On 14 April 2016, the European Union (EU) approved the General Data Protection Regulation (GDPR), making it a law to replace the data protection directive 95/46/EC. The objective of developing a new privacy law was to harmonize data privacy laws across Europe, protect and empower all EU citizens of their data privacy and reshape the way organizations across the world approach privacy.
GDPR applies to all organizations involved in processing data of EU citizens anywhere in the world. Non- compliance with the regulation may result in fines up to €20 million, or 4 percent of overall global revenue of organizations processing personal data of EU citizens.
The GDPR, which came into force on 28 May 2018, is seen by many businesses as an obstacle to their smooth functioning. With organizational data having multiple entry points, data flowing from one process to another, data processing through various applications, and data stored across various databases, important question organizations face is a means to ascertain where personal data resides within their system.
GDPR: Implementation roadblocks
According to a survey conducted by crowd research partners in April 2018, it was projected that almost 60% organizations were at risk of missing the deadline for GDPR implementation. As part of the survey, organizations highlighted the following as the primary challenges for complying with the regulations:
The survey also highlighted that almost 56% of respondents expected their organization's data governance budget to increase in order to deal with the GDPR challenges.
GDPR has forced data privacy officers/ information security officers and boards of various organizations to redefine their data privacy strategy and to comply with the requirements of the regulation. Its adoption has become the biggest challenge for a majority of organizations, with effective implementation of controls and adherence being the major roadblocks. Organizations need to understand and track how personal data is being collected, processed, and stored.
GDPR has introduced certain key aspects, which organizations will have to consider while defining their implementation strategy. In most cases, organizations will have to perform the entire process of reaching out to respective business processes manually, and understand from them the various sources from where personal data gets collected. The process of gathering this information will be repetitive and will involve additional work-force and time to perform.
Automation to the rescue
How is it then that organizations can overcome this manual activity and in turn save time and workforce involvement? The solution to this seemingly daunting task lies in automating the manual processes that integrate with organization business processes, systems, and provides a deep dive view of all data and storage points.
Wipro has been successfully developing models and strategies for clients to reduce their operational cost and workforce, with its Enterprise Operations Transformation framework. Robotic Process Automation (RPA) is a major lever of the EOT framework and is capable of handling high-volume, repeatable tasks. RPA can assist clients to automate their GDPR journey by managing several critical aspects to comply with GDPR requirements such as:
1. Personal Information Management
A third-party application can be integrated with RPA solution for customer correspondence and consent management.
3. Breach notification
Notify data subject of data breach within 72 hours in case any breach has been noted.
GDPR compliance through SAIX
At Wipro, we understand the challenges that organizations face while adhering to GDPR and are committed to transforming our clients’ GDPR compliance journey by automating the most complex tasks of data inventory management, consent management, data portability request, and data breach monitoring through our framework.
As part of our transformation offering, we rely on “SAIX” model for defining solutions for our clients. “SAIX” stands for:
Here is how the SAIX model aligns with the GDPR compliance automation (Figure1).
Wipro’s 4 phase approach
Wipro can help its customers automate their GDPR compliance journey in four phases:
Figure1: SAIX model alignment with the GDPR
Automation for GDPR compliance will help organizations:
Vinit Sinha - Associate Vice President – Compliance-as-a -Service, Wipro Limited
Vinit is an information security, data privacy and cybersecurity professional with over 12 years’ experience into operations, consulting and auditing information security/ cybersecurity standard and framework. Vinit drives Wipro’s endeavor of enabling organizations to strengthen their control environment to prevent data breaches and cyber-attacks. Vinit has deep domain understanding from varied experience serving across IT/ITES, business process management, telecom and others on developing effective risk management strategies.