A process approach to GDPR

GDPR banner

As from May 2018, any organisation dealing with European customers will need to be GDPR-compliant, it is worthwhile to have a look at the impact of this new regulation for those business processes, and how BPM may facilitate the GDPR-compliance. Let us first have a look at what GDPR actually is.

GDPR in a nutshell

What is it?

GDPR stands for General Data Protection Regulation. It’s a regulation aiming at protecting data on – and thus privacy of – European citizens in a coherent, uniform way across all EU countries.

Who should comply with it?

It is applicable for any organisation dealing with personal data – i.e. data through which someone may identify persons. Thus not only their (first & last) names, phone numbers, physical address, etc. though also data like e-mail adresses, IP-addresses, usernames. Or even one’s aliases, shoe size, medical data, beliefs, etc.

Not only commercial businesses will need to be compliant. Also non-profit and governmental organisations who gather or use personal data will need to comply with GDPR.

And not only European organisations, though any organisation in the world storing or managing personal data of European citizens.   

GDPR’s key principles

Before looking at how BPM enables GDPR’s implementation and how it helps to ensure its compliance, let us look at GDPR’s main principles and how it may impact your organisation.

1. Transparency & consent

TransparencyPersons whose data you are storing or using (called data subjects), must be informed about the fact that you store and use these data. They must also be able to know why you store these data, for how long you will store these, etc.

Consent means that your organisation is not allowed to keep data about persons when these do not agree with. You should even be able to demonstrate the consent of persons you obtained data from.

2. Right to access

If you are anyhow active in the EU, any EU-citizen might ask your organisation whether personal data concerning him or her are being processed.  And if so, where and for what purpose.  

As an organisation, you must (be able to) provide a copy of ‘his’ or ‘her’ personal data on request, free of charge and in an electronic format.

As soon as persons notify you that the data you store about them is incorrect or obsolete, you are responsible to update these.

3. Right to be forgotten

The data subject has the right to request the organisation storing or processing ‘his’ or ‘her’ data to remove these from your database(s). At least, as long as the public interest in the availability of the data is not at stake.  

4. Breach notification

Whenever a data breach takes place which may result in a risk for the rights and freedoms of the persons involved, the organisation must notify this breach within the 72 hours of having first become aware of it. And it must notify its customers, controllers,… ‘without undue delay’.

Portability5. Data portability

This means that citizens can transfer their data from one service provider to another. Thus, data subjects who have provided ‘their’ personal data in a ‘commonly use and machine readable format‘, have the right to transmit that data to another controller.

6. Privacy by Design

Privacy by Design means that data protection must be included from the beginning of system design, rather than something on top after the design.

Concretely, it means that organisations should

  • hold and process personal data only when these are absolutely needed for the execution of their (business) activities, e.g. the realisation of their mission.
  • limit the access to personal data to only those persons in your organisation who need these data to execute their tasks.

7. Data Protection Officers

For these organisations who need regular and systematic monitoring of data subjects on a large scale, or who need special categories of data, e.g. data related to criminal convictions and offences, the appointment of a Data Protection Officer will be mandatory.

8. Territorial scope

Even though one might think that GDPR is only applicable for European organisations, its reach is much broader, as any organisation dealing with data of EU-citizens is concerned. Wherever this organisation is located. Territorial scope

For more on GDPR, you may have look at this site, from which above principles are inspired. Or you may use free apps which some law firms developed specifically for GDPR, e.g. DLA Piper’s Explore GDPR, Fieldfisher’s GDPR – complete guide ; or One Trust’s GDPR Resource Center. All available for Android and iOS devices as well.

The process approach to GDPR

Basically, there are 2 main approaches on how BPM can help you to manage being compliant with the GDPR regulation:

  • manage the impact of GDPR on your existing business processes
  • think of new business processes facilitating a sustainable GDPR-compliance

A. GDPR and existing Business Processes

Process-oriented professionals, and loyal Effic-blog readers, are aware that a business process is not a goal on its own, though it is meant to serve customers, citizens, members, etc.  Hence, there is a big chance that any organisation managing business processes also deals with personal data, even not only with regard to customer data.

On the other hand, many business processes ‘consume’ personal data. Think of any sales order or delivery note in a B2C (Business-to-Consumer) context ; or any letter sent by a municipality to its citizens. Aren’t these process outputs? And are these processes not using personal data (e.g. names and home addresses – or e-mail addresses for their electronic version)?

Here are 4 steps that will help you on your way:

1. Identify the GDPR-related processes

The first thing you best do is to identify which business processes either collect, store, manage (e.g. consume or transform), or delete personal data.

GDPR - customer dataGenerally speaking, there are 2 main types of personal data, being employee data and customer data. You need to understand customer data in a broad sense, of course:  for a hospital, this means data about patients, while for governmental organisations, these are data about citizens, etc.

Hence, business processes where personal data are stored, used or processed are very often

  • HR-related processes, dealing with employee data,
  • Sales, Marketing, after sales service, distribution and other processes dealing with customer (interaction) data

2. Assess what personal data are used in these processes and by whom

Referring to the “privacy by design” principle, you will need to know for which activities more precisely you need personal data, and who from your organisation may access these data. Any other employee should not be able to access these personal data.

3. Identify personal data-related risks

Once you know which processes and respective activities are susceptible to GDPR, assess the nature of the risks which might occur to the personal data involved.

