By Mark Holenstein,
Signavio
The General Data Protection Regulation (“GDPR”) is a popular
topic among businesses around the globe. The regulation was adopted on April 27, 2016,
with a two-year transition period for organizations to bring themselves into compliance. Enforcement,
including the power to fine non-compliant organizations, began on May 25,
2018. In a survey completed by BPTrends,
a firm that tracks process modeling trends, European businesses outscored U.S. businesses on
some measures of GDPR readiness by as much as 500%. The report concluded that European businesses were better
prepared because of their more mature business processes. It should also be
noted that many European and U.S. based businesses are adopting GDPR standards
as good practice regardless of whether the regulation strictly applies to them.
Business Process Management (BPM) is the discipline by which businesses
study, identify, change and monitor their processes, and model them to ensure
that they run smoothly while improving over time. The data from
the BPTrends report shows that no North American organization in 2017 had
spent more than $10 million on business process work or improvements. In
contrast, five European companies had spent between $10 and $50 million, and one
organization had invested over $50 million. Process management can assist both
European and North American companies as they become GDPR
compliant; the stronger emphasis on process in Europe helps explain why those
businesses are much better prepared.
For any organization looking to become GDPR compliant,
processes must change to better protect the organization and to implement new
workflows. New plans must be drawn up, documented and communicated to internal
stakeholders, and those plans in turn create new processes.
Much of the focus around the GDPR has been on data and data
protection rather than on the processes that handle that data, which are equally
important for companies affected by the regulation. Keeping up with
the tracking and reporting required to achieve regulatory compliance can cost
organizations considerable time and resources. Without an efficient system,
an organization could easily fail to maintain compliance or to
meet the deadlines the GDPR imposes, such as responding to a data subject's access request within
one month or recording and honoring a subject's consent and its withdrawal.
For example, these processes include the way an organization
detects and handles a data breach, documents it, notifies the supervisory
authority within 72 hours where the regulation requires it, and secures
its systems to prevent a recurrence. How a business handles consent and data
management in compliance with the GDPR is determined entirely by its internal processes.
Well-functioning process management is essential when it
comes to avoiding monetary penalties, yet many organizations do not regard this as
self-evident. A BPM system gives businesses the tools they need to react rapidly
to regulatory change. Compliance management is thus made easier, and
complex rule sets are replaced by compliant, functioning processes. A
Business Process Management system can flag regulatory violations
and risks in daily processes, ensure employees carry out
critical decisions correctly, incorporate compliance changes into processes and provide
seamless traceability of the resulting processes.
The regulation's reach is broad: any company established in the EU, or that offers
goods or services to, or monitors the behavior of, individuals in the EU (“data subjects”)
must comply, regardless of where the company itself is based. For a company like Coca-Cola that does business internationally,
the processes for collecting, storing and processing personal data must be addressed.
The GDPR allows infringements to be fined
up to 4% of a company's annual worldwide turnover or €20 million, whichever is greater. If
Coca-Cola were found in serious breach of the regulation, it could
potentially be fined roughly $1.4 billion, based on its 2017
revenue of $35.41 billion.
Process optimization not only prepares these companies for the
GDPR but also delivers workflow acceleration and process intelligence, all of which are
critical to implementing the GDPR's requirements successfully within an
organization. The basic operations of a BPM system include defining a framework
based on legal and standardized requirements; identifying, documenting and
prioritizing risks; and assessing controls, their supporting processes and
procedures, and the associated test activities. Implementing these workflows to
manage risks and controls is of the utmost importance, because it allows a
business to monitor and report while continuously improving.
Effectively translating strategy into action is the
cornerstone of business transformation, and a BPM system helps
create positive behaviors and mitigate the threats a business will encounter as
it embarks on its journey to GDPR compliance through process
management.
In his role as COO,
Mark Holenstein is responsible for the Sales, Customer Service and Marketing
departments at Signavio,
a leading provider of Business Process Management solutions.