, Senior RPA Business Analyst at You-Get B.V.