With its implementation in May of this year, GDPR introduced one of the most stringent and comprehensive regulations in the world today. And with fines for noncompliance of 20 million euros, or 4% of annual turnover, companies cannot afford to take the regulation lightly. But compliance itself is costly. What to do? Robotic process automation – or RPA – may be the answer! With its ability to manage repetitive, rules-based tasks, RPA can help reduce administrative costs and avoid processing errors…and companies might actually realize some additional unexpected benefits as well.
GDPR, the European regulation on data protection and privacy (and whose letters actually stand for General Data Protection Regulation), aims to make enterprises more accountable for the protection of EU citizens’ personal data. In a stark deviation from the earlier data protection directive, GDPR places data protection responsibility on both data controllers and processors. The following figure provides a comprehensive view of GDPR and its many requirements.
Since GDPR became legally binding on May 25, 2018, it has brought the discussion around privacy of personal data to the forefront. It has mobilized data subjects to action, and enabled them to play a pivotal role in ensuring protection of their personal data, while holding enterprises accountable for any data breaches or non-conformity to data subject rights as provided by GDPR.
GDPR has received a lot of flak since it was approved by the EU Parliament in April 2016. Common complaints focus on the enormous fines associated with non-compliance – 2-4 percent of the company’s annual turnover – and the high cost of compliance, which could reach up to millions of dollars.
Given the hefty fines, one would expect enterprises to be shaking in their shoes and adopting a more proactive approach in complying with all of GDPR’s requirements. However…
Enterprises are Taking a Blasé Approach to GDPR
…More than a month past the deadline, enterprises’ response to GDPR compliance remains lukewarm. Consider the following comments from Everest Group clients:
“25th May is not the end. In many places, it starts off the journey to data privacy. We are in a good position, but we still have a lot to do after the 25th.”
– Director of Transformation at a financial institution
“GDPR involves huge amount of money, and I am not sure if it’s necessary. I don’t know what we are gaining from it, or if it offers any value to the organization. We could be spending the same money elsewhere for more value.”
– Head of Platform Delivery at a leading financial institution
Our GDPR research with enterprises across verticals and regions suggests that enterprises are not breaking into a cold sweat and are adopting a strategy based on minimum viable compliance. As counterintuitive as it might sound given the high cost of non-compliance, 90 percent of enterprises are adopting a “wait-and-watch” or “good enough compliance” strategy. They are making basic remediations to existing systems and processes, while exerting caution in making heavy investments towards compliance.
Of course, there are region- and industry-specific variations. U.K. enterprises are far ahead of their counterparts in the Middle East. B2C businesses are adopting a more proactive approach than B2B firms. Still and all, most enterprises embarked on their GDPR compliance journey only a few months before the legally binding deadline, leaving a lot unaddressed, untouched, and unfinished. In fact, our research revealed that only 10 percent of enterprises were compliant with all the requirements of GDPR before the deadline.
A Golden Opportunity to Build Trust
Even before GDPR, enterprises had to comply with a series of regulations affecting different aspects of their business, including personal data. Today, enterprises perceive GDPR as an ongoing part of business-as-usual. This assumption, though flawed, is leading them to believe that a simple approach focused on demonstrating their intent to comply, rather than actually being compliant, will be enough to evade the hefty non-compliance fines.
However, by basing their GDPR strategy on such assumptions, enterprises are exposing themselves to reputational and financial risks. There is no dearth of examples to support this viewpoint. Data breaches were a significant factor responsible for both Uber’s and Yahoo’s drops in valuation. Adobe had to pay US$1.1 million in legal fees and an undisclosed amount to users to settle data breach claims. With the Cambridge Analytica scandal, Facebook’s stock price plummeted, and the court summons only darkened the existing stain on the firm’s reputation.
Data breaches have made today’s digital world deficient in trust. By choosing not to invest in GDPR, enterprises are losing out on a golden opportunity to build trust with their customers and stakeholders, and make their security systems/data protection methodologies robust.
Further, if, as expected, GDPR inspires other economies to introduce similar data privacy standards, compliant enterprises will benefit in the long run and enjoy seamless access to the global markets. Hence, a piecemeal approach to compliance will derail enterprises’ train, and slow their ride to the global opportunities provided by the data powered economy.
For a detailed view of enterprise GDPR priorities and investments, along with leading service provider capabilities in driving compliance, please download our report entitled GDPR Services: Gross Disconnect in Perception and Reality – Services PEAK Matrix™ Assessment 2018.
Were you as riveted as I was by Mark Zuckerberg’s testimony about the Facebook-Cambridge Analytica scandal?
Here are my key takeaways on the future of the services industry supporting social media and the increasingly digital world.
Data is the New Currency
We are hurtling towards a truly digital economy where data is the key commodity. In such an economy, companies with access to data and, more importantly, the ability to make sense out of it through analytics tools will reign supreme.
It is not difficult to imagine a world where most corporate movements and conflicts center around data – lack of it, desire to access it and acquire better analytics tools, improper/unethical/overuse of it, and inadequate protection of it.
Internet of Things (IoT) and Social Media Will be Mines, but Not Necessarily Filled with Gold
Internet of things and social media platforms can capture zillions of data points, and will potentially be important tools that supply this new currency to the ecosystem. However, market success will depend heavily on who has the business acumen and analytical power to churn data into insights and useful products. This will apply across sectors, but will be critical for BFSI, CPG, retail, and healthcare segments.
Data will not just be hard, like names, addresses, and IP addresses. It will also be soft, such as sentiments, propensity to buy, satisfaction, and the likelihood that a given customer will be a leading adopter. IoT and other data capture/analysis tools will need to change rapidly to accommodate these factors. Whether the claims of Facebook storing 29,000 data points on each individual are true or not, the data it does store keeps track of not just actions but also interest and intent, e.g., browsing but not actually buying a product.
Safeguarding Data Will be Critical – for Companies and Countries
In this new world, data security will be paramount – akin to safeguarding money! That makes cybersecurity a critical prong of a digital strategy.
The U.S. legislative bodies have demonstrated considerable interest in introducing new legislation oriented around this new data economy. My expectation is that the U.S. will mirror the EU General Data Protection Regulation (GDPR), at least in intent and punitive measures, although the exact tenets may differ, and may be more expansive.
In order to remain viable operating locations for U.S. and European firms’ back- and middle-offices and IT centers, offshore services delivery countries such as Argentina, Costa Rica, India, the Philippines, Malaysia, and Mexico will have to mirror the EU GDPR and U.S. regulations, and upgrade their data protection laws.
The Cold War has Gone Digital
Alleged Russian interference in the Brexit vote and the 2016 U.S. presidential election, purported hacking by Western nations into Iranian nuclear reactors, political propaganda on social media, and the umpteen social media wars fought even by governments and elected officials all mean one thing: the Cold War has now gone digital. Against such a backdrop, technology and digital tools have come out of the back rooms of global businesses and into the front rooms of politics and governments.
Given governments’ strong emphasis on digital, we foresee them increasingly investing in it to out-compete other countries. We also expect the public sector to increase its investments in cybersecurity.
Rise of Content Moderation as an Industry
Huge emphasis will be placed on a breadth of content moderation services – this includes content review, sentiment analysis, context analysis (e.g., distinguishing between hate speech and valid political dissent), and moderation.
While content moderation was previously viewed as low-value and transactional, the intense heat that social media platforms are facing will change it into a far more important process that involves a fair degree of decision-making. We might even see the most complex streams of content moderation leveraging legal professionals as agents. See my next point.
Increased Regulatory Oversight on Social Media Content
Because of the huge impact of social media content on almost everything in today’s world – politics (e.g., Brexit and the U.S. elections), the economy (e.g., Snapchat losing US$1.3 billion after a tweet by Kylie Jenner), entertainment, sports, and arts – content moderation will become a heavily regulated and watched process. Liabilities from social media fails will typically run into billions, and so will penalties.
Senator Ted Cruz raised a question related to the political leanings of moderation agents themselves, bringing into focus the larger issue of biases. Over-moderation will also be under scrutiny, meaning that content moderators will need to walk an extremely thin line.
Exploding Portfolio of Languages
With the explosion of social media across the nooks and crannies of the world, content moderation capabilities will need to keep pace. Facebook already has a team of up to 20,000 professionals moderating content, and that number is bound to leap up significantly in the near term, until AI and automation become smarter.
In our work with global service providers, we are seeing a huge ramp-up in demand for content moderation teams across all developed and emerging markets, and even for languages that were not previously supported by contact center or BPO service providers in any meaningful scale. Mark Zuckerberg himself gave the example of the need to increase Burmese language moderation due to the Rohingya crisis.
The trick for service providers to be successful in such a market will be to have a ready map of where they might be able to access just about any language at just about any scale, because no one knows where the next crisis and related social media content may erupt.
Critical Role of AI and Automation
Finally, and probably the most critical game changer in all this, is the role of AI and automation. At some point it will no longer be financially prudent to support the content moderation process with a people-intensive model, especially given the potential demand that can arise in a matter of hours in languages that are traditionally extremely hard to support. In such a scenario, companies with natural language processing and sentiment analysis tools that can make increasingly smarter decisions related to content management will be successful. Service providers and technology vendors that can develop such tools will find a ripe market to sell into!
While human judgment will still be required, IT tools can potentially be trained in an unlimited number of languages and dialects to take care of the bulk of business as usual content.
That’s as far as the eye can see today. But we are poised to see an exciting new world where entirely new tussles lead to some companies emerging as winners and others fading into obscurity as losers.
I would love to hear your thoughts on this topic, so please feel free to contact me at: [email protected].
A week ago, Facebook CEO Mark Zuckerberg said the company intends to bring the same privacy and controls mandated by the new European Union data protection law to all its users. That statement accorded the highest standards of protection to the EU General Data Protection Regulation, which is widely considered too draconian. The reference to GDPR by Facebook—which is in the midst of a raging controversy over data leaks—may have softened public perception of it, but for Indian companies, compliance remains a tall order.
Experts believe GDPR will be a net plus for the IT industry. “What is clear is that significant work will be required and clients will have to utilize their IT vendors to accomplish this work (of transitioning to GDPR),” said Peter Bendor-Samuel, CEO of IT consultancy Everest Group.
The European Union’s General Data Protection Regulation (GDPR) goes into effect in just two months. Designed to ensure that organizations protect the personally identifiable information of individuals, this new set of rules is the most important data privacy change in two decades, according to the EU’s own GDPR web portal. While much of the responsibility for adherence falls to compliance and information security professionals, IT leaders must also understand the impact of GDPR – not only the requirements and risks associated with non-compliance, but also the resulting changes in data collection and governance.
In order to adhere to GDPR requirements, companies must figure out all the ways they gather and store the personally identifiable information of EU citizens, says Eric Simonson, managing partner with management consultancy Everest Group.
Everest Group’s March 22 symposium, Thriving in a World of Perpetual Change, brings together industry expertise and rich resources to help you identify practical strategies to thrive in a time of global disruption. Join us as we explore ways leading enterprises are planning and organising to take advantage of disruption to improve outcomes.
About the event
Ongoing global disruption – in the form of economic uncertainty, political upheaval, legal/regulatory change, and technological development – is forcing the global services market to completely transform how service delivery is organised and executed. Keeping up with the latest developments is difficult enough, let alone understanding and planning for potential consequences.
What you will see, hear, and learn
- Findings from our first ever assessment of how leading organisations are achieving Pinnacle, or best-in-class, status in leveraging Robotic Process Automation (RPA) in their service delivery organisations
- Early findings from our RPA Technology PEAK Matrix™ 2018 research
- Predictions for how the global services market will evolve in 2018, including demand trends, impact of RPA and other technology trends, digitalisation, the service provider landscape, delivery locations, vendor management and pricing, GDPR, and more
- A panel discussion about what organisations should do to survive in a changing world
The programme will be followed by a networking session with industry colleagues and Everest Group analysts over drinks and canapés.
Thursday, 22nd March, 2018
3:30 to 7:00 pm
Last year’s event exceeded capacity very quickly – register today to save your space!
The UK and Ireland are in the crosshairs of some significant economic, geopolitical, and technology forces: the perfect storm of Brexit, GDPR, and digital developments is bearing down on the region, potentially changing the service delivery landscape as we know it today. How will these forces impact global services in the region, and are there any silver linings in these storm clouds?
With just seven months to go to the General Data Protection Regulation (GDPR) compliance deadline, many companies still have wholly inadequate data management capabilities. Strict requirements for personal data security, privacy, and the right to erase, among other things, will cause severe headaches for many CIOs not only in the EU but in all regions, as organizations will have to know which data is and is not subject to the regulation, and where in the world it is stored.
Download our special complimentary report: EU GDPR: Is There a Silver Lining to the Disruption?
No doubt many complex and conflicting scenarios will arise out of GDPR. For example, consider the following data-related issues:
- When a request to be forgotten comes in from a customer, how will the organization find all the occurrences of the same data across the vast enterprise IT estate?
- Will public and private cloud and other infrastructure providers be able to handle the requirements in a timely manner?
- What would be the knock-on effect of a customer asking for his/her data to be erased? What systems will be affected, and how would that affect audit trails and other regulatory requirements, such as maintaining company-related data for audit purposes for several years?
These and a multitude of other questions will take many more years to understand, get guidance on, and resolve. In the meantime, companies must be compliant, or face fines that are the greater of €20 million or 4 percent of global annual turnover.
For those organizations that have not yet prepared for GDPR, the overheads of data management are increasing significantly. For example, they must figure out how to best obtain and maintain personal consent, handle access requests, process revocation of consent and requests to be forgotten, train personnel to know what they can and cannot do with data under GDPR, ensure outsourced services, cloud providers, other suppliers, e.g. in the supply chain, and partners are compliant, and run audits to check the readiness and effectiveness of the provider/supplier/partner ecosystem.
This is where, with its rules-based bots, Robotic Process Automation (RPA) could prove to be God’s gift to the laggards. Scenarios where RPA could be ideal include, but are not limited to:
- Running audits of data against consent and revocation databases for compliance
- Checking a queue of incoming consent or revocation requests, and acting upon them, e.g., setting the right flags in systems or actively deleting data while maintaining an audit trail
- Producing audit reports
- Propagating changes of personal data and related consent across all the systems that hold that data, by cutting and pasting updates and maintaining consent-related databases
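The scenarios above (draining a consent/revocation queue, setting flags or deleting data while keeping an audit trail, propagating changes across every system that holds the data, and auditing data against the consent database) and the erasure questions raised earlier (finding all occurrences across the estate, and what happens where retention rules conflict with an erasure request) can be illustrated with a small bot. The following Python is an added example written for this page; it is not Everest Group’s code nor any RPA vendor’s product. The system names (`crm`, `marketing`, `billing`), the record layouts, the retention period and the queued requests are all constructed for the example.

```python
"""Constructed example: an RPA-style bot that drains a queue of consent
revocations and erasure requests, propagates them across the systems that
hold the data, writes an append-only audit trail, and reconciles the estate
against the consent database. System names, record layouts, the 7-year
retention hold and the sample requests are all constructed, not real data."""
from dataclasses import dataclass, field

# Constructed: three systems holding personal data. A non-zero
# "retention_years" models a legal hold (e.g. audit rules) that blocks erasure.
SYSTEMS = {
    "crm":       {"purpose": "service",   "retention_years": 0},
    "marketing": {"purpose": "marketing", "retention_years": 0},
    "billing":   {"purpose": "service",   "retention_years": 7},
}


@dataclass
class Estate:
    records: dict = field(default_factory=dict)  # system -> {subject_id: record}
    consent: dict = field(default_factory=dict)  # subject_id -> {purpose: bool}
    audit: list = field(default_factory=list)    # append-only (request_id, action, detail)
    done: set = field(default_factory=set)       # request ids already applied


def sample_estate() -> Estate:
    """Constructed estate: two subjects present in every system, full consent."""
    e = Estate()
    for system in SYSTEMS:
        e.records[system] = {"s1": {"name": "Ada"}, "s2": {"name": "Bob"}}
    e.consent = {"s1": {"service": True, "marketing": True},
                 "s2": {"service": True, "marketing": True}}
    return e


def process_request(e: Estate, req: dict) -> str:
    """Apply one queued request. Idempotent on req['id'] so a replayed
    queue message cannot double-delete or double-log."""
    if req["id"] in e.done:
        e.audit.append((req["id"], "skipped", "duplicate request"))
        return "duplicate"
    sid, purpose = req["subject_id"], req.get("purpose")
    if req["type"] == "revoke":
        # Flip the consent flag, then suppress the record in every system
        # that processes data for that purpose.
        e.consent[sid][purpose] = False
        for name, meta in SYSTEMS.items():
            if meta["purpose"] == purpose and sid in e.records[name]:
                e.records[name][sid]["suppressed"] = True
                e.audit.append((req["id"], "suppressed", f"{name}:{sid}"))
    elif req["type"] == "erase":
        for name, meta in SYSTEMS.items():
            if sid not in e.records[name]:
                continue
            if meta["retention_years"] > 0:
                # Legal hold: keep the record, stop using it, and record why it survived.
                e.records[name][sid]["suppressed"] = True
                e.audit.append((req["id"], "retained",
                                f"{name}:{sid} legal hold {meta['retention_years']}y"))
            else:
                del e.records[name][sid]
                e.audit.append((req["id"], "erased", f"{name}:{sid}"))
        e.consent[sid] = {p: False for p in e.consent[sid]}
    else:
        raise ValueError(f"unknown request type {req['type']!r}")
    e.done.add(req["id"])
    return "applied"


def drain_queue(e: Estate, queue: list) -> dict:
    """Process every queued request and count the outcomes."""
    counts: dict = {}
    for req in queue:
        outcome = process_request(e, req)
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def audit_consent(e: Estate) -> list:
    """Reconciliation audit: a live (unsuppressed) record whose purpose has
    no consent is a compliance finding, reported as (system, subject, purpose)."""
    findings = []
    for name, meta in SYSTEMS.items():
        for sid, rec in e.records[name].items():
            has_consent = e.consent.get(sid, {}).get(meta["purpose"], False)
            if not has_consent and not rec.get("suppressed"):
                findings.append((name, sid, meta["purpose"]))
    return findings


# Constructed queue: one revocation, one erasure, and a replayed duplicate.
QUEUE = [
    {"id": "r1", "type": "revoke", "subject_id": "s1", "purpose": "marketing"},
    {"id": "r2", "type": "erase", "subject_id": "s2"},
    {"id": "r1", "type": "revoke", "subject_id": "s1", "purpose": "marketing"},
]

if __name__ == "__main__":
    estate = sample_estate()
    print(drain_queue(estate, QUEUE))   # {'applied': 2, 'duplicate': 1}
    print(audit_consent(estate))        # [] (estate and consent database agree)
    for entry in estate.audit:
        print(entry)
```

Two design points matter more than the bookkeeping: the request id makes the bot idempotent, so a re-delivered queue message cannot erase or log twice, and the erasure path never silently drops a record that a retention rule says must be kept; it suppresses it and writes the legal basis into the audit trail, which is exactly the evidence an auditor or supervisory authority will ask for. The reconciliation audit then catches drift, such as a consent flag changed by hand without the suppression being propagated.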
The role of AI
As organizations collect more and more GDPR-related data, Artificial Intelligence (AI) solutions could come into their own by helping with risk and impact analysis and reporting:
- How many systems will be affected by a GDPR consent and access related change?
- What is the knock-on effect on workloads and audit trails? How do these affect other regulatory requirements on data retention?
- How many systems will be affected, and what would be the impact on operations and other legal and regulatory requirements?
- What is the data security threat level of the day? What is the likelihood of data breaches on a daily/hourly basis, and what preventative measures could be taken?
- What security breach has happened and what actions have been taken? Who has been affected by it and must be notified?
Additionally, good governance is an imperative for GDPR. RPA and AI can be used to embed governance in daily operations for enforcing and monitoring purposes.
A new era of data protection is upon us. It is coming at a time when, some would say, companies have taken far too many liberties with their customers’ data. The full implications for businesses are yet to be understood. But we believe that all organizations that hold or process personal data will experience some disruption in service delivery as a direct result of GDPR. For more on Everest Group’s point of view, please see our latest free publication: “EU GDPR: Is There a Silver Lining to the Disruption?”
The high-entropy data protection space has once again gained headlines after Equifax, the U.S.-based consumer credit reporting agency, revealed that a July 2017 theft compromised more than 143 million American, British, and Canadian consumers’ personal data. The data breach incident, one of the worst cyber-attacks in history, was conducted by hackers who exploited a vulnerability in the company’s U.S. website and stole information such as social security numbers, birth dates, addresses, and driver’s license numbers. (Equifax maintains and develops its database by purchasing data records from banks, credit unions, credit card companies, retailers, mortgage lenders, and public record providers.)
Much about the situation would have been considerably different had this breach happened after May 2018, at which time the General Data Protection Regulation (GDPR) – a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU) – goes into effect. Even though it is not headquartered in the EU region, Equifax would have come under the purview of GDPR, because it maintains and reports the data of British citizens. And the stringency of requirements and degree of implications would have been significantly higher for the credit rating agency.
Although not directly related to GDPR, another significant business impact is the sudden “retirement” of Equifax’s CEO less than three weeks after the breach was announced.
This massive cyber-attack is a wake-up call for the services industry. Starting today, operations and businesses must regard data protection regulations with the utmost importance. Non-compliance will not only harm firms financially, but also expose them to brand dilution and business continuity risks.
Some of the key imperatives for enterprises operating in the ever-so-stringent data protection space include:
- Know and understand the data security laws under which your enterprise falls, especially those such as GDPR that have far reaching impacts
- Redesign your business processes to incorporate privacy impact assessments to identify high risk processes
- Implement necessary changes in the contracts with third parties to incorporate the stricter requirements of consent
- Achieve process transformation to inculcate privacy by design; this includes risk exposure reduction by technological changes such as data minimization
- Appoint a Data Protection Officer to align the business goals with data protection requirements
- Make suitable changes in contracting and governance practices to ensure adequate emphasis on data protection
To learn more about the strategic impact of the EU GDPR on the global services industry, please read our recently released viewpoint on GDPR: “EU GDPR: Is There a Silver Lining to the Disruption.”