BPM: Meeting the GDPR challenge
Business value from compliance
Customers using BPM systems also saw the potential and sought input from their software providers. “We had customers asking us to help them with GDPR,” remarked Andrew Sutherland, enterprise solutions engineer at bpm’online. “We dug into the issue, and realized our customers could leverage the business process engine to create interactivity in the tools that log in the way in which data had been used, for example.”
bpm’online studio executes and tracks processes to collect information from customers as to how data could be used and to manage incoming requests for such information. “Any time a contact is being leveraged as part of a business process,” commented Sutherland, “the system creates a historical view of the interaction, and gets a list of all the interactions. The customer can then be shown how the data is being used.”
Sutherland sees an opportunity for organizations to obtain business value from interpreting GDPR and knowing the letter of the law precisely. “We have seen some changes in European-based companies in marketing campaigns based on what is allowed,” Sutherland noted. “U.S. companies now want to track different types of data and maximize what they can do with it.” However, he sees a lag in full implementation by U.S. companies compared to European companies. “At this point we do not see comprehensive use of BPM for implementing all aspects of GDPR,” he stated. “In many cases, companies are still trying to figure out what they need to do.”
Because of major data breaches in recent years, emphasis has already been placed on securing information contained in databases. “We found there were many solutions for cybersecurity, privacy, and detection—the technical side of compliance—but not many for governance of processes related to privacy,” said Giorgio Carpano, sales manager for AuraPortal in Europe. In addition, AuraPortal is a Microsoft partner and there was a push from Microsoft for GDPR compliance.
AuraPortal’s platform focuses on business users and is “zero code,” so processes can be designed by drag-and-drop. In addition to its BPM capability, the platform has a module for enterprise content management and business intelligence for analyzing workflow. The GDPR compliance application provides a kit of workflows and pre-developed processes that helps customers govern the processes and activities related to data protection. It provides consent collection, automatic consent renewal, internal auditing, and automatic reporting of security breaches to supervisory authorities.
Some additional nuances of the regulation have added another layer of complexity for companies that use subcontractors. “Previous laws did not regulate the ownership of privacy data protection between a main contractor and a subcontractor,” noted Carpano. “With the new law, the main contractor is responsible, so they need to be able to monitor all the activity of subcontractors. Our solution governs all of these processes and data. If an audit comes from the local personal data protection authority, a DPO using our software has to access only one application to retrieve all the information.”
Market maturity
Automated processes are a particularly weak point in GDPR compliance. According to the AIIM survey, only 40% of companies have the capability to automatically delete personal information when required to do so. Under Article 33 of the GDPR, a breach now needs to be reported within 72 hours, or an explanation provided about why that could not be accomplished. In order to do this, organizations need to be proficient not only in tracking their data but also in automating their response.
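As an added illustration (not bpm’online’s or AuraPortal’s code), here is a minimal per-contact data-usage ledger of the kind described above: every process step records its use of a contact, the data subject can be shown the full history, erasure on request is both executed and enforced against later processes, and a helper tracks the Article 33 72-hour clock. All class names, process names and sample records are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class UsageRecord:
    contact_id: str
    process: str      # business process that touched the contact
    purpose: str      # what the personal data was used for
    at: datetime

@dataclass
class DataUsageLedger:
    records: list = field(default_factory=list)
    erased: set = field(default_factory=set)

    def record_use(self, contact_id, process, purpose, at):
        """Every process step that reads a contact calls this first."""
        if contact_id in self.erased:
            # Enforce the erasure: later processes cannot quietly keep using the data.
            raise PermissionError(f"{contact_id} was erased; {process} may not use it")
        self.records.append(UsageRecord(contact_id, process, purpose, at))

    def history(self, contact_id):
        """The 'historical view' shown to the data subject, oldest first."""
        return sorted((r for r in self.records if r.contact_id == contact_id), key=lambda r: r.at)

    def erase(self, contact_id):
        """Automated deletion on request; returns how many records were removed."""
        removed = len(self.history(contact_id))
        self.records = [r for r in self.records if r.contact_id != contact_id]
        self.erased.add(contact_id)
        return removed

def breach_notice_hours_left(detected_at, now):
    """Hours remaining on the Article 33 72-hour clock (negative once it has passed)."""
    return (detected_at + timedelta(hours=72) - now) / timedelta(hours=1)

def demo():
    """Constructed sample: two processes touch contact C-1, then C-1 asks for erasure."""
    t0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)
    ledger = DataUsageLedger()
    ledger.record_use("C-1", "newsletter-campaign", "marketing", t0)
    ledger.record_use("C-1", "order-fulfilment", "contract", t0 + timedelta(days=1))
    ledger.record_use("C-2", "newsletter-campaign", "marketing", t0)
    processes_seen = [r.process for r in ledger.history("C-1")]
    removed = ledger.erase("C-1")
    try:
        ledger.record_use("C-1", "newsletter-campaign", "marketing", t0 + timedelta(days=2))
        blocked = False
    except PermissionError:
        blocked = True
    return {"processes_seen": processes_seen, "removed": removed, "blocked_after_erasure": blocked,
            "remaining": len(ledger.records), "hours_left": breach_notice_hours_left(t0, t0 + timedelta(hours=60))}
```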
The market is not mature, agreed Carpano. “Many are still evaluating solutions and still don’t have a clear picture of what they need to do. In addition, they are not yet allocating big budgets to these activities.” A wait-and-see attitude prevails, as companies keep an eye on court cases and the associated fines. “In southern Europe, some big fines are being applied to companies that did not respect the Robinson list,” Carpano observed. The Robinson list consists of individuals who do not want to be contacted at all with advertising, and companies are obliged to consult it before making contact.
It is not unusual for companies implementing BPM for operational purposes to review and improve their processes as they do so. The careful review of processes entailed with implementation of GDPR can produce similar benefits. Although the impetus comes from regulatory requirements, the outcome may also be beneficial for the business.
“Companies that have their act together and are more strategic will have a competitive advantage,” says Mancini. “The ones that took it seriously will have a better handle on their data, and if data is better controlled and secured, that has business benefits.” GDPR requirements might also help those who have been engaged in issues related to privacy (but have not always received C-level support) make their perspectives operational. In addition, customer relationships can be strengthened when an organization takes steps to improve data security and ensure customer privacy.