Automate GDPR Right to Access Requests with SAP Intelligent RPA
In this blogpost I will explain you the use case of automating General Data Protection Regulation (GDPR) requests with RPA. We, as consulting experts from enmore and BTC, analyzed how these processes currently take place in companies, what needs to be done to ensure the GDPR requirements are met and how to create a desirable offer for potential customers. In this use case-oriented blogpost, I will give you some insights about the work we have done so far.
Table of contents:
- Information about the current GDPR requirements
- Findings of our field study and explanation of the existing problem
- How RPA can aid in the process of answering GDPR requests
- Benefits of having a bot doing part of the work
The Background – GDPR Legislation
The European Data Protection Regulation is applicable as of May 25th, 2018 in all member states to harmonize data privacy laws across Europe. Consumers have as defined in Article 15 GDPR the right to request personal data stored by companies. This rule applies to any company doing business in the EU member states so they must provide information about the following topics:
- Purpose of the processing
- Categories of personal data
- Potential recipients or categories of recipients
- Envisaged period of storing
In addition to that a copy of the stored personal data must be created and sent to the requester. In general, the request needs to be answered within one month.
The Problem – No Standards and Time-Consuming Work
At the beginning of the project, we conducted a small field test, with companies of the utilities industry and large corporations like Amazon, Facebook and Schufa. We identified that the companies took very different approaches to answer the requests. Especially for the small and medium sized utility companies we could identify that the process for answering the request is far off being standardized.
There were clear mistakes and insufficient information given. Many of the replies were even signed by hand and in some cases, there were careless typos included. Obviously, those are quality issues that could potentially lead to fines, loss of trustworthiness and unsatisfied customers.
To answer these requests, we identified that data protection officers by themself usually do not have access and the knowledge to interact with the systems where the personal data is stored. Thus, he/she needs to get in touch with the respective lines of business to request the stored data. Clearly a case where silos within the company, create communication hurdles. These hurdles in result make the task to answer requests a tedious and laborious work. In addition to that, answering requests are not value-adding tasks so they should be automated wherever possible.
The Solution – Automate it with RPA
This is where the power of RPA comes into place. The process by itself is very rule-based, it occurs depending on the company in a repetitive frequency and usually includes several systems where data needs to be retrieved from. In addition to that input as well as output data is digital.
As shown in the image below the process of answering requests manually follows several steps. The steps indicated in green are the ones RPA will be applied.
For standard requests via email, it would be too complex to fully automate the process. Especially the checks and verifications at the beginning are cognitive task where unstructured inputs are involved. Those kinds of tasks can usually be done much quicker and more accurate by humans in comparison to machines. The bot will take over and assist the data protection officer during the lengthy steps of the process. Those include looking up personal data of the requester in the various systems and copying as well aggregating them into a document that will be send. Before answering the request, the collected information should be checked one last time to ensure that the information will be send to the correct recipient.
By using forms, chatbots or a button in a digital service center the input data is structured, and the reply can be created as well as send out without all the manual verification tasks. This is example shows once again that the full potential of process automation can only be achieved by combining several tools. RPA by itself is very powerful but it has its limitations and to fully automate processes it must work together e.g., with chatbots, document processing or APIs.
Some GDPR cases and requests can become very complex especially when the main focus of the requester is to harm the company. This can be the case by requests from former employees. These kinds of special cases are not reasonably automatable. Process automation with RPA focuses on the happy path which may include 80 % of the requests. Including higher complexity is generally possible, but in most cases not financially viable. Standard requests from customers according to Article 15 GDPR can easily be automated, but as soon as complexity rises, and strong cognitive capacities are needed the human worker is irreplaceable.
By having a bot aiding the data protection officer the following benefits can be unleashed:
- Standardization of the procedure for responding to GDPR requests.
- Reduction of workload and higher guarantee of compliance with deadlines.
- Minimization of risks, sources of errors and avoidance of potential fines
- Uniform form and consistent content of response letters
- Increased customer satisfaction due to fast and proper responses
If you are interested in automating this process in your company or if you want to learn more about this use case, feel free to get in touch with us.
Let me know about your thoughts concerning the application of RPA in the use case of answering GDPR requests.