Blog | Aug 13, 2019

RPA and DSAR Management – Things just got serious!


With the emergence of hugely punitive data breach fines over the last few weeks with British Airways being the first to be fined at £183 million; to be followed in quick succession by Marriott Hotels group at $124 million; to then be dwarfed by the FTC imposed fine against Facebook at $5 billion; to be quickly followed by Equifax with fine of $700 million as well as various executives already having gone to prison for insider trading, it’s safe to say that things have just got incredibly serious.

It is now imperative that every organization large, medium or small secure their infrastructure. Govern all data, but especially personal data incredibly well. Ensure that all personal data remains private and protects against every adverse activity possible, especially with the recent news at CapitalOne that a single disgruntled employee released 106 million personal records into the outside world.

But I hear you all asking, “What has any of this got to do with Robotic Process Automation?” and that is an incredibly important question.

If we go back to the simple basis of most of the recently published data protection legislation, there are a few fundamental questions that every organization needs to be able to answer:

  1. What personally identifiable data does your organization hold about clients, employees, suppliers, partners, contractors, patients, citizens, students etc etc?
  2. Where did that personally identifiable data come from?
  3. Where is that personally identifiable data stored?
  4. Who do you share that personally identifiable data with?
  5. How do you use that personally identifiable data?
  6. Do you have permission to hold and process that data?

Every organization should be able to answer these six simple questions, and should the worst happen be able to stand in a court law and explain that they have done everything in their power to protect that personally identifiable data.

The problem is that very few organizations have done enough preparation to be able to answer any of these questions, let alone secure their boundaries to prevent a data breach happening in the first place, as all the organizations listed above can testify. But please don’t be under any illusion - these organizations really are just the tip of a colossal iceberg which yours or any other organization could strike at any moment.

The main challenge with the six simple questions is that they are excruciatingly difficult to answer, and human beings are notoriously poor at undertaking the required analysis to even attempt to answer them. In addition to this, human employees are prone to getting distracted, making mistakes and wanting lunch or to go home mid-way through the process. That’s assuming you have the spare manpower with the requisite skills available to do the work in the first place, which very few organizations do.

So perhaps it's time to engage a digital workforce, a community of robots that never tire, never make mistakes, can follow lineage through systems to find every item of personally identifiable data no matter where its buried, at whatever level of completeness, accuracy and quality. To a level that no human could ever attain.

In its simplest form, every piece of data protection legislation now empowers the data subject (the person whose data you are holding) to own their own data. The data is NOT OWNED BY YOUR ORGANIZATION, rather it’s owned by the person – The data subject.

The truth is that this ownership by the data subject existed prior to the most recent rounds of data protection legislation, but very few people knew, and even fewer exercised their rights. But under current legislation, the data subject has rights of access, explanation, correction, reprocessing, re-profiling and erasure, to name a few.

So, it doesn’t matter whether your have been breached or not, any living person can place a Data Subject Access Request (DSAR) on your business at any time and under GDPR in the European Union you are required to provide complete and accurate information within 30 days of the request being made. The DSAR process is absolutely free and the data subject can make DSAR requests with reasonable frequency. So, any disgruntled ex-employee or dissatisfied customer can make regular requests – and they are doing it!

The question is “Can your organization manage this process, without huge disruption to regular business activities, to the required level of accuracy, in the time allowed?”

Now assuming that you haven’t had a massive data breach in the last 12 months which has required you to deploy the relevant technology, and you don’t have unlimited resources at your disposal, then it might be an appropriate time to consider deploying digital workers to crawl across your network to answer the six critical questions. Once you’ve answered them, finding the personal data on one or maybe multiple data subjects who may raise a DSAR request would be incredibly easy and achieved in a matter of minutes, leaving you the rest of the 30 days to get on with running your company.

In the simplest terms - robots are faster and more accurate than human beings at doing mundane repetitive activities. RPA and DSAR Management was a true marriage made in heaven. So, it doesn’t matter how serious things have become, it really is time to let the robots do what they’re good at!