Governing Security with GDPR: The RPA Perspective
The numbers are staggering. Since 2005, more than 1 billion consumer records have been breached in 7,800 separate instances. Equifax, Target, and Neiman Marcus were the most prominent in 2017.
Gartner blogger and analyst Avivah Litan predicts that the stolen information may be: 1) sold and resold underground; 2) used to update existing identity records; 3) used to take over existing bank accounts, brokerage accounts, and phone service accounts; and 4) used by adversarial nation states to disrupt or steal from U.S.
All these have very serious consequences for individuals affected and the overall society, and the damages are very hard to quantify. That’s where the General Data Protection Regulation (GDPR) steps in to protect the rights of consumers by providing them with more control over who has access to their personal information and hold corporations accountable for how they collect and process information.
What is the GDPR?
The GDPR (EU) 2016/679 is a regulation on data protection and privacy for all individuals within the European Union. It is the latest in the series of regulations to formalize governance around security; PCI, FISMA, FCPA, HIPAA and other more formal standards precede it. Besides strengthening consumer rights, the GDPR begins to formalize security standards that companies must put in place to protect consumer data.
All European organizations, as well as non-European organizations collecting data pertaining to EU citizens, are expected to be GDPR-compliant. The new GDPR guidelines regulate the processing, storage, usage, and deletion of personal data. In line with the GDPR, data subjects must be given access to their own personal data, as well as real-time information about its use, upon request. Any breach that compromises an individual’s personal data must be reported to the appropriate supervisory authority.
The GDPR requires that enterprises take significant measures to protect consumer information. All enterprise software vendors are re-evaluating how they store and manage sensitive data. As the leading Robotic Process Automation platform, Automation Anywhere provides the most comprehensive set of security features in the industry, including:
- Encryption of data at rest, data in motion, and data in memory
- Static and dynamic analysis of code, and manual pen testing to ensure high application security. Code security can be measured using industry standard security scores. Automation Anywhere Enterprise is Veracode Level 5 (VL5) certified.
- A built-in or third-party credential security framework, like CyberArk, to ensure secure storage and management of user credentials. User credentials for mission critical applications should never be stored on the same machine that runs the software.
- Granular application of role-based access control (RBAC) across all functions. Separation of duties and independent processing domains implemented with RBAC support isolation and protection of data.
- Integration with enterprise-based authentication systems based on SAML 2.0 and single sign-on (SSO)
- Secure operations to ensure data is not exposed to threats during the execution of business process
- Detailed audit logs to support any audit process and forensic analysis
Robotic Process Automation (RPA) platforms touch many enterprise resource planning (ERP) tools and a massive amount of data in your organization. If you are using or considering RPA platforms, follow up regarding the security controls for GDPR environments with your vendor.
How can RPA help you implement the GDPR?
If you are currently relying on manual processing to handle customer data, any human errors could affect your company’s compliance. Regardless of how careful you are, there is always room for error, and your company is never entirely safe from non-compliance. RPA helps you automate the processes defined by your legal and business teams to be GDPR-compliant. Here are some ways Automation Anywhere customers are using bots to help them with compliance:
1. Document all data your company holds
With all the data collected from sensors, Internet of Things (IoT) devices, and office systems, an organization must be able to document all the data it holds, where it came from, and how it uses that data. Organizations must always be able to submit up-to-date reports to the data protection authority. When it comes to personal data, the GDPR requires companies to purge it once the defined holding period has been reached.
Here’s where RPA can help. Bots are employed to automate the process of masking personally identifiable information (PII) data across applications. Natural language processing (NLP) enables bots to recognize PII data that does not meet an established policy and generate alerts to intercept the issue.
2. Right to be informed
Under GDPR regulations, European customers can request to receive insights about how their personal data is used and stored within an organization. Done manually, this would require a team of people to navigate through all the company’s relevant documents to gather this information. Bots can automatically navigate through different systems, pull the relevant data and email a report back to the consumer.
3. Right to be forgotten
Under GDPR regulations, individuals have the right to have their personal information deleted promptly upon request. Without process automation in place, this requirement alone will require the IT staff to manually access and delete data from an average of fifty different applications. Bots can be orchestrated to delete customer information as soon as a request is received and validated.
4. Data breach
The GDPR mandates that in the event of a data breach, those affected need to be informed within 72 hours of the event. In the case of large breaches, such as with Equifax, where 143 million people were involved, notifying all the parties within 72 hours can be an enormous challenge. It is easy to orchestrate software robots to perform the job to ensure that the procedure is handled within the mandated time frame.
5. Audit logs
Enterprise RPA platforms are equipped with audit logs that monitor all operational processes, logging users and events at every stage of the process. In the event of a data breach, audit logs enable rapid root cause analysis, providing timely forensic analysis to identify and report a breach. Content relevant to a specific internal or external event can be aggregated in real time. This is especially useful if an organization needs to investigate fraudulent activity.
6. And what about the data you can’t see?
Hidden data is tucked away in legacy systems that are more than a decade old. While data might be accessed from this system from time to time, it’s now more important than ever to uncover customer data that is lurking in the shadows. RPA is the easiest way to integrate these legacy systems with your current technology platforms, and document available data that may cause you to be non-compliant.
As companies dissect and understand the regulation, there are fears that the GDPR’s enhanced rights of data subject could prompt a flood of requests that result in costly administration. Responses to GDPR requests are likely to be limited to a small number of clearly defined processes — making it a perfect platform for RPA.
The Automation Anywhere RPA platform improves control and oversight, as well as reduces costs and effort in implementing different aspects of the GDPR and other data standards that are expected to follow. With RPA, GDPR compliance becomes a non-issue.