GDPR and data protection in RPA projects
When it comes to robotic process automation, the hottest topics are the potential threat to the job market and the issue of data protection in the context of RPA projects.
We have discussed the first issue on several occasions, including in the article “Robot as a threat or opportunity for job market?” and during lectures at the Robotics University. So this time we want to focus on the second issue, particularly because robotic process automation is the perfect answer to the problems with data protection in the broad sense of the term.
Why is data protection in RPA projects of such great importance?
First of all, the threats are real and have been mentioned a number of times. According to ZFODO’s report “Incydenty Ochrony Danych Osobowych 2021”, the sectors that are particularly at risk of data protection breaches include:
The report, which was conducted among nearly 400 companies, found that nearly 70% of data breach incidents were not reported to the Data Protection Regulator. The most common type of data breach was the disclosure of personal data to an unauthorised recipient.
The number and severity of incidents are growing fast. In addition to unquestionable benefits to companies, digital transformation also has its darker side related to the large amounts of data that need to be protected.
GDPR as a universal guide
In the European Union, the best reference point in this respect is the so-called GDPR, officially known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC.
Although the GDPR only applies within the EU, it is generally recognised as an excellent example of good practices related to the processing and protection of personal data.
Principles of and rights under the GDPR
The GDPR assumes a number of fundamental principles, including:
- Lawfulness – personal data processing must be carried out in accordance with the law, respecting the rules established by the legislator in normative acts.
- Fairness and transparency – the data controller is obliged to provide clear and precise information in all matters concerning the data subjects.
- Purpose limitation – the purpose for which personal data is collected must be clearly specified, explicit and legally justified.
- Adequacy – personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
- Accuracy – personal data processed must be accurate and updated if necessary.
- Storage limitation – the data controller is obliged to limit the processing of personal data in time.
- Integrity, confidentiality and accountability – personal data must be processed in a manner that ensures its adequate protection.
GDPR principles and data protection in RPA projects
The principle of lawfulness is very general in nature. In a word – our robots should process data in accordance with the law. It is very difficult to provide any particularly practical guidance in this regard. It is certainly worth making sure that any agreements and contracts for the supply and maintenance of robots include provisions on data processing. It should be explicitly stated how the data will be used. We should indicate who will have the right to process data and on what terms. Often, such documents also specify the division of responsibility for the data between the parties involved.
Fairness and transparency
The principle of fairness and transparency imposed on the data controller is quite intuitive. We need to know where and for what purpose we collect and process data. Usually, such information should be part of the information system documentation or process descriptions. Each organisation has its own personnel responsible for individual processes, who are known as process owners, and who have detailed information about the particular tasks. In practice, however, it often happens that such documentation does not exist or is incomplete. This is where robots may come into play. Popular platforms offer tools that can generate a process flowchart right on the spot to ensure the optimal process documentation, which is efficient and up-to-date.
Purpose limitation and adequacy
The principles of purpose limitation and adequacy do not usually apply to robots. The purpose for which we collect data is independent of specific IT solutions. However, in some cases robots may create additional data sets that are necessary for the correct execution of the process. In such cases the principles of purpose limitation and adequacy apply and it has to be clear why such data sets are created and processed.
The principle of accuracy is particularly important in the context of robotic solutions. First of all, errors in data, in particular in personal data, often occur due to human error. The use of robots virtually eliminates this problem, increasing data quality. In addition, robots are ideal for carrying out such monotonous tasks as data monitoring and validation processes. For human teams, it is virtually impossible to verify the correctness and consistency of data on a large scale. In turn, robots can effortlessly review selected sections or even entire databases for discrepancies and even automatically verify them on an ongoing basis.
The storage principle does not directly apply to robots, as data is usually stored in application databases. However, it may happen that robots store personal data in their internal registers or system logs for the purpose of performing certain processes. In such a case, the data should be deleted as soon as it is no longer necessary for those processes. In general, such data storage, unless absolutely necessary, should be avoided altogether.
Integrity, confidentiality and accountability
While all the principles discussed so far have mainly concerned procedural issues, the principle of integrity, confidentiality and accountability has the greatest practical implications for robotic process automation. In the case of RPA projects, data protection is an issue that is relevant to the ongoing functioning of the systems. For this reason, we have to keep it in mind at all times and monitor any failures, errors or attempted attacks in real time. As with the principle of accuracy, also in this case robots can greatly contribute to increasing data security and quality. On the one hand, they eliminate human errors that could compromise data integrity. On the other hand, by limiting access to the data, they significantly increase its confidentiality. If routine tasks of updating and synchronising data are entrusted to robots, the risk of possible misuse of such data will be considerably minimised. In addition, in the case of robots, every single access to data can be traced back. At the robot design level, we can impose even the most restrictive data access reporting principles. In case of any doubt, we can precisely establish under what circumstances, when, for how long and for what purpose the robot used the data.
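One way to build the access reporting described above, combined with the earlier point that robot logs should not hold personal data longer than needed. This is an added example, not code from the original article or from any RPA platform; `AccessAudit`, `ALLOWED_PURPOSES`, `PSEUDONYM_KEY` and the purpose names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from contextlib import contextmanager

# Assumptions for this example: the key would come from a secrets store,
# and the purpose register would mirror the organisation's processing records.
PSEUDONYM_KEY = b"constructed-demo-key"
ALLOWED_PURPOSES = {"address-sync", "erasure-request"}


def pseudonymise(subject_id):
    """Keyed hash: records stay correlatable without holding the identifier."""
    mac = hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


class AccessAudit:
    def __init__(self, robot_id, clock=time.time):
        self.robot_id, self.clock, self.records = robot_id, clock, []

    @contextmanager
    def access(self, subject_id, fields, purpose):
        """Wrap one data access; a record is written whatever the outcome."""
        started, outcome = self.clock(), "denied"
        try:
            if purpose not in ALLOWED_PURPOSES:
                raise PermissionError(f"purpose not registered: {purpose}")
            outcome = "error"      # stays "error" if the wrapped step raises
            yield
            outcome = "ok"
        finally:
            self.records.append({
                "robot": self.robot_id,
                "subject": pseudonymise(subject_id),
                "fields": sorted(fields),   # field names only, never values
                "purpose": purpose,
                "started": started,
                "duration_s": round(self.clock() - started, 3),
                "outcome": outcome,
            })

    def purge_older_than(self, max_age_s):
        """Storage limitation: drop expired records, return how many went."""
        cutoff = self.clock() - max_age_s
        kept = [r for r in self.records if r["started"] >= cutoff]
        removed, self.records = len(self.records) - len(kept), kept
        return removed
```

A robot step would run inside `with audit.access(subject, fields, purpose):`, so the when, how long and why of each access is recorded while the log itself contains no identifiers or field values.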
How do robots (RPA) protect our rights?
In addition to the principles described above, GDPR also sets out the rights that data subjects may use in relation to their data. It is worth mentioning all of them, even though most of them do not apply to robots directly. The above-mentioned rights include:
- The right to be informed in detail about the processing of personal data
- The right to rectification and supplementation of personal data
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to data processing
- The right to manage the consent to data processing
- The right to be informed of personal data breaches
- The right to contact the Data Protection Officer
From the perspective of RPA, the most important is the right to object to data processing. It includes the complete prohibition of automated decision-making with significant legal effects. In practice, this means that we must have the explicit consent of customers for the use of robots that will take over decision-making processes, excluding the possibility of human intervention. This is not a common case, but it is worth bearing in mind. Usually, in such a situation, in order to avoid violating the customer’s rights, robots only perform certain initial processes, but ultimately all decisions are made by humans.
When it comes to ensuring the protection of the remaining rights of data subjects, robots can be of great help to us. For example, the processes of data rectification and supplementation are usually repetitive and have to be accurate. It is hard to imagine a better task for robots. Exercising data subjects’ right to erasure may require searching large data sets to replace or anonymise them. Likewise, exercising data subjects’ right to data portability may be quite painstaking for humans. Robots, in turn, can efficiently prepare a complete summary of all data on request.
Robots are very effective in protecting data from leakage or misuse. They make it possible to completely eliminate the risk of human error in terms of access to data or its disclosure to unauthorised persons. When using robots, there is no risk of entering data in the wrong places or retrieving it from unauthorised sources. There is always a possibility of errors in the robot’s code, but these are largely eliminated during the testing process. If the best engineering practices are observed, the risk of such errors is much smaller compared to human mistakes.
By implementing robotic solutions, we have a full insight into all activities related to data processing and, in most cases, we can also take advantage of full automatic data monitoring. This significantly minimises operational risks, not only in the context of regulatory aspects, such as the GDPR, but, above all, it enables effective data protection from unauthorised access and use.
Robots are important allies of every Data Protection Officer.