There were mutterings last year about the General Data Protection Regulation – more commonly known as GDPR – which is set to become a legal requirement in 2018. It was flagged in emails and mentioned briefly in meetings, but mostly people just put a pin in it. Now that the 25th May 2018 enforcement date is a matter of weeks away, it’s time to think about how it will affect your digital processes…
What is GDPR? (For those who have been avoiding this problem until now!)
GDPR is being brought in to enable people to know, understand and agree to what their data is being used for once it is captured. This means that organizations must make it clear why and how personal data is collected, stored, processed and accessed. Once personal data is captured, it must be adequately protected to give customers and employees peace of mind that their personal data is secure.
If you have any European (including British) customers or employees, then GDPR is a legal requirement. GDPR is an EU requirement, but despite Brexit, GDPR is being introduced to UK law to ensure a data protection framework that is “suitable for our new digital age, allowing citizens to better control their data.”
Organizations must identify all personal data in all their systems. They must then ensure that, at every touchpoint in their processes, the handling of that data is GDPR compliant. Not only that, they must demonstrate this compliance and show “accountability” according to Article 5 of GDPR. Non-compliance could mean you are hit with a huge penalty – up to 4% of your total annual turnover.
OK great, so what exactly do you need to do about it?
You will need technology in place to ensure that your processes are compliant. You should ensure that the platform not only serves your immediate need to become GDPR compliant but is also flexible enough to “mold to the process and cultural aspects of your organization”, as Computer Weekly highlights.
The software should help to meet the need for rapid, democratized digital transformation via process application platforms, and address the growing need for agile regulatory response “by design”. These two requirements are not competitors but, in fact, bedfellows when it comes to BPM.
In order to tackle data-privacy-by-design issues, you must identify the problem before you can solve it. This means that the first step is to map out all your organization’s business processes and understand where personal data is stored in all your systems. From there you can ensure that all processes handling that data are secure and GDPR compliant.
You should then set in place a Data Protection Impact Assessment (DPIA) for all your processes that handle personal data. By making this mandatory, you can follow a privacy-by-design approach and ensure that you are adhering to GDPR. The steps of a DPIA are as follows:
- Describe the process
- Assess the risks
- Identify the measures to address these risks
- Specify how you will demonstrate compliance
As IT Governance highlights, a DPIA should be “treated as a continual process, not a one-time exercise,” in order to ensure that processes remain secure.
In terms of security-by-design, GDPR does not set out particular standards to be met, which can make the process unclear. Article 32 of the regulation highlights that you need to show evidence of “regularly testing, assessing and evaluating the effectiveness” of your implementation and “technical and organizational measures to ensure a level of security appropriate to the risk”.
Tighter security measures should mean no breaches, but if the worst should happen, your organization needs to have data breach management in place. Article 31 of GDPR stipulates that, in the case of a personal data breach, data controllers must report the breach within 72 hours to the authorities and to affected users. However, users do not need to be contacted if the data was encrypted or there is no “risk to the rights and freedoms of individuals.”
Understanding consumer rights and Subject Access Requests
Under GDPR, consumers will also be able to make Subject Access Requests (SARs) to find out what personal data is held on them, so you will need to be able to release this data, when requested, in a safe and secure manner. At present, an SAR costs up to £10 with a response time of up to 40 days, but under GDPR, SARs will be free and data controllers will have only one month to respond.
A recent study by Exonar found that 57% of people would raise a SAR come May, with a third of people enquiring at their bank and 16% at their credit card provider. According to DataIQ, this could result in around 21 million current account holders raising a SAR and a further 8 million or so credit card holders also asking for the information held on them. The research also found that consumers are worried about how their data is managed today: 27% are concerned their data could be sold, and another 27% said they worried about hacking.
Non-compliance could result in hefty penalties – “fines up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover” according to Article 83 of the regulation. In addition, the data subjects affected could claim for compensation via a class action lawsuit.
But it’s not just the initial monetary fines you need to worry about when it comes to non-compliance – the big concern is your organization’s reputation. Customers may withdraw their business if they feel that their data could be compromised or misused, which in turn could lead to share price damage and a tainted name within your industry that could destroy the brand reputation you have spent so long building.
This is starting to sound like a nightmare! So how can Bizagi help?
With Bizagi, you can both identify and secure the processes that use personal data. Bizagi Modeler helps you build processes quickly, so you can easily carry out Data Protection Impact Assessments and react to legislative changes – both GDPR and any future regulations.
STEP 1 – Define and refine your processes
Using Bizagi Modeler, you can establish governance by creating a timeline to see what happens in all of your organization’s business processes that handle personal data. From here, you can view a diagram that maps out the process and sub-processes. Through this, you can then identify the risks, see who is responsible for each sub-process and make everyone aware of the new GDPR regulations.
STEP 2 – Turn processes into applications
Then using Bizagi Studio, you can rapidly create enterprise process applications that power the processes you need to be compliant, automate as many actions as possible, and make it easy for people to take the actions they need to take. You can assign tasks to the correct member of staff using forms and business rules behind the process.
The risk assessment process is clear and easy to follow through forms, which can be designed to highlight the system details, the risks that have been identified, and the measures that should then be taken to reduce those risks. Risks can be scored to indicate severity so that you can prioritize what needs to be addressed first. You can then generate a report showing which risks have been identified and how they have been resolved.
With Bizagi you can make the most of your current software stack, as Bizagi wraps a layer around legacy systems and third-party technology. It connects easily with your existing technologies, so there is no need to rip and replace. And everything is done through a low-code approach to create an agile system that you can manage with ease. Sounds great? Don’t take it from us: our ease of use and sky-high customer satisfaction are recognized in the latest Gartner Magic Quadrant (Download Free).
Do you want to see Bizagi in action in a GDPR context?
You’re in luck: not too long ago we ran a webinar on ‘How a Digital Business Platform can help you reach GDPR Compliance’. Here it is below; all you need to do to watch it is sign up for a BrightTalk account, which is super simple.