Creating ‘forget’ robots may help your business avoid fines
Many businesses are scrambling to prepare for the impending May 2018 changes to the General Data Protection Regulation (GDPR). The EU is going to the next level in its attempts to protect consumers from a data privacy (DP) perspective. One area that has a lot of companies very anxious is the right to be forgotten.
As of May 2018, any consumer can request to be forgotten. The request must be complied with to avoid significant fines. Each business will need a documented process for how it will scrub or remove the personally identifiable information (PII) connected to that consumer in all its systems, if there is no legal right or obligation to retain it. This can be a daunting task, depending on how many systems and cross-system shares are in place.
This is an area where Robotic Process Automation (RPA) may be the best answer. The first step in designing a “Forget Robot” is to document the details of all the places where data is stored (RPA 101 – requirements and process documentation). If this documentation doesn’t already exist, the RPA team needs to start compiling it now to be ready for May 2018! Once you identify all the places holding personally identifiable information, you will need to work with your data protection lead and your business stakeholders to decide if specific field data can be deleted or replaced, or if you need to delete the entire record. Some companies may wish to keep a record of a sale made to a male/female, in a specific age bracket, within a specific city for example, but would not be allowed to retain the PII connected to the transaction. A robot might just replace the PII fields with “*******”. System constraints may also come into play here, with respect to how you may or may not be able to manipulate this data. In some cases you may have no choice but to delete the record. Clearly at this stage, you are designing the robot steps.
I have learned that PII fields sometimes come down to context. What other information is connected to a specific piece of data? If it is possible to derive a person’s identity through connected data, you will need to scrub the field in some manner. Your DP lead will be advising you to err on the side of caution as the fines can be significant.
The next challenge you will need to review with your DP lead is what kind of detail can be stored in the RPA logs relative to the task the “Forget Robots” carry out. The logs cannot contain any PII about the data that was just manipulated. At this stage you have moved from designing the robot steps into the process, reporting and audit log documentation.
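The steps above (inventory the systems, decide per system whether to mask fields, delete the record or retain it, then log without PII) can be sketched as follows. This is an added example, not code from the article or from any RPA product; the system names, field names, sample records and the request reference `RTBF-0001` are all constructed, and `customer_id` is assumed to be an internal key that does not identify a person on its own.

```python
import copy

MASK = "*******"  # replacement value for scrubbed PII fields
# Constructed inventory: "mask" overwrites PII fields, "delete" removes the whole
# record (system cannot edit fields), "retain" marks a legal obligation to keep it.
INVENTORY = {
    "crm":      {"action": "mask",   "pii": ["name", "email"]},
    "orders":   {"action": "mask",   "pii": ["name", "street"]},
    "helpdesk": {"action": "delete", "pii": ["email"]},
    "invoices": {"action": "retain", "pii": ["name"]},
}
# Constructed sample data; customer_id is assumed to be an internal key.
SYSTEMS = {
    "crm": [{"customer_id": 17, "name": "Ada Example", "email": "ada@example.test", "city": "Leeds"},
            {"customer_id": 18, "name": "Bob Sample", "email": "bob@example.test", "city": "York"}],
    "orders": [{"customer_id": 17, "name": "Ada Example", "street": "1 Test Road", "age_bracket": "30-39"}],
    "helpdesk": [{"customer_id": 17, "email": "ada@example.test"}, {"customer_id": 18, "email": "bob@example.test"}],
    "invoices": [{"customer_id": 17, "name": "Ada Example", "amount": 42}],
}

def forget(systems, inventory, customer_id, request_id):
    """Scrub one customer from every system; return a PII-free audit log."""
    audit = []
    for system, policy in inventory.items():
        action, records = policy["action"], systems[system]
        hits = [r for r in records if r["customer_id"] == customer_id]
        if action == "mask":
            for rec in hits:
                rec.update({f: MASK for f in policy["pii"] if f in rec})
        elif action == "delete":
            records[:] = [r for r in records if r["customer_id"] != customer_id]
        elif action != "retain":
            raise ValueError(f"unknown action {action!r} for {system}")
        # Log request reference, system, action and a count only: no key, no values.
        audit.append({"request": request_id, "system": system,
                      "action": action, "records": len(hits)})
    return audit

def leaked_values(audit, systems, inventory, customer_id):
    """Original PII values of the customer that appear in the audit log."""
    text = repr(audit)
    return sorted({str(r[f]) for s, p in inventory.items() for r in systems[s]
                   if r["customer_id"] == customer_id
                   for f in p["pii"] if f in r and str(r[f]) in text})

def run_demo():
    systems = copy.deepcopy(SYSTEMS)  # keep the originals for the leak check
    audit = forget(systems, INVENTORY, 17, "RTBF-0001")
    return systems, audit, leaked_values(audit, SYSTEMS, INVENTORY, 17)
```

Running `leaked_values` against the pre-scrub data is the check to keep in the robot's test suite: it fails as soon as someone adds a field value or the customer's name to a log line.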
In some companies, there may not be resources available to carry out the right to be forgotten tasks. Based on the nature of the task, it is primed for RPA, which adds a further degree of risk mitigation for your company as the robot will never miss a step or make a mistake. Your data privacy team likely has budget already, as most companies are anticipating that new processes and controls will be required. This is your chance to show initiative, mitigate risk and save on costs by promoting “Forget Robots” to your organisation.