By Miguel Valdés Faura
Are you really ready to comply with the European Union’s (EU) General Data Protection Regulation (GDPR), which will be enforced beginning May 25, 2018? GDPR is being heralded as the most important change in data privacy regulations in two decades, and you’ve probably seen copious articles about how to prepare and plan for GDPR compliance.
But if you’re still in the GDPR auditing and planning stages, it’s time to move to the action phase. Coordinating all the software professionals and systems involved in achieving and demonstrating GDPR compliance is daunting. The right automation of business processes to comply with GDPR—and to prove that compliance—could well be what stands between you and hefty fines.
Stop Thinking of GDPR Compliance as a Purely IT Issue
Remember all the preparations in 1999 for the Y2K bug? You might view GDPR compliance as the next big over-hyped IT event. But it’s a mistake to treat GDPR as purely an IT issue.
GDPR compliance will likely touch every department in your organization, with multiple responsible people and numerous processes involved. The impact on software professionals could be profound.
Even if your organization doesn’t directly do business with EU-based customers or partners, you could still be subject to GDPR mandates. All it takes is one EU-based person to interact with your company, on any level, for your company to fall under the GDPR requirements.
For instance, one aspect of GDPR is what is known as ‘the right to be forgotten’ or Data Erasure. When an EU-based person requests that information be completely erased from your organization’s databases, think for a minute what that really entails.
First of all, GDPR personal data is wide ranging. According to the official GDPR website’s FAQ, it includes: “Any information related to a natural person or Data Subject that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Then, you need to determine the relationship of the requester to your organization. What systems might possibly contain personal data related to this person? It’s not as simple as saying that customer data will be found in your CRM system, or partner information in your in-house RDBMS.
Consider your internal processes around data. Could you have any of this person’s financial data, even if he or she hasn’t completed a financial transaction with your company? What about your marketing and sales systems? Customer success team? Customer support? Could anyone in your organization have referred to this person in any internal or external communication? Could the person have interacted with any of your social media networks? And what about the backups for all these systems?
What are your internal rules governing data management for each of these systems? For instance, what are the engagement rules for your marketing data? Are there rules for how data is to be deleted, or whether data has expiration dates?
Beyond auditing and documenting the location of all the internal data that might be affected by GDPR, have you actually begun implementing processes governing how all your systems manage specific data access, movement, and persistence? Have you put into action the appropriate workflows to respond completely to the right to be forgotten and other aspects of GDPR? This point of action is where a business process management (BPM) platform can be of enormous help.
BPM exists to bring order and efficiency to the flow of complex processes though process automation. BPM can streamline and simplify compliance with GDPR—making the intertwined processes more fluid—while simultaneously documenting process flows and providing traceability, which is a key point of proving compliance with GDPR.
Demonstrating GDPR Compliance
As mentioned a few times already, it’s not enough to simply comply with GDPR; you need to be able to prove compliance to the satisfaction of EU authorities. BPM platforms can be invaluable here because they not only manage processes in real time, they also create a traceable record documenting what happened and when.
Here’s a quick example, a software company needs to document compliance with an EU person’s request to be forgotten in all its systems. The majority of the company’s data is in a SalesForce system, but personal data might also be found in the company’s accounting, marketing, and software license tracking databases, as well as on various social media posts.
A BPM platform can assist in finding, deleting, and documenting the deletion of the requestor’s personal data across all these systems. The BPM platform creates a time stamp that tracks each step of every process. It identifies who in the company is responsible for deleting the information from which databases, then records when each deletion occurred.
As middleware, BPM can also manage processes across different applications in your organization. Without BPM, the alternative would be to write processes for each of your databases individually. This manual approach makes it much more difficult to not only make sure you’ve checked every applicable database, but also document that every instance of the requestor’s personal data has, in fact, been deleted.
Getting Ready for the Next ‘GDPR’-Like Challenges
It’s important to remember that GDPR itself is a process, and a complex one. It’s not a checklist or a series of random steps. It can be set up as a disciplined process to manage personal data across all your organization’s databases. For that reason, a BPM platform is ideally suited for GDPR compliance.
In addition, a BPM platform lets you transform your business processes to be compliant with GDPR while continuing to leverage your existing IT assets. You can begin working with the BPM platform to structure your GDPR-related workflows and systems so they support efficient completion of compliant tasks. With this model for process management in place, you can add the platform-based applications you already use, including customer relationship management, enterprise resource planning systems, and custom developments in Java, .NET, or legacy infrastructure.
In our increasingly interconnected world, data management and data privacy issues aren’t going to get any easier. Maybe the challenges of GDPR caught your company by surprise. Perhaps your organization’s processes are just simple enough that you can handle them manually—for now.
But by putting in place a BPM platform, you’ll be better prepared to handle any future data management regulations that are sure to emerge. SW
As COO and co-founder of Bonitasoft, Miguel Valdés Faura is recognized for his business process management expertise and his passion for building open-source community. Contact him on Twitter at @MiguelValdes or by email at firstname.lastname@example.org.
Mar2018, Software Magazine