In this article, Jeff Nicholson, Vice President, CRM Product Marketing, Pegasystems, explores how businesses can prepare for the upcoming GDPR legislation deadline.
It’s May of 2018, and the effective date of the EU’s General Data Protection Regulation (GDPR) is now just around the corner. But are businesses really ready? And what does readiness mean when it comes to addressing the most basic levels of risk?
As of just a few months ago, only one-third of businesses across the globe said they had a GDPR plan in place, according to the Global Forensic Data Analytics Survey from EY. Surprisingly, even in the EU, 40% of organizations remained unprepared.
To comply with the GDPR, you need not only to have your plan documented, but also to have a way to execute it, and to prove you executed it. And you will, in all likelihood, need to be able to do all of this at scale.
One of the major questions being asked right now is, how much volume should businesses expect? Some organizations may be thinking they’ll be able to deal with the upcoming volume of GDPR requests manually, but a recent consumer survey from Pegasystems sheds some light. Pega surveyed 7,000 residents across the EU and found that 82 percent of consumers say that they plan to act upon the new rights given to them by the GDPR. This serves as an important wake-up call for businesses still mulling over their readiness strategy. No one is sure right now how stringent regulators will be in enforcing the letter of the law, but with potentially millions on the line, few can afford to wait and find out.
Unfortunately, when it comes to enabling technology, there is not a single, comprehensive off-the-shelf piece of software that will automagically solve all of your GDPR problems out of the box. Why not? Simply put, nearly every business is planning its compliance strategy differently. Their legal counsel is expressing their own interpretation of legitimate interest, and where and when consent may be required. And the set of data infrastructure that each company possesses is ultimately vastly different.
This is why it is not a question of whether you have a system to manage the GDPR. It will be whether you have “a system to manage the systems.” The gap is not that you don’t have a data management system or a CRM system. It’s that you have data everywhere, and multiple CRM (and related) systems — often 50 or more locations where customers’ personally identifiable information (PII) is held. And unfortunately, much of this infrastructure is not connected because it never had to be, until now.
Your GDPR challenge, when it comes to risk-readiness, is one of orchestration: of having a system to manage the systems. To close this gap, many are now using technologies such as “dynamic case management” for the orchestration of GDPR processes. This not only allows businesses to rapidly document their process but, in doing so, also establishes the very automation that will carry that process forward across their organization, all while providing a complete audit trail to prove their policies were adhered to.
Using this approach, businesses can configure their interpretation of compliance often in just a matter of days (for the simplest) to a handful of weeks (for the more complex). The moment the process is documented, it is ready to be operationalized and reported on. And when done properly, breakthrough technology such as robotic process automation and robotic desktop automation can then enable rapid integration of a business’s disjointed systems and databases that would otherwise remain out of reach.
So yes — it really is possible to achieve GDPR risk-readiness by May 25. And no — it does not have to be as hard as you think.