Under European Union regulations that go into effect in May 2018, businesses need to implement a variety of controls and monitoring for data privacy. They also need to give customers an easy way to see what information the business holds about them, a way to correct that information, and a way to delete that data (sometimes known as the “right to be forgotten”). The General Data Protection Regulation (GDPR) will make the EU’s already-strong personal privacy protections even stronger. It’s a detailed set of rules, and businesses failing to follow them can be subject to huge fines and penalties.
Those regulations — which apply to every business processing data relating to EU residents or customers, whether the business is located in the EU or not — offer an excellent example of how workflow platforms can assist with thorny problems.
A number of cloud services, on-premises software, and data stores will certainly be adding increased auditability and authorization features, but leaving it at that would make every single worker’s life much more complicated, and risk-laden, than it is today. That’s because a great number – perhaps the majority – of business interactions involve multiple pieces of software, services, and content.
Companies have two choices: (1) lots of training and policy manuals that tell employees where to go and what to do as they rummage through customer data, or (2) automated processes that work with that data in a manner compliant with policies and law, which users simply run.
We obviously advocate the second approach. Without workflow, compliance with multiple aspects of GDPR can be a nightmare of employee training, and time-consuming to handle. And again, if only one employee takes a shortcut or makes a mistake, those EU fines loom into view.
On the other hand, if a company leverages a workflow platform, GDPR compliance can be inexpensive, accurate, and repeatable. What’s more, a properly designed and coded workflow can be amended without requiring extensive employee retraining.
A Typical Scenario
A citizen of Portugal, João Lopes, contacts your business to ask what information you have about him. Perhaps that query comes in via a phone call, an email, or an online form. How are you going to find all that data?
For a small business, there may be a single customer database. For larger corporations, there are many potential data sources held not only by all your divisions and subsidiaries, but also your partners and contractors. That data may contain different spellings of João’s name (such as Joao), some with his middle name, some with different addresses. There are customer records, billing records, shipping records, social media tracking data, ad impression data, opt-ins, opt-outs. There’s data about his education, his income bracket, his favorite color, his political preferences, his favorite newspaper, his shirt size, whether he owns a Blu-ray player, his wife’s name, his wife’s favorite football team, his son’s age, his son’s favorite football team.
The data is not clean, it’s not in sync — there is no single source of truth. In the past, there’s been no ROI in correcting the discrepancies across hundreds of data sources. You’ve learned to live with it. However, under GDPR, you need to find all João’s data — and it makes sense to normalize his records in the process.
One approach to describing the proper procedure for retrieving João’s data would be to do an exhaustive research project to find all the data sources, and explain how to address them. You could then print those procedures in a 3-ring binder or a PDF – and hope that every employee who might be handling these requests will follow those processes to the letter. If a flaw is found in the procedures, you’ll need to update those manuals and retrain your employees.
What I’m describing sounds like a workflow. Why teach employees how to find the GDPR-mandated data, and then hope they execute it flawlessly? Why not have them submit a form, and let a workflow fetch data from all of those places and gather it together? Why not automatically generate a document containing all of this that you can give João? The workflow won’t forget a step, and will always log what happened in case there are regulatory audits.
Similarly, workflows can be used to identify data discrepancies, and then follow proper policies for fixing them. In some cases, those can be handled algorithmically (such as using the physical address specified in João’s most recent transaction); in others, it might be best to ask João to help correct the information, or give him the mandated option to delete it.
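The access-request workflow described above, as an added example that is not from the original article or from any workflow product: it searches every source with a case- and diacritic-insensitive name match, resolves conflicting addresses by most recent transaction, and logs each step for audit. The source names, record fields and sample records are constructed, and name-only matching is a simplification, so hits are candidates to confirm against a verified identifier before anything is disclosed.

```python
import unicodedata
from datetime import date

def fold(name):
    """Case- and diacritic-insensitive key, so 'João' and 'JOAO' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())

def same_person(requested, stored):
    """Compare first and last name tokens so a stored middle name is tolerated."""
    a, b = fold(requested).split(), fold(stored).split()
    return bool(a and b) and a[0] == b[0] and a[-1] == b[-1]

# Constructed sample data standing in for separate systems of record.
SOURCES = {
    "crm": [{"name": "João Lopes", "address": "Rua A 1, Lisboa",
             "last_transaction": date(2016, 3, 1)}],
    "billing": [{"name": "Joao M. Lopes", "address": "Rua B 22, Porto",
                 "last_transaction": date(2017, 11, 5)},
                {"name": "Joana Lopes", "address": "Rua C 3, Faro",
                 "last_transaction": date(2017, 1, 9)}],
    "shipping": [{"name": "JOAO LOPES", "address": "Rua A 1, Lisboa",
                  "last_transaction": date(2015, 6, 30)}],
}

def run_access_request(requested_name, sources):
    """Search every source, gather candidate records, resolve the address,
    and record each step so the run can be shown to an auditor."""
    audit, matches = [], []
    for source, records in sorted(sources.items()):
        hits = [r for r in records if same_person(requested_name, r["name"])]
        audit.append({"step": "search", "source": source, "hits": len(hits)})
        matches += [dict(r, source=source) for r in hits]
    addresses = {m["address"] for m in matches}
    # Policy from the text: prefer the address on the most recent transaction.
    newest = max(matches, key=lambda m: m["last_transaction"], default=None)
    resolved = newest["address"] if newest else None
    audit.append({"step": "resolve_address", "conflict": len(addresses) > 1,
                  "chosen": resolved})
    return {"records": matches, "address": resolved, "audit": audit}

if __name__ == "__main__":
    report = run_access_request("João Lopes", SOURCES)
    for entry in report["audit"]:
        print(entry)
```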
This Is Bigger Than The GDPR
Many things the GDPR either explicitly or de facto mandates are things we ought to do anyway. How many of us have been angered by data inconsistencies in our service providers, such as when the information in our airline’s frequent flier database doesn’t exactly match that on our driver’s license, which doesn’t exactly match that in our passport? Fixing these problems is an exercise in patience, and can take many frustrating hours on the phone, or faxing copies of documents.
It would be wonderful if companies had a single database, a single reference point. We all know that it can’t work that way for things like performance, complexity, history (e.g., multiple customer databases after a merger of two companies), and security/compliance. It won’t happen. We’ll need to keep doing things like storing information about our German customers in Germany and Canadian customers in Canada. We’ll want to keep customer data in Salesforce and accounts receivable data in SAP.
We can train our way out of this, code our way out of this, or rely on workflow processes to handle it for us. Only the workflow route both reduces risk and allows for easy changes as businesses add content, change policies, etc. It’s also likely to be the least costly in the long run.
Integrating a workflow automation platform into your technology system can help ensure that policies are not only in place but actually followed as they should be. With an automated workflow, businesses can ensure that all steps are followed and that only the information that needs to be shared with workers or external resources is shared with that audience.
That’s the case with GDPR as well. The new regulations are coming; it’s time to prepare your processes and supporting software solutions to address the requirements.
About Mike Fitzmaurice
Mike Fitzmaurice is the Vice President of Workflow Technology for Nintex, the world leader in workflow and content automation, and is its subject matter expert and chief spokesperson for workflow, business transformation, and technology matters.