Faced with concerns of clogging administrative capacity with data protection requests made under the GDPR, Danish bank Nordea turned to Robotics Process Automation (RPA) technology that allows the configuration of computer software or a “robot” to process requests. Nordea claims the use of RPA has slashed the time required to process customer data subject requests such as access requests made pursuant to Article 15 of the GDPR down from three hours to a matter of minutes.
GDPR has seen customers exercising their new rights to access personal data, leaving banks with a significant burden. Robotic’s Centre of Excellence’s senior execution lead, Hampus Gerlach, says because GDPR is based on a clear set of rules and steps it is ideal for RPA, an emerging technology that enables so-called intelligent automation. In a matter of weeks, process descriptions were created and relevant IT applications were mapped before robots were configured to handle GDPR processes.
Such a decrease in processing time will be very tempting for organisations, particularly given the strict time periods in place to comply with data protection requests under the GDPR. For organisations considering adopting such software it may be beneficial to undertake a Data Protection Impact Assessment to decipher possible risks and identify what mitigants are in place to avoid these. It will also be important for regulatory bodies to bear in mind any relevant restrictions they may face in relation to outsourcing requirements.
Organisations introducing such technology should be cognisant of Article 22 of the GDPR where there is a general prohibition on automated processing which produces legal or otherwise significant effects on the data subject. Ensuring that decisions are reviewed by a member of staff prior to a final determination being made will assist in ensuring no contravention of Article 22 occurs.