Equifax’s huge security breach rarely left the headlines last year, after 145 million customers from the US, UK and Canada had their personal data stolen by hackers. The fallout from the hack has been catastrophic for Equifax, with the credit reporting bureau reporting a 27% YoY fall in profits ($87.5m). It was also heavily criticised for waiting months to disclose the breach to the public, and then again when it revised up the number of those affected and the types of data potentially lost.
While it remains to be seen how the hack will affect Equifax further down the line, what’s clear is that its response wouldn’t have been compliant with the European Union’s General Data Protection Regulation (GDPR), due to come into force next month. This new set of rules is designed to hold companies accountable for the protection of consumer data. It requires companies to take appropriate technical and organisational measures to safeguard personal data, to report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, and to inform affected individuals without undue delay when the breach is likely to put them at high risk – not several months later.
While businesses have been scrambling to prepare for the sweeping changes in how they store and manage customer data, there is still a lot to do before the law comes into effect on the 25th May, from appointing a Data Protection Officer (mandatory for public bodies and for organisations whose core activities involve large-scale monitoring or processing of sensitive data) to putting policies in place to ensure compliance. Most people are looking at GDPR from a security perspective – after all, it is about “data protection” – but big data and analytics also have a significant role to play in helping companies meet the stringent new regulations.
Non-compliance with GDPR has severe consequences, ranging from fines of up to €20m or 4% of a company’s worldwide annual turnover (whichever is greater) to perhaps more damaging effects on brand and reputation. To avoid these costly penalties, businesses need to ask themselves – and make sure they can answer – important questions such as:
- How good is our understanding of the type of personal data that we are processing?
- What data have we been given permission to process for which activities?
- Can we explain the purpose of each instance where we’re using personal data?
- Can we demonstrate compliance to data subjects (i.e. customers) in a timely and efficient manner?
To answer these questions, organizations need full visibility into every activity that touches personal data. They need to maintain a record of processing activities, map out the business and functional processes that use personal data, and report on them continuously to show ongoing compliance. For most large organizations this is a daunting task: the volume of data, and the number of systems and hand-offs involved in tracking how it is used, are too great to unravel and record by hand.
To help them manage this regulatory minefield, businesses are turning to new data analytics solutions, such as process mining. This technology reads the event logs that a company’s systems already produce and, by grouping events by case and ordering them in time, reconstructs the journey that customers’ data actually takes through the organization. The result is a visual map of where personal data comes from and where it goes, which the business can compare against its documented processes and use to assess whether each use of personal data rests on one of the lawful bases for processing.
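The following is an added example, not code from the original article or from any process-mining product, showing the core of what is described above on a constructed event log: events are grouped into cases and ordered by timestamp, a directly-follows graph and the set of observed process variants are derived, and the observed flows are compared with a hypothetical documented record of processing and purpose register. The event log, case IDs, activity names, lawful-basis values and the two registers are all constructed for illustration.

```python
"""Minimal process-mining pass over an event log of personal-data handling.

Added example; the log, activity names and registers are constructed and do
not come from the article or from any vendor's tooling.
"""
from collections import Counter, defaultdict

# Constructed event log: (case_id, timestamp, activity, data_category, lawful_basis).
# Timestamps are ISO-8601 so lexical order equals chronological order.
EVENT_LOG = [
    ("C1", "2018-04-02T09:00", "signup_form",      "contact", "contract"),
    ("C1", "2018-04-02T09:01", "crm_store",        "contact", "contract"),
    ("C1", "2018-04-03T11:30", "marketing_export", "contact", "consent"),
    ("C2", "2018-04-02T10:15", "signup_form",      "contact", "contract"),
    ("C2", "2018-04-02T10:16", "crm_store",        "contact", "contract"),
    ("C2", "2018-04-05T08:00", "analytics_copy",   "contact", ""),  # no basis recorded
    ("C3", "2018-04-04T14:00", "signup_form",      "contact", "contract"),
    ("C3", "2018-04-04T14:01", "crm_store",        "contact", "contract"),
    ("C3", "2018-04-06T16:20", "marketing_export", "contact", "consent"),
    ("C3", "2018-04-07T09:45", "partner_share",    "contact", "consent"),
]

# Hypothetical record of processing: the hand-offs the business has documented.
DOCUMENTED_FLOW = {("signup_form", "crm_store"), ("crm_store", "marketing_export")}

# Hypothetical purpose register: activity -> stated purpose of processing.
PURPOSE_REGISTER = {
    "signup_form": "account creation",
    "crm_store": "account creation",
    "marketing_export": "direct marketing",
}


def traces(log):
    """Group events by case and order them in time -> {case_id: [activity, ...]}."""
    by_case = defaultdict(list)
    for case, ts, act, _cat, _basis in log:
        by_case[case].append((ts, act))
    return {case: [act for _, act in sorted(evts)] for case, evts in by_case.items()}


def directly_follows(trace_map):
    """Count every observed transition a -> b across all cases (the DFG)."""
    dfg = Counter()
    for acts in trace_map.values():
        for a, b in zip(acts, acts[1:]):
            dfg[(a, b)] += 1
    return dfg


def variants(trace_map):
    """Distinct end-to-end paths and how many cases followed each one."""
    return Counter(tuple(acts) for acts in trace_map.values())


def findings(log):
    """Flag flows not in the documented record, events with no lawful basis,
    and activities with no documented purpose."""
    out = []
    dfg = directly_follows(traces(log))
    for (a, b), n in sorted(dfg.items()):
        if (a, b) not in DOCUMENTED_FLOW:
            out.append(f"undocumented flow {a} -> {b} (seen in {n} case(s))")
    for case, _ts, act, cat, basis in log:
        if not basis:
            out.append(f"case {case}: {act} on {cat} data has no lawful basis recorded")
        if act not in PURPOSE_REGISTER:
            out.append(f"case {case}: {act} has no documented purpose")
    return out


if __name__ == "__main__":
    for path, n in variants(traces(EVENT_LOG)).items():
        print(n, "case(s):", " -> ".join(path))
    for line in findings(EVENT_LOG):
        print("FINDING:", line)
```

The directly-follows graph is what a process-mining tool draws as the "real" process map; comparing its edges with the documented record is the step that turns a pretty picture into evidence for or against compliance. In a real deployment the log would be extracted from CRM, ERP or ticketing databases and the registers would be the organization’s actual Article 30 record, but the comparison logic is the same.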
Driving efficiencies in processes
Understanding how data is processed can be tedious and error-prone. But by using process mining, organizations can reduce the time it takes to analyze the flow of data and get a clear view of the way that processes really work. With steep fines and potential for irreparable damage to a brand, full transparency into all processes related to personal data substantially reduces risks and makes it easier to demonstrate compliance to the executive suite, board of directors, regulatory bodies and customers. And, while many companies have clearly defined best-practices for their business processes, the reality is that there will always be variations that occur and create inefficiencies. Process mining can provide a comprehensive picture of real process flows, equipping an organization with the knowledge needed to identify and resolve inefficiencies, and generate additional value.
Businesses can’t afford to wait any longer to prepare for GDPR, as the consequences of noncompliance could be catastrophic. But the preparation can also have a positive side: organizations can use GDPR as a trigger to transform their business processes and become more efficient. Technologies such as process mining can accelerate a company’s journey towards GDPR compliance while also surfacing inefficiencies that lie much deeper in its operations.