Its role could become critical as GDPR comes into force to tighten legislation for any company handling information about European consumers, define strict rules for how data should be handled and enforce the rights of individuals to review and control their personal information.

Lawmakers have enhanced data access rights to ensure consumers can see what information companies hold about them, an issue that has become more topical since the recent scandal over Facebook’s data breach involving Cambridge Analytica.

Without automation, there are fears that these enhanced data review rights could prompt a flood of requests that mire companies in costly administration.

However, because responses to GDPR requests are likely to be limited to a small number of clearly defined processes, it is a perfect platform for RPA.

According to Deloitte, an average one minute of work for a robot is equivalent to 15 minutes of work for a human.

It is a view held by Ashley Winton, partner at McDermott, Will & Emery, who has raised concerns that some consumers could use enhanced rights to ‘punish’ companies for perceived failures, rather than to satisfy legitimate concerns about reviewing their data.

Speaking at the International Auto Finance Network conference, he said: “Data subject rights could be the bane of your life. Under the GDPR, individuals have more rights and there’s no fee for exercising them.

“So, if you think there’s a material risk you might be flooded by unhappy [consumers] and their complaints, I would try and automate if you can. Otherwise there’s a people-cost in dealing with them.”

Although there is a benefit to automation, implementing a solution requires careful strategic planning.

It is likely that companies most affected by the legislation will have an international customer base and multiple offices, which hold a variety of complex data sets in different formats across a wide range of systems.

These could all need to be interrogated to respond to a single consumer data enquiry, which may also involve changing or deleting records and keeping a clear audit trail of all modifications and amendments.

According to Dermot McCauley, vice-president of product marketing at robotic and financial process automation specialist Kofax, it is time for CIOs to investigate the potential value of RPA technology, if they haven’t done so already.

He said: “You can deploy automation quite quickly on a small scale to gain experience of the different types of automation for simple business processes that are currently highly manual, and therefore expensive, and then go from there.

“Companies are just becoming aware of the intersection between Robotic Process Automation and GDPR compliance.

“Put simply, when you receive any of these GDPR requests, software robots can obtain the information, carry out actions and provide a response, no matter where the data resides.”

Robots can dig out the relevant data hidden in structured or unstructured formats, ranging from databases to Excel documents and even scanned papers.
Initially, it is important to map out the different processes that individual GDPR questions will trigger throughout the company, to create a blueprint of what automation needs to achieve and how.

For example, the method of delivery for a data request might come by telephone, email, mobile device or even a letter and there need to be flawless processes for handling each channel.

A broad question such as “what information about me do you hold on your systems” might require an investigation covering email, PDFs, documents and spreadsheets, CRM databases and many more areas.

“Every time employees email, they might be distilling personal data,” McCauley points out.

Automated systems must identify whether an incoming request is a GDPR-related enquiry before ‘bots can respond and decide on the correct course of action.

To simplify the process, companies may want to provide clickable buttons on their websites to prompt specific actions, so customers can define their request at the outset and trigger the robotic process.

Alternatively, call centre staff might need to have the resources to start a request based on an incoming call.

As there will still be human involvement, it is also important that any interaction with systems is simple and intuitive, no matter how complex the process behind it.

Letters and paper-based requests might be more difficult to automate, but McCauley believes a paperless system, where documents are scanned and digitised on arrival, is a sensible approach to drive automated processes from the outset.

‘Cognitive robotics’ can be used to understand scanned pages and interpret them to activate a GDPR-related process.

Reynold Leming, managing director of information asset management specialist, Informu Solutions, says companies need to prioritise the creation of data inventories to cope with the sheer scale of the data challenge related to GDPR.

Inventories simplify the creation of audit trails and speed up access to the right data when enquiries arrive, but also ensure companies understand in detail what data they hold.

In addition to minimising enquiry response times, carrying out an audit could reveal areas at risk of a data breach or other issues that could incur hefty penalties under the GDPR regulations.

Leming, who outlined the key issues in a webinar alongside McCauley, hosted by AIIM, said: “With the sheer scale of personal data, it is essential to have auditing and a data inventory; you need robotic process automation to have the insights you require.

“Having an inventory helps you prioritise where to look and identify where information might be shared externally, so you can make sure you are complaint with GDPR.”

McCauley calls robotic process automation a “GDPR hero” because of its potential to avoid the administrative costs and management time that could otherwise be associated with the new legislation.

The debate is also raising awareness of the broader potential of automation in the finance sector.

For example, a large European bank used automation of processes to slash data-gathering time for critical procedures related to compliance, with customer due diligence and know your customer investigations cut from 15 minutes to less than two minutes, while anti-money laundering compliance fell from 20 minutes to less than three minutes.

Recently, Close Brothers Motor Finance revealed it was planning trials of robotics following the appointment of new chief operating officer Jaco Wilsenach.

For CIOs looking for further guidance, McCauley recommends joining like-minded communities where common issues are discussed.

This includes organisations such as AIIM, the global community of information professionals.

In addition to offering instructor-led and online education programmes and events, AIIM hosts an online community and discussion forum where technology professionals can share best practice and obtain help with project planning.

McCauley said: “You can also talk to companies such as ours and we can identify target areas for future robotic process automation.”

Further resources:

https://www.kofax.com/Products/Robotic-Process-Automation

http://www.aiim.org/

http://www.informu-solutions.com

Data considerations for CIOs

  • Ensuring legality throughout the information lifecycle: collection, use, storage, disposition
  • Supporting data accuracy and disposition
  • Ensuring security of physical and electronic data
  • Ensuring business continuity for physical and electronic data
  • Ensuring identification and accessibility of personal data to respond to data subject rights and requests
  • Maintaining robust data supply chain – controllers, processors, other recipients
  • Remaining accountable - keeping inventory and audit trail records for personal data and processes

Source: AIIM, Informu, Kofax

GDPR rights and Robotic Process Automation

  • Be informed - transparency over how personal data is used
  • Access - providing access to personal data, information on how it is used, and any supplemental data that may be used alongside personal data.
  • Rectification - having personal data rectified if it is incorrect or incomplete.
  • Erasure (right to be forgotten) - removing personal data when there is no reason to store it.
  • Data portability – providing copies of personal information for consumers to use elsewhere, such as if applying for financial products across several vendors.

Source: AIIM, Informu, Kofax