Tag Archives: Automation

Mitigate, Automate, or Litigate?

Like an ageing boxer, the UK’s Data Protection Act 1998 is set to be eclipsed by a new heavyweight that warming up and ready to enter the ring some six months from now. Bigger, tougher, and up for the challenge, few can doubt GDPR is set to pull a good many punches and, possibly deliver numerous knockouts. If only a portion five thousand or so “issues of concern” the UK’s Information Commissioner’s Office (ICO) receives in a year were to metamorphose into valid breaches, there could be many red faces and blooded noses in firms large and small.

It’s important to remember GDPR is not just an IT thing; incidents such as disclosure of confidential information from the miss-directed documents in the post, irrespective of the cause, constitute a data breach and can result in punitive fines for company directors. GDPR requires a holistic approach from data controllers and processors to the range of risks facing data subjects face.

With the ICO now under the leadership of Canadian, Elizabeth Denham, a veritable grand master of Privacy, the risk of litigation with this body is not for the faint hearted, as a leading UK telecoms provider will vouch. The lessons learned from an October 2015 cyber-attack have resulted in a sea-change in a certain organisations approach to security of data, systems and processes, but at a cost. The ICO’s in-depth investigation found that the attack on the company could have been prevented if the said telco had taken basic steps to protect customers’ information. Along with a growing number of other notable household names, the firm has made significant progress transforming its data security and working process practices through the adoption of BPM methods.

Given the clear direction of Ms Denham and the growing number of “tools” available to the ICO to act on the consequences of breaches – whether by human or systems failings, or wilfully nefarious acts by criminals, failed litigation with it would likely come dire consequences for the board of any organisation. The October 2015 incident saw the firms CEO walk the plank not because of the £400k penalty the ICO imposed but due to the mass exodus of customers and reaction of the stock market. GDPR leaves no room for the apparent ambivalence in some quarters.

For all organisation touched by GDPR, mitigation is now the watch-word if “litigation” in any way, shape or form is to be avoided. All Data Protection policies must be updated in line with the GDPR guidelines and demonstrably enforced. But, in preparing for GDPR, there is a point at which all but the smallest firms will have to cross the Rubicon as the tasks required to effectively integrate GDPR into the working fabric and IT systems become more involved. The diversity of tasks to be addresses means there is no universal out-of-the-box solution.

A major task from the outset is ‘Gap Analysis’. This is the process of identifying where current processes and policies contribute to GDPR compliance or equally, where they create risks of breaches. In either case, risks must be catalogued. At this point, firms may wish to rethink how they document their standard operating procedures (SOPs), the majority of which still exist in written form. Business Process Mapping, a fairly static view of what/who/how and when has been eclipsed by Business Process Modelling best described flowcharts with the intelligence of spreadsheets and databases.

In brief, between now and 25 May 2018 we must align many of current operational processes to ensure compliance in a GDPR world. Experience shows that behind any one visible process there is a hierarchy of related and interconnected processes. Text-based procedural documents are best replaced with smart business process models to deliver insight and help reduce risk. With this Rubicon crossed, firms can move on to defining GDPR business processes ideally, automating them.

With resources, requirements, and risks documented in a process landscape (using BPMN, the now de facto standard for business process mapping), implementation, whether manual or automated can be easily audited and compliance confirmed. Making this a part of GDPR will not only help firms achieve compliance but will highlight any need for changes to information systems. Organisations currently taking a process centric approach to GDPR report significant benefits from more systematic mitigation of risks and the ability to sustain both updates and control of the compliance landscape.

By May 25th 2018 many new obligations and capabilities to fulfil them must in place ranging from consent management, requests about information held on the data subject, the Right To Access and Right To Be Forgotten (to name but a few). Without automation, the resultant workload may be outside of the resources and capability of many of the best-intended organisations.

