6 steps to GDPR compliance
A lot can happen in two years. By 2018 we are expected to have witnessed the first human head transplant, Adobe Flash is predicted to be no more, the UK may or may not have left the EU and the flow of data into organisations will have increased by as much as five-fold, according to IDC.
Another significant development due in 2018 is the deadline for meeting new regulations around the treatment of personally identifiable information (PII). When combined with expected volumes in data growth, this could have huge implications for any business which processes personal data.
Earlier this year, the European Parliament passed the final vote on its new General Data Protection Regulation (GDPR), which is designed to protect personal information in an increasingly digital world. While the new laws won’t be enforced for another two years, it is a relatively short period of time considering that businesses will need to assess the new requirements, evaluate existing measures and plan a path to full compliance.
To help businesses understand the impact of the GDPR on their information management processes and where it fits within the wider regulatory landscape, here are six key steps to getting records GDPR-ready.
What is GDPR?
Designed to protect personal information in an increasingly digital world, the GDPR is by far the largest shake-up of data protection rules so far this century. It includes more than 50 Articles that have far-reaching implications for organisations and their use and storage of personal data. In essence, the legislation protects the right of a European citizen to determine whether, when, how and to whom his or her personal information is revealed and how it can be used.
The advice of the Information Commissioners Office is that businesses need to start planning their approach to GDPR compliance as early as they can. The problem is that many businesses across Europe remain unaware of how the changes will affect them and the impact they have.
There are a number of important steps you can take now to help your organisation identify where PII resides and understand your obligations towards managing it. With the prospect of multi-million Euro fines for non-compliance, can you afford to wait?
Step 1 – What is personal data and do I have it?
The first step in deciding which parts of the new legislation will apply to your organisation is understanding what is meant by personal data. The definition of ‘personal data’ in the context of the new regulation is data relating to a ‘data subject’ (a person) who can be directly or indirectly identified on the basis of that data. Such data also includes device identifiers, cookies or IP addresses. This means that, under the GDPR, data controllers within organisations should be aware of all personal data under their control and able to demonstrate that they understand the potential risks to information, as well as how to mitigate those risks.
Step 2 – Does GDPR apply to me?
Next, it is important to have an understanding of the key terminology included in the GDPR in order to know whether it is relevant to your organisation. As well as ‘personal data’, key terms to understand include ‘territorial scope’, ‘data subject access requests’, ‘data protection impact assessment (DPIA)’, ‘the right to erasure’, ‘data portability’ and ‘consent’. For further information on these, go to our knowledge centre, or find the glossary of terms on eugdpr.org.
Step 3 – Where does data live within my organisation?
In order to meet your statutory obligations, you first need to know where personal data lives. A detailed analysis of the data stored on corporate systems, employees’ personal devices, offsite archives and filing cabinets, as well as information stored by suppliers, subcontractors and business partners (people who process personal data on your behalf) will be required to give you the full picture.
Step 4 – Develop a data map and classify every piece of information
Following this analysis, we recommend creating a data map which provides a 360 degree view of all physical and digital information, including personal data, stored across an organisation. The data map is an important tool to ensure that you can quickly locate, assess and monitor all information on an ongoing basis.
Step 5 – Review and update existing policies
Once you know where your information is, you need to know what you can do with it and how long you are permitted to keep it. This requires making sure that your retention policies are up to date, reflecting legal, regulatory or contractual obligations so that you are only keeping what you should and that you’re destroying personal data (and all other records) when you are required to in a defensible way.
Step 6 – Maintain awareness and responsiveness
Finally, it is important to make sure that the business as a whole is aware of its obligations. Information passes through the hands of employees, contractors and suppliers, so all parties must understand and comply with the same retention policies. Just as regulations change and impose new obligations on organisations over time, your retention policies should remain dynamic and responsive, adaptable to evolving business and regulatory landscapes.
Organisations across Europe have long been familiar with the need to ensure that they store personal data according to the latest regulatory requirements. The introduction of the GDPR, however, and associated penalties for non-compliance – which could result in fines of up to four percent of annual world group turnover or EUR 20 million – means that it has now become critical to get data retention right.
Following these six steps is the starting point for avoiding the wrath of the regulators. Failure to act now will leave you rushing to catch up at a time when a mistake or oversight may be punishable by law and could cost your organisation dearly.
By Gavin Siggers, Director of Professional Services, Iron Mountain
Read the August 2016 issue of Business Review Europe magazine.
