Between May and July 2017, 143 million consumers were left vulnerable when hackers hit the Equifax credit bureau. Consider that number — 143 million — nearly half the population of the United States! This massive violation of personal data, including birthdates, social security numbers, and credit card information, gave rise to numerous questions: Did Equifax do enough to protect consumer data? Were consumers notified quickly enough that their data might be at risk? What will be the financial repercussions?
Equifax’s response wouldn’t have cut it under the European Union (EU) General Data Protection Regulation (GDPR). This set of rules holds companies accountable for protecting consumer data. It also requires “reasonable” measures to safeguard data, and a consumer notification window of 72 hours following a breach—not several months later.
Since going into effect in May 2018, GDPR has changed not only the way companies operate, but the way they view data. The law has three core principles:
Any business handling personal data of EU citizens is subject to GDPR, so it affects companies around the globe. Consequences for non-compliance range from fines up to 20M € or 4 percent of annual revenue (whichever is greater), not to mention the damage to a company’s brand and reputation.
Most people only view GDPR from a security perspective. It is, after all, about “data protection.” Beyond appointing data protection officers and implementing stricter policies and procedures, however, big data and analytics will also play a significant role in compliance. Companies need to ask themselves:
To truly answer these questions, you need full transparency into every activity impacting the processing of personal data. That entails establishing a full record of activities, mapping the business and functional processes, and reporting continuously to ensure compliance.
For most large organizations, that’s a daunting task due to volume and the related complexity of manually unravelling and recording data.
Keep track: process mining helps process personal data correctly.
Yet by tapping into the event logs of your existing IT systems, process mining technology can reconstruct the step-by-step journey your customers’ data takes through your organization. With a visual data map in hand, you can easily see if you’re operating within the law for personal data processing.
As an example, a large banking company partnered with Celonis to monitor its Master Data Management process and procedures for opening new accounts. The company could clearly see the initial data collection through an online form, and how that information was supplemented with data from credit check agencies and social media. The end-to-end visibility of the entire process revealed where any GDPR vulnerabilities might lie. In a similar fashion, for its new account process, the bank could see exactly how data was processed and used, from account opening to customer service or other subsequent activities.
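As an added illustration of what “tapping into the event logs” looks like in practice (example code written for this article, not Celonis software), the script below rebuilds the directly-follows graph of a constructed new-account event log and flags cases in which personal data went to a credit agency or social-media enrichment before consent was recorded. The activity names, the consent-before-sharing rule and the log itself are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log for a hypothetical new-account process:
# (case_id, activity, timestamp). Not real bank data.
EVENT_LOG = [
    ("A1", "Submit online form", "2018-06-01T09:00"),
    ("A1", "Record consent", "2018-06-01T09:01"),
    ("A1", "Query credit agency", "2018-06-01T09:05"),
    ("A1", "Enrich from social media", "2018-06-01T09:06"),
    ("A1", "Open account", "2018-06-01T10:00"),
    ("A2", "Submit online form", "2018-06-02T11:00"),
    ("A2", "Query credit agency", "2018-06-02T11:02"),  # shared before consent
    ("A2", "Record consent", "2018-06-02T11:30"),
    ("A2", "Open account", "2018-06-02T12:00"),
    ("A3", "Submit online form", "2018-06-03T08:00"),
    ("A3", "Record consent", "2018-06-03T08:01"),
    ("A3", "Open account", "2018-06-03T08:30"),
]

# Activities that disclose personal data to an outside party (assumption).
EXTERNAL_SHARING = {"Query credit agency", "Enrich from social media"}

def traces(log):
    """Group events by case and order them by timestamp -> {case: [activity, ...]}."""
    by_case = defaultdict(list)
    for case, act, ts in log:
        by_case[case].append((datetime.fromisoformat(ts), act))
    return {c: [a for _, a in sorted(evs)] for c, evs in by_case.items()}

def directly_follows(log):
    """Count how often activity A is immediately followed by B across all cases."""
    dfg = Counter()
    for trace in traces(log).values():
        for a, b in zip(trace, trace[1:]):
            dfg[(a, b)] += 1
    return dfg

def consent_violations(log):
    """Cases where data left the organisation before consent was recorded."""
    bad = []
    for case, trace in traces(log).items():
        consent_at = trace.index("Record consent") if "Record consent" in trace else len(trace)
        if any(a in EXTERNAL_SHARING for a in trace[:consent_at]):
            bad.append(case)
    return sorted(bad)

if __name__ == "__main__":
    for (a, b), n in directly_follows(EVENT_LOG).most_common():
        print(f"{a} -> {b}: {n}")
    print("consent violations:", consent_violations(EVENT_LOG))
```

Pointing the same two functions at a real system's exported event table gives the visual data map the text describes plus a list of cases to review.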
In addition to providing a real-time view into your as-is processes, process mining can:
Setting aside regulatory specifics and looking at the big picture, GDPR can facilitate process transformations that support compliance and lead to overall greater efficiency for your company. The first step in that journey is understanding how things run and where they can be improved, and that’s where Celonis Process Mining can help.
Southard Jones is Celonis’ VP, Product Marketing. Prior to Celonis, Southard held various executive product and marketing roles at enterprise software companies in the Business Intelligence, Analytics, and Data Science market, including Domino Data Lab, Birst, Right 90, and Siebel Analytics.