Process Management: Propelling Businesses Towards GDPR Compliance

The General Data Protection Regulation (GDPR) is a popular topic among businesses around the globe. The law was originally introduced and adopted into place on April 27, 2016, and allotted a two-year post-adoption grace period for businesses to meet compliance regulations. The formal enforcement date for fining non-compliant organizations took effect on May 25, 2018. Through a survey completed by BPTrends, a firm that tracks process modeling trends, information was gathered that in some cases European businesses surpassed U.S. businesses on GDPR compliance by up to 500 percent. The conclusion was drawn that European businesses were more prepared due to their sophisticated business processes. However, it should be noted that many European- and U.S.-based businesses are adopting GDPR standards as good practice.

Business process management (BPM) entails how businesses study, identify, change and monitor business processes and modeling to ensure that they run smoothly while improving those processes over time. The data from the BPTrends’ report shows that no North American organization in 2017 had spent more than $10 million on business process work or improvements. Meanwhile, five European companies had spent from $10 million to $50 million, with one organization investing over $50 million. Process management can assist both European and North American companies in their processes when they become GDPR compliant, however, the emphasis on processes in Europe explains why those businesses are much more prepared.

With any organization looking to become GDPR compliant, processes must change to better protect the organization and implement new workflows. New plans must be drawn up for each organization. These plans must be documented and communicated to internal stakeholders, thus creating new processes. Much of the focus around the GDPR has been on data and data protection, rather than on processes that take place, which are equally as important for companies that are affected by the regulation. Keeping up with the tracking and reporting required to achieve regulatory compliance can cost organizations considerable time and resources. Without an efficient system, it’s no doubt that an organization could easily fail to maintain compliance or efficiently keep up with internal deadlines that may require consent under the GDPR. For example, some of these processes might include ways in which an organization deals with a data breach, documents that breach, and secures its systems to prevent future problematic implications. The way a business handles consent and data management in compliance with GDPR is all through their internal processes.

Well-functioning process management is essential when it comes to avoiding monetary penalties, yet many organizations don't see this as self-evident. A BPM system gives businesses the tools they need for rapid reaction to regulatory change. Compliance management is thus made easier, and complex rule sets are replaced by compliant and functioning processes. A BPM system is able to identify regulatory violations and risks in daily processes, ensure employees are correctly carrying out critical decisions, incorporate compliance changes into processes, and ensure seamless traceability of new processes.

For example, any company that conducts business in the EU or with EU citizens, otherwise known as “data subjects,” must be within compliance. For a company like Cola-Cola that does business internationally, the processes of compiling and storing its customer data must be addressed. The GDPR states that any company posing a risk to EU data subjects can be fined up to 4 percent of their global revenue or $20 million, whichever is greater. If Coca-Cola was to experience a data breach of this information, it could potentially be fined up to $1.1 billion, based on its 2017 revenue of $35.41 billion.

Process optimization not only prepares these companies for GDPR, but provides workflow acceleration and process intelligence. All are critical with successfully implementing new GPDR regulations within an organization. Some basic operations of a BPM system include defining framework based on legal and standardized requirements; identification, documentation and prioritization of risks; and assessing controls with supporting processes and procedures, as well as test activities. Implementing these workflow processes to manage risk and controls is of the most importance, as it allows for a business to monitor and report while continuously improving.

Effectively translating strategy into action is the cornerstone of business transformation, and using a BPM system assists in creating positive behaviors and mitigating threats businesses will encounter as they embark on their journey to GDPR compliance through process management.

Mark Holenstein is the chief operating officer at Signavio, a web-based process and decision management company.