An Analytical Approach to GDPR Compliance

Christop Grossbaier / October 13, 2017

Your Company and Consumer Data

From May to July 2017, 143 million consumers had their personal data exposed to hackers as credit reporting bureau Equifax had their IT systems breached. Consider that number, 143 million - thatโ€™s nearly half the entire United States population, and an incomprehensible figure for a data breach that contained birthdates, social security numbers, and credit card information. Did Equifax do enough to protect consumer data? Were consumers notified quickly enough that their data might be at risk? What will be the financial repercussions for Equifax?

One thing that becomes immediately apparent is that Equifaxโ€™s response to the breach wouldnโ€™t have cut it under the new standardized General Data Protection Regulation regulations in the European Union. This new set of rules is designed to hold companies accountable for the protection of consumer data. It includes regulations that require companies to take โ€œreasonableโ€ measures to safeguard data, and also to notify consumers when thereโ€™s been a potential breach within 72 hours - not several months later.

Companies that do business in Europe are preparing for sweeping changes in how they store and manage customer data as a result of these new GDPR regulations. There are a lot of things to do before the law goes into effect in May 2018, from appointing a Data Protection Officer to putting policies and procedures in place that ensure compliance. Most people are looking at GDPR from a security perspective โ€“ after all, it is about โ€œdata protectionโ€ โ€“ but thereโ€™s a significant role that big data and analytics will play to help companies meet the stringent new regulations.

Citizens trust companies with myriad personal data, and the main goal of GDPR is to hold these companies accountable for the way they use and protect that sensitive information. Any company that deals with personal data related to citizens of the European Union is subject to the law, so its impact is wide-reaching and companies around the globe need to pay attention.

There are three core guiding principles behind GDPRโ€™s design: consent, limitation and transparency. First, the law seeks to ensure that personal data is only processed when there is a lawful basis โ€“ and consent, in the form of a contract or legal obligation โ€“ for doing so. Next, it aims to limit the collection of data for specific, explicit and legitimate purposes, and restrict collection to as little data as necessary. Lastly, it requires organizations to be transparent by demonstrating compliance and being able to provide people with information about how their personal information is being used.

Non-compliance with GDPR has severe consequences, ranging from fines up to 20m โ‚ฌ or 4 percent of a companyโ€™s annual revenue (whichever is greater), to perhaps more damaging effects on a companyโ€™s brand and reputation. To avoid these costly penalties, companies need to ask themselves โ€“ and make sure they can answer โ€“ important questions such as:

  • How good is your understanding of the type of personal data that your company is processing?
  • What data were you given permission to process for which activities?
  • Can you explain the purpose of each instance where youโ€™re using personal data?
  • Are you able to demonstrate compliance to data subjects (i.e. customers) in a timely and efficient manner?

Data Transparency

To answer these questions, organizations need full transparency into every activity that impacts the processing of personal data. They need to establish a full record of activities and map out the business and functional processes for using personal data, and provide continuous reporting to ensure compliance. For most large organizations, itโ€™s a daunting task; the volume of data, and the complexity that comes with tracking how itโ€™s used, is too complex to manually unravel and record.

However, there is a solution readily available to businesses with existing IT systems. By tapping into a companyโ€™s event logs, Process Mining technology can reconstruct the journey that your customersโ€™ data takes through your organization. After ingesting and analyzing data, Process Mining provides a visual map of where personal data is coming from and where itโ€™s going so you can easily see if your organization is within the defined lawful grounds for processing.

For example, a large company in the banking industry partnered with Celonis as their Process Mining provider to monitor its Master Data Management process, and to monitor its procedures for opening new accounts. Celonis Process Mining technology gives the bank full visibility on how personal data is collected in its systems and any sources that are used to enrich that data. The company can clearly see when initial data collection takes place through an online form filled in by the user, and how that information is supplemented by additional data from credit check agencies and social media. The end-to-end visibility gives a clear understanding of this entire process so the company can see where any GDPR vulnerabilities lie. In a similar fashion, when it comes to the process for opening new accounts, the bank can see exactly how data is processed, from the initial account opening to its use for customer service or other activities.

Process Mining provides clear visibility into the source of customer data and maps out where and how it is being used in an organization to provide a number of benefits including:

Reduction in Time and Resources Spent Understanding how your data is processed can be tedious and error-prone. Process Mining reduces the time it takes to analyze the flow of data and with automation, improves the reliability to provide a genuine view of the way processes really work.

Reduced Risk of Fines and Brand Damage With steep fines and real potential for irreparable damage to a brand, full transparency into all processes related to personal data substantially reduces risks and makes it easy to demonstrate compliance to the executive suite, board of directors, regulatory bodies and your customers.

Sustainable Benefits While many companies have clearly defined best-practices for their business processes, the reality is that there will always be variations that occur and create inefficiencies. Process Mining can provide a transparent picture of real process flows, empowering an organization with the knowledge needed to identify and resolve inefficiencies, and generate additional value.

Itโ€™s time to get ready for GDPR, and the consequences of noncompliance can be significant. Looking at the big picture, thereโ€™s also a positive impact that can come from these preparations wherein organizations can use GDPR as a trigger to transform their business processes and become more efficient. Celonis Process Mining gives companies the ability to accelerate their journey towards GDPR compliance, while also identifying opportunities to improve efficiencies that reach much deeper into an organization.

Back to the blog