Between May and July 2017, 143 million consumers were left vulnerable when hackers hit the Equifax credit bureau. Consider that number — 143 million — nearly half the population of the United States! This massive violation of personal data, including birthdates, social security numbers, and credit card information, gave rise to numerous questions: Did Equifax do enough to protect consumer data? Were consumers notified quickly enough that their data might be at risk? What will be the financial repercussions?
Equifax’s response wouldn’t have cut it under the European Union (EU) General Data Protection Regulation (GDPR). This set of rules holds companies accountable for protecting consumer data. It also requires “reasonable” measures to safeguard data, and a consumer notification window of 72 hours following a breach—not several months later. Since going into effect in May 2018, GDPR has changed not only the way companies operate, but the way they view data. The law has three core principles:
Consent: Personal data is only processed when there is a lawful basis for doing so, such as consent, a contract or another legal obligation.
Limitation: Data collection is restricted to a minimum and can only occur for specific, explicit and legitimate purposes.
Transparency: Organizations must demonstrate compliance and be able to provide people with information about how their personal data is being used.
Any business handling personal data of EU citizens is subject to GDPR, so it affects companies around the globe. Consequences for non-compliance include fines of up to 20M € or 4 percent of annual revenue (whichever is greater), not to mention the damage to a company’s brand and reputation.
Most people only view GDPR from a security perspective. It is, after all, about “data protection.” In addition to appointing data protection officers and implementing stricter policies and procedures, however, there’s a significant role big data and analytics will play in compliance. Companies need to ask themselves:
How good is our understanding of the type of personal data we’re processing?
What data do we have permission to process and for which activities?
What’s the purpose of each instance where we’re using personal data?
Can we demonstrate compliance to customers in a timely and efficient manner?
To truly answer these questions, you need full transparency into every activity impacting the processing of personal data. That entails establishing a full record of activities, mapping the business and functional processes, and reporting continuously to ensure compliance. For most large organizations, that’s a daunting task due to volume and the related complexity of manually unravelling and recording data.
Keep track: process mining helps you process personal data correctly.
Yet by tapping into the event logs of your existing IT systems, process mining technology can reconstruct the step-by-step journey your customers’ data takes through your organization. With a visual data map in hand, you can easily see if you’re operating within the law for personal data processing.
As an example, a large banking company partnered with Celonis to monitor its Master Data Management process and procedures for opening new accounts. The company could clearly see the initial data collection through an online form, and how that information was supplemented with data from credit check agencies and social media. The end-to-end visibility of the entire process revealed where any GDPR vulnerabilities might lie. In a similar fashion, for its new account process, the bank could see exactly how data was processed and used, from account opening to customer service or other subsequent activities.
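The journey reconstruction described in the two paragraphs above (grouping events by customer, ordering them in time, and checking each personal-data step against what the customer agreed to) can be illustrated with a small script. This is an added example, not Celonis code or the bank's actual process; the event log, the activity names and the consent model (consent as the only lawful basis, recorded as a list of permitted purposes on an event) are all constructed for illustration.

```python
"""Reconstruct per-customer data journeys from an event log and flag
personal-data processing steps that lack a recorded lawful basis."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log for a hypothetical account-opening process.
# Each event records: the case (customer), what happened, when, which personal
# data fields were touched, the purpose, and (where consent was captured)
# which purposes the customer agreed to.
EVENT_LOG = [
    {"case": "C1", "ts": "2018-06-01T09:00:00", "activity": "Submit online form",
     "fields": ["name", "dob", "email"], "purpose": "account_opening",
     "consent_for": ["account_opening", "credit_check"]},
    {"case": "C1", "ts": "2018-06-01T09:05:00", "activity": "Credit check",
     "fields": ["name", "dob"], "purpose": "credit_check"},
    {"case": "C1", "ts": "2018-06-01T10:00:00", "activity": "Open account",
     "fields": ["name"], "purpose": "account_opening"},
    {"case": "C2", "ts": "2018-06-02T11:00:00", "activity": "Submit online form",
     "fields": ["name", "dob", "email"], "purpose": "account_opening",
     "consent_for": ["account_opening"]},
    # Credit check runs BEFORE the customer consented to it (see 11:03 below).
    {"case": "C2", "ts": "2018-06-02T11:02:00", "activity": "Credit check",
     "fields": ["name", "dob"], "purpose": "credit_check"},
    {"case": "C2", "ts": "2018-06-02T11:03:00", "activity": "Record consent",
     "fields": [], "purpose": "account_opening", "consent_for": ["credit_check"]},
    # Enrichment from social media for a purpose never consented to.
    {"case": "C2", "ts": "2018-06-02T11:10:00", "activity": "Social media enrichment",
     "fields": ["email"], "purpose": "profiling"},
    {"case": "C2", "ts": "2018-06-02T12:00:00", "activity": "Open account",
     "fields": ["name"], "purpose": "account_opening"},
]


def traces(log):
    """Group events by case and order each case's events by timestamp."""
    by_case = defaultdict(list)
    for ev in log:
        by_case[ev["case"]].append(ev)
    for events in by_case.values():
        events.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    return dict(by_case)


def variants(log):
    """Count distinct activity sequences (process variants) across all cases."""
    return Counter(tuple(e["activity"] for e in evs) for evs in traces(log).values())


def data_map(log):
    """Map each personal-data field to the activities that touched it."""
    touched = defaultdict(set)
    for ev in log:
        for field in ev["fields"]:
            touched[field].add(ev["activity"])
    return {field: sorted(acts) for field, acts in touched.items()}


def audit(log):
    """Walk each trace in time order and flag every step that processes
    personal data for a purpose the customer had not consented to by then.
    Consent granted later does not retroactively cover an earlier step."""
    findings = []
    for case, events in traces(log).items():
        consented = set()
        for ev in events:
            consented.update(ev.get("consent_for", []))
            if ev["fields"] and ev["purpose"] not in consented:
                findings.append((case, ev["activity"], ev["purpose"]))
    return findings


if __name__ == "__main__":
    for seq, n in variants(EVENT_LOG).items():
        print(f"{n} case(s): " + " -> ".join(seq))
    for field, acts in data_map(EVENT_LOG).items():
        print(f"{field}: {', '.join(acts)}")
    for case, act, purpose in audit(EVENT_LOG):
        print(f"{case}: '{act}' used personal data for '{purpose}' without prior consent")
```

Run as-is, the script reports two process variants, shows which activities touched each field (the "data map"), and flags both of case C2's problem steps: the credit check that ran a minute before consent for it was recorded, and the profiling step that was never consented to. A real deployment would replace the hard-coded list with events extracted from the source systems and would model the other lawful bases (contract, legal obligation) alongside consent.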
In addition to providing a real-time view into your as-is processes, process mining can:
Reduce Time and Resources Spent: Automated data flow analysis removes tedium and the risk of errors, improving speed and reliability of the results.
Reduce Risk of Fines and Brand Damage: Full transparency into all processes related to personal data makes it easy to demonstrate compliance to your executive suite, board of directors, regulatory bodies and customers.
Facilitate Sustainability: Even the most clearly defined best process practices have variations, but a genuine picture of all aspects of your process flow empowers you to identify and resolve inefficiencies.
Setting aside regulatory specifics and looking at the big picture, GDPR can facilitate process transformations that support compliance and lead to overall greater efficiency for your company. The first step in that journey is understanding how things run and where they can be improved, and that’s where Celonis Process Mining can help.