With significant penalties for late responses to information requests such as the GDPR “Right To Be Forgotten”, there is speculation in some quarters that unscrupulous firms are preparing to emulate the claims bonanza now underway in the PPI miss-selling fiasco. If organisations are to mitigate the risks from what might turn into a gold rush on potential bonanza then automation of what would otherwise be human workflows is critical. Given the potential complexity to deliver a technology solution between now and May 25th, it would be reasonable to forecast many firms may be taken to the cleaners unless they recruit the required staff to respond manually (and within the defined time limits). Connecting new generation workflow tools to existing data systems, now possible from BPM solutions such as iGrafx, enables a rapid response to such requirements.

To find out what GDPR compliance could look like, and how leading organisations are transforming their approach and creating value from GDPR, contact iGx Solutions on (UK +44) 0844 576 3306 or contact the author of this post trevor.morton@igxsolutions.co.uk

GDPR – What could Compliance look like?

Despite the risk of unprecedented financial penalties from failures to demonstrate compliance, there remains some ambivalence to the impending dateline for GDRP compliance and the implications of the work needed. In stark contrast to some pessimistic views of GDPR, a growing number of progressive organisations are set on turning GDPR to their advantage going beyond compliance alone.

GDPR in no way resembles past initiatives such as Quality, where doing the very minimum to get through certification was, for many, preferable. Simply approaching GDPR as a documentation exercise will not suffice. The ability to systematically prove compliance and to be equally proactive in avoidance and elimination of potential data breaches requires deep knowledge of an organisation system and processes at a blue-print level.

Whilst GDPR guidelines make frequent reference to the need to document systems and organisational procedures, it makes no specific recommendation as to the medium to use, the options being textual documentation or graphical flowcharts. At this stage, lessons can learned from some of the more progressive companies that have pursued transformational initiatives such as ISO 9000, Six Sigma and Lean. Here, process models, information rich versions of flowcharts, with performance metrics, dynamic links – both up and down as well as across or processes hierarchies, plus hyperlinks where needed to external documents and data, have created new degrees of clarity and insight as to how businesses actually operate The new levels of transparency process models create go beyond the realms of textual documentation or conventional one-dimensional ‘flat’ flowcharts. With risks, roles, responsibilities and more besides stored in a live database either in the modelling tool (or Business Process Management suite (BPMS), process maps become dynamic models creating new levels of visibility and insight, eg: are we compliant?

GDPR is not about simply mapping the ‘as-is’ but about the need to create, validate, and promote adherence to secure processes, that ensure compliance as prescribed by the UK’s ICO. Process models using industry standard notation methods such as BPMN are essential, providing clarity for process users and the potential for process execution by IT systems. At all costs, avoid complex tools and methods which reduce adoption and success in the business.

In the event of a breech occurring, there must be planned and coordinated response that sees personnel, under the direction of the nominated DPO (Data Protection Officer), expediting a sequence of tasks to, where possible, rapidly mitigate the effects of a breech and in very short time, inform the ICO.

The management of risks, the Achilles Heel of data protection, should not and need not exist in a separate technology siloes. All employees need to be aware of risks, their likely and potential impact and the required steps they must take to ameliorate them. Current generation BPM suites connect risk registers with live processes whilst keeping responsible managers informed and alert, ready to react in a timely manner.

With the May 2018 GDPR date looming, any and every recognisable organisation that qualifies as a data owner or processer and having to become GDPR compliant, there is likely to be a significant spike in demand for either changes to existing systems or new IT functionality to create or improve the management of data. It is reasonable to say many IT departments and software vendors may struggle with the demand. For those organisations at the forefront of GDPR taking a process-centric approach using a business process management suite (BPMS), the ability to rapidly turn process models into functioning and executable processes creates new levels of agility and efficiency.

To find out what GDPR compliance could look like, and how leading organisations are transforming their approach and creating value from GDPR, contact iGx Solutions on 0844 576 3306

About the author – Trevor Morton is a member of the iGx Solution teams with over 15 years experience of BPM (Business Process Management).