EU General Data Protection Regulation - no reason to panic!
6 Possible applications for GDPR-compliant processes
The General Data Protection Regulation (GDPR) entered into force on 25 May 2016. Now, two years later, it becomes applicable and replaces the existing Data Protection Directive 95/46/EC. It does not completely change data protection law within the European Union, but it further tightens and standardizes it. In practice, this means considerable effort for everyone who works with personal data.
For companies, this gives rise to new transparency and information obligations, which must already be taken into account when introducing or using new technologies or working methods (privacy by design/by default). You must therefore document exactly which personal data a process stores, who can retrieve it and, if necessary, delete it, and be able to prove that these steps have been taken. Violation of the new requirements can result in severe penalties of up to EUR 20 million or 4 percent of total global annual sales. Compliance is monitored by the EU data protection supervisory authorities and the courts.
Digital tools and technologies based on digital processes and comprehensive workflows can help to reduce manual additional work and costs. At the same time, automation creates traceability and security for everyone involved. We have selected six examples of GDPR-compliant digital processes with JobRouter® to illustrate this added value:
Requested data inspection
Companies are obliged to disclose all stored, used and processed personal data at the request of the customer. With a large number of customers and prospects this can be very time-consuming, tying up valuable resources and damaging the relationship with the customer if processing times are long.
A JobRouter® process compiles this data automatically, also from different sources (systems, databases), and transmits it directly. For example, the process could be initiated fully automatically via a form on the website, which would greatly reduce processing time: the customer would have certainty about their data and the company about its fulfilled information obligation.
Requested data deletion
Furthermore, the customer or interested party can request the deletion of their personal data. The company is obliged to carry this out and to prove that it has been done.
A JobRouter® process makes this easy to realize: it controls these steps automatically and finally sends a confirmation e-mail to the applicant. JobRouter® checks which data is stored in connection with the person, where it is located and how or by whom it was used, just as it does for a requested data inspection. These data/documents can then either be deleted automatically or, alternatively, logged and output by an administrator.
Automated data deletion
Companies are also obliged to delete personal data and documents (e.g. applications) after a certain period of time. This period can vary greatly depending on the circumstances and would mean an immense additional effort if administered manually. Because data in the enterprise is often shared, forwarded, and stored in multiple locations (mailboxes, folders, boxes), it is often unclear where the data and documents actually exist. This makes it extremely difficult to delete data completely in accordance with the Data Protection Regulation.
JobRouter® can be used to handle processes such as application management completely in one platform: it sends files to employees, saves them and deletes them as soon as the legal retention period is reached. It is possible to black out critical content for certain employees or to incorporate further release levels. Thus, all data is always administered in JobRouter®, never leaves the system and can be managed automatically. The company does not have to take care of administration itself, but receives full security and control.
System-wide data deletion
The larger the company (number of employees, branches, divisions, software solutions), the more difficult data control and transparency become. Even with the GDPR, there is still no group privilege. For groups of companies, the transmission of data for internal administrative purposes is recognized as a predominantly legitimate interest (recital 48). In order to centrally monitor, manage or delete this data, companies would either have to invest a lot of time or find a solution that automates these steps.
With JobRouter® as a central platform, automated workflows can be set up that retrieve and delete information from various systems and databases at predefined times. It is possible to differentiate between data quality and the obligation to delete data and thus to gradually thin out the master data until no more personal data remains. For example, it can be very useful to delete the buyer's credit card information or bank details after a successful payment, but to retain purchase information for warranty purposes until the cancellation period has expired. With JobRouter®, this challenge can be met very easily and cost-effectively by means of simple time control and consistent data maintenance within the corresponding systems.
Automation of data provision & updating
A company's increased duty to provide information does not have to be interpreted exclusively negatively: it also opens up new opportunities for customer care and communication, for example by actively informing customers about what data the company has stored and uses or will need in the future. More and more companies are offering portals in which applicants/customers can register and store their profiles. In order to be able to continue to store information after successful interactions or to supply interested parties with news, companies must obtain the consent of the users.
This and similar processes can be implemented very well with JobRouter®. After a predefined time, an automated e-mail or message is sent to the interested party with information on the available data. This can be used to ask whether the customer wishes to continue using the services and, if necessary, to provide further data. Without additional effort, the company can thus create trust through data transparency and open communication and increase customer satisfaction, while not only complying with the provisions of the EU DSGVO, but also taking advantage of them.
Audit trails & documentation
The new regulation extends the previous prior check into a data protection impact assessment and risk analysis whenever the form of data processing "is likely to pose a high risk to the rights and freedoms of natural persons because of the nature, scope, circumstances and purposes of the processing" (Art. 35, DSGVO). It shall contain at least a "systematic description of the planned processing operations and the purposes of the processing, including, where appropriate, the legitimate interests pursued by the controller".
Regular audits and good documentation of all processes: these tasks are simplified for the people responsible for or involved in the process. All JobRouter® processes are documented at all times and contain all information about the planned process flow, process access and all subsequent steps. This means that all processes can be certified without additional effort, which simplifies the audit obligation. Audits can be successfully carried out and completed within a few hours.
GDPR - Short facts
This Regulation lays down "rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data" (Art. 1 para. 1 GDPR) and thus "protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data" (Art. 1 para. 2 GDPR) and the free "movement of personal data" (Art. 1 para. 3 GDPR). These provisions apply equally in all EU member states and thus supersede existing national regulations. Therefore, the GDPR is directed at all those who access, process or store information provided by EU citizens. Furthermore, any data traffic concerning data from the EU may only be stored on servers within the Union.