Under European Union regulations that went into effect May 25, 2018, businesses need to implement a variety of data privacy controls and monitoring, and they need a way to do things like: 1) give customers an easy way to see what information the business holds about them, 2) provide a way to correct that information, and 3) provide a way to delete that data (sometimes known as the “right to be forgotten”). The General Data Protection Regulation (GDPR) will make the EU’s already-strong personal privacy protections even stronger. It’s a detailed set of rules, and businesses failing to follow them can be subject to huge fines and penalties.
Those regulations — which apply to every business processing data relating to EU residents or customers, whether the business is located in the EU or not — offer an excellent example of how workflow platforms can assure auditable compliance with complex regulations.
A number of on-premises software systems, cloud servers, and data stores will have to add increased authorization and create audit trails. That burden will make day-to-day work life much more complicated and expose significant new risk. The complexity and risk arise because business interactions typically involve many parties, software systems, services, and types of content.
Companies have only two choices: (1) mandate extensive training and develop and maintain policy manuals that explain where to go and what to do when processing customer data, or (2) implement automated processes that ensure work with data is done in a way that complies with policies and law.
For obvious reasons, option 2 is the better choice: training is reduced and policies are enforced such that GDPR compliance represents neither a financial nor efficiency risk. On the other hand, without workflow, compliance with GDPR complexities represents an ever-present risk to the business and a drain on resources. EU fines await even a single misstep.
Companies leveraging workflow will see GDPR compliance become inexpensive, accurate, and repeatable. In addition, business processes automated with workflow can be amended without requiring additional employee retraining.
A citizen of England, Peter Summer, contacts your business to ask what information you have about him. Perhaps that query comes in via a phone call, an email, or an online form. How are you going to find all that data?
For businesses, customer information may be held in a single database (such as a CRM) or in many databases in many systems, both internal to your corporation and external in partner or vendor systems. That data may contain different spellings of Peter's name (such as Peeter). Some vendors or systems might record him with his middle name, and some with different addresses if he has moved and the systems haven't updated their records. There are customer billing records, project and work records, shipping records, website and social media tracking data, ad impression data, opt-ins, and opt-outs. There’s data that is pulled and served up about his education, his household income, his favorite color, his political preferences, his favorite newspaper, his shoe size, whether he owns a boat, his wife’s name, his wife’s favorite baseball team, his daughter's age, his daughter’s favorite singer, etc. You get the point: there is a massive amount of (sometimes messy) data to manage and maintain.
In the past, there’s been no ROI in correcting the discrepancies across hundreds of data sources. You’ve learned to live with it. However, under GDPR, you need to find all Peter's data — and it makes sense to normalize his records in the process.
One attempt at describing best practices around accessing Peter's data would be to conduct an exhaustive research project to find all the data sources and explain how to address them. You could then publish these procedures in a PDF (or keep a physical binder in the office to refer to) and mandate that every employee who may handle these requests follows those processes to the letter. If you decide to update your procedures, you’ll need to retrain your employees. Keeping up with training and documentation will be a daunting task, compounded by employee turnover and regulatory change.
BPM/workflow software is a superior option to manually driven compliance. Why teach employees how to find the GDPR-mandated data, and then hope they handle it flawlessly? Instead, let workflow aggregate data from the sources and automatically present it to Peter. Workflow won’t forget the process, will always log what happened graphically for audit purposes, and will present accurate and repeatable reports to Peter.
Similarly, workflows can find and fix discrepancies or even present discrepancies to Peter so that he can properly and accurately adjudicate them.
Bigger Than The GDPR
GDPR explicitly mandates some things we ought to do anyway! Have you ever been frustrated by data inconsistencies? For example, maybe information in our health care plan database doesn’t match that on our driver’s license. Fixing these problems is time consuming and typically frustrating: long hours on the phone, sorting through and providing copies of documents to service providers, and oft-repeated conversations with different people at the same company.
More often than not, aggregating all customer information in a single database is not plausible: multiple databases are the rule. And databases multiply due to changing business focus, mergers and acquisitions, and newly available technology. BPM/workflow works across these databases and can be readily modified as company infrastructure changes. Manually staying on top of change is impossible for most companies.
GDPR is here: use BPM/workflow to manage compliance, lower costs and risk, and lay the foundation for managing change.