Automation of repetitive tasks leads to higher value work
Two-thirds of global office workers feel they are constantly doing the same tasks over and over again. That’s according to a new study (2021 Office Worker Survey) from automation software company UiPath.
Whether emailing, inputting data, or scheduling calls and meetings, the majority of those surveyed said they waste on average four and a half hours a week on time-consuming tasks that they think could be automated.
Not only is the undertaking of such repetitious and mundane tasks a waste of time for employees, and therefore for businesses, but it can also have a negative impact on employees’ motivation and productivity. And the research backs this up with more than half (58%) of those surveyed saying that undertaking such repetitive tasks doesn’t allow them to be as creative as they’d like to be.
“When repetitive, unrewarding tasks are handled by people, it takes time and this can cause delays and reduce both employee and customer satisfaction,” Gavin Mee, Managing Director of UiPath Northern Europe tells Business Chief. “Repetitive tasks can also be tedious, which often leads to stress and an increased likelihood to leave a job.”
And these tasks exist at all levels within an organisation, right up to executive level, where there are “small daily tasks that can be automated, such as scheduling, logging onto systems and creating reports”, adds Mee.
Automation can free employees to focus on higher value work
By automating some or all of these repetitive tasks, employees at whatever level of the organisation are freed up to focus on meaningful work that is creative, collaborative and strategic, something that will not only help them feel more engaged, but also benefit the organisation.
“Automation can free people to do more engaging, rewarding and higher value work,” says Mee, highlighting that 68% of global workers believe automation will make them more productive and 60% of executives agree that automation will enable people to focus on more strategic work. “Importantly, 57% of executives also say that automation increases employee engagement, all important factors to achieving business objectives.”
These aren’t the only benefits, however. One of the problems with employees doing some of these repetitive tasks manually is that “people are fallible and make mistakes”, says Mee, whereas automation boosts accuracy and reduces manual errors by 57%, according to Forrester Research. Compliance is also improved, according to 92% of global organisations.
Repetitive tasks that can be automated
Any repetitive process can be automated, Mee explains, from paying invoices to dealing with enquiries, or authorising documents and managing insurance claims. “The process will vary from business to business, but office workers have identified and created software robots to assist with thousands of common tasks they want automated.”
These include inputting data or creating data sets, a time-consuming task that 59% of those surveyed globally said was the task they would most like to automate, with scheduling of calls and meetings (57%) and sending template or reminder emails (60%) also top of the automation list. Far fewer believed, however, that tasks such as liaising with their team or customers could be automated, illustrating the higher value of such tasks.
“By employing software robots to undertake such tasks, they can be handled much more quickly,” adds Mee pointing to OTP Bank Romania, which during the pandemic used an automation to process requests to postpone bank loan instalments. “This reduced the processing time of a single request from 10 minutes to 20 seconds, allowing the bank to cope with a 125% increase in the number of calls received by call centre agents.”
Mee says: “Automation accelerates digital transformation, according to 63% of global executives. It also drives major cost savings and improves business metrics, and because software robots can ramp-up quickly to meet spikes in demand, it improves resilience.
Five business areas that can be automated
Mee outlines five business areas where automation can really make a difference.
- Contact centres Whether a customer seeks help online, in-store or with an agent, the entire customer service journey can be automated – from initial interaction to reaching a satisfying outcome
- Finance and accounting Automation enables firms to manage tasks such as invoice processing, ensuring accuracy and preventing mistakes
- Human resources Automations can be used across the HR team to manage things like payroll, assessing job candidates, and on-boarding
- IT IT teams are often swamped in daily activity like on-boarding or off-boarding employees. Deploying virtual machines, provisioning, configuring, and maintaining infrastructure. These tasks are ideal for automation
- Legal There are many important administrative tasks undertaken by legal teams that can be automated. Often, legal professionals are creating their own robots to help them manage this work. In legal and compliance processes, that means attorneys and paralegals can respond more quickly to increasing demands from clients and internal stakeholders. Robots don’t store data, and the data they use is encrypted in transit and at rest, which improves risk profiling and compliance.
“To embark on an automation journey, organisations need to create a Centre of Excellence in which technical expertise is fostered,” explains Mee. “This group of experts can begin automating processes quickly to show return on investment and gain buy-in. This effort leads to greater interest from within the organisation, which often kick-starts a strategic focus on embedding automation.”