BPM: Meeting the GDPR challenge
Despite the long lead time to prepare for the EU’s General Data Protection Regulation (GDPR) and the potentially large penalties for violating it, many organizations were not prepared to fully implement its provisions when the regulation came into force in May 2018. In a survey by AIIM conducted after the deadline, for example, only 36% of the respondents reported having a dedicated privacy function.
About three-quarters had appointed a data processing officer (DPO) but the remainder had not, and some did not know if they needed to. (Not every organization is required to appoint one.) Substantial minorities (20%–30%) had little or no confidence that they could meet core compliance requirements, respond to new rights afforded to customers, or control personal information in their content systems. These are key provisions of a law designed to protect an individual’s rights to the protection of personal data.
A good starting place, according to John Mancini, chief evangelist at AIIM, is to identify where personal information is stored and where it is used. This step provides a good overview of the flow of data. “It is important to find out where personal information is exposed in an organization’s processes,” Mancini said. This in turn leads to the ability to identify potential vulnerabilities and set priorities for addressing them.
Processes drive compliance
Processes are at the heart of GDPR compliance. Among the top priorities in implementation, for example, are developing and documenting processes for obtaining opt-in consent and reporting data breaches. In addition, most of the provisions, such as data portability and the right of individuals to access information about the processing of their data, entail processes.
Business process management (BPM) software vendors have seen opportunities for implementing GDPR, both for identifying existing processes and developing new ones for compliance. “Finding and deleting personal data under the ‘right to be forgotten’ requirement of GDPR is a process problem, not a data problem,” noted Mark McGregor, head of strategy at Signavio. “You have to know how their data is being processed throughout the enterprise in order to find and delete all the instances of their name.” Part of the problem is that different systems may identify the same individuals in different ways; e.g., by first and last name versus email address or telephone number.
Signavio’s process mining allows discovery of processes such as the customer journey, so that the organization knows at each point where personal information surfaces. Signavio’s Business Transformation Suite has three modules built around a collaboration hub: a process manager for modeling, a process automation engine, and process intelligence for analytics. Understanding the organization’s processes is necessary for compliance. “You can mine a database for an individual’s name,” commented McGregor, “but that does not tell which processes use the name with or without anonymization, or where anonymization does not match the new rules.”
Because of the depth and complexity of the regulation, companies may not have achieved full compliance. One important factor in implementing GDPR, though, is making a reasonable endeavor to comply. “If an organization has made a demonstrable effort to locate all the instances of the use of an individual’s data,” McGregor explained, “then even if the effort was not 100% successful, the intent would be recognized.” Organizations that have addressed their processes, rather than limiting their actions to protecting their database from breaches, will be in a more defensible position.