Privacy Concerns in an RPA Implementation Program.
The biggest concerns we (as RPA solution implementors) have faced when interacting with clients and customers were:
1. Regulatory and Compliance issues.
2. InfoSec and Security issues.
3. Audit Issues.
Regulatory and Compliance Issues: There is a huge penalty from the regulatory authority (be it in banking, telecom or insurance) if the wrong data gets updated and emails are sent out to customers.
InfoSec and Security Issues: Who is going to own these BOTs? BOT accounts are like AD user IDs or service accounts, and if the BOTs are coded but not tested enough, the untested rogue code could simply create an issue.
Audit Issues: Tracing the steps of a BOT's execution when a concern is raised, and rectifying the issues in the process execution.
Automation ROI: During the Business Case development and approvals, there is a clear ROI calculated in terms of Costs, Benefits, etc.
CAPEX: Number of BOTs used, development cost, fixed costs (hardware, software, licensing), etc.
OPEX: Variable costs in terms of recurring support costs, licensing support costs, development/support costs in operations, etc.
But during actual development, what came out was that the number of BOTs increased and the cost increased as well, in terms of both CAPEX and OPEX. The concern from the business is that the Business Case and the actual costing differ.
We can list the issues faced in order of criticality: regulatory and InfoSec/Security issues at the top, and audit issues next.
Second last, staying true to the Business Case and ROI is the next most important one.
Lastly come the Critical Success Factors, metrics and measurement of the RPA project, so that the stakeholders and the business understand the success of the RPA Program.
Listing the various privacy and regulatory laws that any RPA implementation needs to be aware of.
It would be good to list out the various regulatory compliance items.
For every industry/domain/vertical, the following are the ones to consider when dealing with data:
1. GDPR, CCPA - Data related to employees, customers, vendors, suppliers, etc. is to be captured, stored and protected from unauthorized use other than what it is intended for.
2. Financial regulatory compliance - AML, card payment protection (PCI DSS), data privacy, deposit protection, lending laws, fraud prevention, etc.
3. Insurance - Fair trade practices, financial solvency of insurance providers, etc., along with data privacy.
4. Telecom - Various FCC rules related to the filing of various reports.
5. Health - HIPAA - Capturing and storing health-related data in a secure way.
6. SOX - The law primarily focuses on regulating accounting and transparency in the processes of companies.
7. NIST - A framework (e.g. the NIST Cybersecurity Framework) for keeping data and systems secure.
8. FedRAMP - A US federal program designed to keep the cloud services and data that federal agencies use secure.
9. Tax - Fair accounting and tax practices.
It is certain that, be it a BOT executing the processes or a human, all data capture, storage, processing, distribution, retrieval, removal and backup needs to be done in a secure way and as per the regulatory laws.
All activities on the captured data across the lifecycle listed here (data capture -> data storage -> data retrieval -> data processing/cleansing/updating -> data backup -> data distribution -> data removal) need to be logged, with each change to the data recorded along with which application made it, when, and what part of the data was worked on, so that it can be reported when requested or audited.
Appropriate consent from the client, customer, supplier or vendor needs to be taken and stored for future reference, with respect to what kind of processing will be done on the data and what part of the data will be used, processed and distributed.
There are serious implications in terms of penalties levied if regulatory laws are not complied with, depending on the industry and regulatory body.
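As an added example (not code from the original article), the following Python sketch records, for each lifecycle stage above, which BOT account and application worked on which fields of a record and when, and chains the entries so that an edited or dropped entry shows up at audit time; the class name, account names and application names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Lifecycle stages in the order the article lists them.
STAGES = ["capture", "storage", "retrieval", "processing", "backup", "distribution", "removal"]

class BotAuditTrail:
    """Append-only audit log for BOT actions (hypothetical helper, not a product API).
    Each entry names the BOT account, application, lifecycle stage, record and fields
    touched, and carries the hash of the previous entry (a simple hash chain)."""

    def __init__(self):
        self.entries = []

    def log(self, bot_account, application, stage, record_id, fields, ts=None):
        if stage not in STAGES:
            raise ValueError(f"unknown lifecycle stage: {stage}")
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "bot_account": bot_account,  # the AD/service account the BOT runs as
            "application": application,
            "stage": stage,
            "record_id": record_id,
            "fields": sorted(fields),    # which part of the data was worked on, not its values
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self):
        """True if the chain is intact: no entry edited, inserted or removed."""
        prev = "0" * 64
        for e in self.entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def report(self, record_id):
        """Every touch of one record in order: what an auditor or regulator asks for."""
        return [(e["ts"], e["bot_account"], e["application"], e["stage"], e["fields"])
                for e in self.entries if e["record_id"] == record_id]
```

In production the entries would be written to append-only storage outside the BOT's own account so the BOT cannot rewrite its own history; the chain only makes tampering detectable, it does not prevent it.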
Thanks.