On 14 April 2016, the European Union (EU) approved the General Data Protection Regulation (GDPR), making it a law to replace the data protection directive 95/46/EC. The objective of developing a new privacy law was to harmonize data privacy laws across Europe, protect and empower all EU citizens of their data privacy and reshape the way organizations across the world approach privacy.

GDPR applies to all organizations involved in processing data of EU citizens anywhere in the world. Non- compliance with the regulation may result in fines up to €20 million, or 4 percent of overall global revenue of organizations processing personal data of EU citizens.

The GDPR, which came into force on 28 May 2018, is seen by many businesses as an obstacle to their smooth functioning. With organizational data having multiple entry points, data flowing from one process to another, data processing through various applications, and data stored across various databases, important question organizations face is a means to ascertain where personal data resides within their system.

GDPR: Implementation roadblocks

According to a survey conducted by crowd research partners in April 2018, it was projected that almost 60% organizations were at risk of missing the deadline for GDPR implementation. As part of the survey, organizations highlighted the following as the primary challenges for complying with the regulations:

• Lack of expert staff (43%)
• Lack of budget (40%)
• Limited understanding of GDPR regulations (31%)

The survey also highlighted that almost 56% of respondents expected their organization's data governance budget to increase in order to deal with the GDPR challenges.

GDPR has forced data privacy officers/ information security officers and boards of various organizations to redefine their data privacy strategy and to comply with the requirements of the regulation. Its adoption has become the biggest challenge for a majority of organizations, with effective implementation of controls and adherence being the major roadblocks. Organizations need to understand and track how personal data is being collected, processed, and stored.

GDPR has introduced certain key aspects, which organizations will have to consider while defining their implementation strategy. In most cases, organizations will have to perform the entire process of reaching out to respective business processes manually, and understand from them the various sources from where personal data gets collected. The process of gathering this information will be repetitive and will involve additional work-force and time to perform.

Automation to the rescue

How is it then that organizations can overcome this manual activity and in turn save time and workforce involvement? The solution to this seemingly daunting task lies in automating the manual processes that integrate with organization business processes, systems, and provides a deep dive view of all data and storage points.

Wipro has been successfully developing models and strategies for clients to reduce their operational cost and workforce, with its Enterprise Operations Transformation framework. Robotic Process Automation (RPA) is a major lever of the EOT framework and is capable of handling high-volume, repeatable tasks. RPA can assist clients to automate their GDPR journey by managing several critical aspects to comply with GDPR requirements such as:

1. Personal Information Management

• Identify- Mapping of existing data and new data across various business processes
• Classify- Assist in classifying personal information across the organization based on its sensitivity
• Erasure- Upon request from data subject for deletion of personal information across organiza-tional systems, the system may effectively track where the personal information resides and can be automatically be deleted
• Anonymous- Use a pseudonym or tokenize personal information wherever required

2. Consent

A third-party application can be integrated with RPA solution for customer correspondence and consent management.

3. Breach notification

Notify data subject of data breach within 72 hours in case any breach has been noted.

GDPR compliance through SAIX

At Wipro, we understand the challenges that organizations face while adhering to GDPR and are committed to transforming our clients’ GDPR compliance journey by automating the most complex tasks of data inventory management, consent management, data portability request, and data breach monitoring through our framework.

As part of our transformation offering, we rely on “SAIX” model for defining solutions for our clients. “SAIX” stands for:

• Simplify- Standardize, Digitize, and Streamline processes
• Automate- Reduce the number of manual, rule intensive, high transaction based tasks and processes
• ntelligence- Incorporate actionable insights into organization business processes DNA with predictive and prescriptive analytics
• Experience- Reimagine the experience based on customers and internal stakeholders

Here is how the SAIX model aligns with the GDPR compliance automation (Figure1).

Wipro’s 4 phase approach

Wipro can help its customers automate their GDPR compliance journey in four phases:

Gather

• Understand the type of personal data being processed
• How users are granted access to data and application
• Understand how data inventory is managed

Pre-assessment

• Wipro will assess the current state of the organization, based on the GDPR requirements and will accordingly suggest areas of improvement

Design

• Develop an implementation roadmap
• Define security requirements to be embedded
• Define rules based on data sensitivity and holding period
• Define customer portal view based on region and type of information collected, process, and stored data

Post-assessment

• Post implementation of GDPR automation solution, Wipro can help clients either perform a one-time assessment based on GDPR requirements under the compliance-as-a-service framework, or can perform a periodic review on the current state of organization controls based on GDPR requirements, and suggest recommendations if any.

Conclusion

Automation for GDPR compliance will help organizations:

• Seek explicit consent on the data set identified for collection, processing, and storage
• Adequate data management through logs
• Maintaining adequate data inventory providing details of applications and databases where personal data is stored
• Pseudonymisation/ tokenization of personal data
• Face any regulatory audit effectively

Vinit Sinha - Associate Vice President – Compliance-as-a -Service, Wipro Limited

Vinit is an information security, data privacy and cybersecurity professional with over 12 years’ experience into operations, consulting and auditing information security/ cybersecurity standard and framework. Vinit drives Wipro’s endeavor of enabling organizations to strengthen their control environment to prevent data breaches and cyber-attacks. Vinit has deep domain understanding from varied experience serving across IT/ITES, business process management, telecom and others on developing effective risk management strategies.