Some examples of activities with high risk are: profiling, personal assessments, decision making for staff selection, systematic monitoring of individuals, processing of personal data on large scale (e.g. by payroll engines), combination of data sets about same persons, etc.

4. Mitigate these risks – Data Protection Impact Assessment (DPIA):

Depending on the risk level, your organisation might need to apply so called Data Protection Impact Assessments (DPIA). According to GDPR, a DPIA is mandatory when:

  • Biometrics are used in the identification of persons.
  • A process uses genetic data.
  • Personal data are obtained by a third party and on that basis it is decided to provide or stop services.
  • Assessing financial solvency to determine the risk profile of the person concerned and to decide on services.
  • Processing is of such a nature that a breach of personal data could jeopardize the physical health of the person concerned.
  • The processing gives rise to a communication or making available to the public personal data relating to a large number of data subjects.
  • Processing financial or sensitive data that are (re)used for purposes other than those for which they were collected – except when based on permission or a legal obligation.
  • Personal aspects are evaluated, in order to analyze or predict professional achievements, economic situation, health, personal preferences or interests, reliability or behavior, location or movements.
  • Profiles of natural persons are drawn up on a large scale.
  • In case of large-scale processing of personal data of vulnerable natural persons, in particular of children, for (a) purpose(s) other than tDPIA cyclehe ones for which they were collected.
  • Processing is intended to record the knowledge, performance, skills or mental health of pupils and to monitor their evolution, in particular by means of pupil monitoring systems, regardless of whether these pupils are in primary, secondary, tertiary or university education.
  • Multiple controllers are planning to implement a common application or processing environment for an entire sector, or a segment thereof, and using sensitive data.

Download here (from the EC-site) the complete description of when and how to apply a DPIA according to GDPR. This Working Party (WP 248) focuses on the processing of personal data, indeed. Here above you find the DPIA cycle, originating from this online pdf.

B. New business processes enabling GDPR-compliance

To cope with GDPR, you may need to put in place some new activities or even new processes. Based on above described GDPR key principles, one may think of following new – or more effective – activities or processes:

1. Assigning a DPO (Data Protection Officer)

If your organisation meets (one of) the criteria of the 7th GDPR key principle mentioned here above, you will obviously need to take action, i.e. to assign a DPO.

Download here (from the EC site) the guidelines on DPOs.

Needless to tell you that assigning a DPO, who will do his/her job, will have a large impact on your existing business processes. All personal data-related business processes should be assessed, and possibly redesigned, from the GDPR perspective.

2. Communicate transparently what you (will) do with personal data

Communicate transparentlyWhen asking data from customers or employees, you best proactively communicate to them what you will use these data for, how secure you will manage those, etc.

Indeed, being able to keep one’s personal data may rather seem to be a privilege with GDPR. Hence, maintaining a good relationship of trust with customers and employees will be even more important.

A well-protected self-service site – e.g. a securised extranet (for customers) or intranet (for employees) -, by which individuals can view and update ‘their’ own data themselves is not only transparent, though quite efficient as well.

3. Swiftly reply on requests “to access” or “to be forgotten”

If you do not foresee such a securised self-service site, keep in mind that you should be able to quickly deliver – or to quickly remove or destroy – the respective personal data on the person’s request. Hence, you are better prepared for this.

4. Foresee to communicate timely, in case of breach

Be also prepared for the worst case as well. Despite the high data security you put in place to protect personal data, an accident cannot be excluded for 100%. Hence, be ready to timely communicate a breach.

5. Be able to prove the consent of persons you keep data about

EvidenceKeep also in mind that your organisation must be able to prove that you got the consent of these individuals whose personal data you keep or use. Saving such evidence might thus be valuable on the longer term.

6. Data security and access monitoring

Protecting personal data should not only be against external parties, e.g. who want to ‘steal’ these data. According to GDPR, you must also protect them against persons within your own organisation whose role or activities are totally unrelated to these personal data.

Therefore, you do not only have to foresee or increase security levels against the outside world. You will have to limit access to personal data to only those employees who are supposed to need them for carrying out their job. And in case of troubles – or audit -, you should be prepared to show which measures you had put in place, e.g. role-based data access management.

 Who says new activities and processes, also says change management to facilitate and to ensure the effective implementation of these (re)new(ed) processes.

To conclude

The value of personal data will be higher than it ever used to. Before GDPR, customer data was considered – as good as – free, even somehow valueless.

One of the main consequences of GDPR, particularly when it comes to customers’ personal data, is the rise of this value. Personal data are now an asset that must be carefully protected, stored and managed only with consent, and anything but permanent.

Business processes fostering careful management and protection of these data, will be paying off on the long term. Indeed, an organization that deals with personal data in an exemplary way will gain and retain the trust of its customers and thus will obtain a competitive advantage over competitors who do not. Not to mention the probable reputational damage caused by ignoring GDPR.

Is your organisation GDPR-compliant already? If so, how did you get there? Did you use a process-oriented approach? Or which else did you follow? Please share your experience through the Comments box below.

Do you have any other question? Then please contact me via the contact form.

P.S.: Please share this information with your Facebook friends and fans, LinkedIn contacts, Twitter followers and Google+ circles, through the share buttons below. Thank you!