Everything you need to know about GDPR

This post was first published on my corporate blog

With the help of advanced business analytics and AI, companies are putting the power of data to its best use. But what is this data? It comprises the personal details of citizens of the European Union (EU). It is therefore imperative to act according to a set standard of consumer rights in order to protect that data from being misused.

The standard the EU currently works with, the Data Protection Act, was formed in the year 1998. The world of business intelligence has advanced beyond expectations since then, and in the modern world consumer data can be exploited in unimaginable ways. A more comprehensive regulation that protects consumer data from exploitation in the current world scenario is a must. Hence the formulation of the all-new General Data Protection Regulation (GDPR).

What is GDPR?

In simple words, GDPR, which is slated to come into effect on 25th May 2018, is a regulation designed to protect the personal data of citizens of the European Union from possible misuse by corporations. Non-compliance with the strict regulations of GDPR may result in hefty fines for businesses.

GDPR will supersede the previous Data Protection Act, and with refined and stricter regulations the EU hopes to safeguard customer privacy in the upcoming digital economy.

The provisions of GDPR are consistent across the 28 European Union member states, so businesses have only one standard to meet. Although the guidelines are strict and the standard expected of companies operating in the EU is very high, adhering to GDPR will ensure the smooth running of the business for enterprises.

Not only will GDPR act as a stringent master in controlling customer privacy and data, it will also make the business atmosphere simpler for EU companies. GDPR is expected to offer a simpler legal environment for businesses to operate in by making the law on data security identical throughout the single market.

Who does GDPR affect, and how?

GDPR is aimed at making businesses more accountable for protecting and monitoring customer data. This data includes:

  • Customer identity including IP address, location, RFID tags, and cookies.
  • Genetic and general health data
  • Biometric Data
  • Ethnic/racial data
  • Political belief
  • Sexual preferences

GDPR essentially applies to every company that accesses, stores or processes any kind of personal data of any EU citizen. It does not matter whether the business is present within the EU or not; the company still has to comply with GDPR if it uses EU citizens’ data in any way. For any company with more than 250 employees GDPR is mandatory, but even a company with fewer than 250 employees must comply with GDPR if it uses the data of EU citizens.

The Six principles of GDPR You Must Know About

Emphasizing the aim of driving GDPR compliance, the six principles summarize the main responsibilities of organizations in managing the personal data of consumers. These six principles are:

1. Fair practice, Lawfulness, and Transparency

The first principle of GDPR says that personal data of any kind must be processed fairly, lawfully and transparently. To comply with GDPR, companies must meet the data acquisition and processing criteria laid out in the guidelines.

2. Legitimate Purpose Limitation

The principle clearly states that personal data may be collected for specified, explicit and legitimate purposes only. Although GDPR widens the scope for certain categories, the principle essentially means “do what you say and say what you mean”.

3. Data Minimization

According to Article 5(1)(c) of the regulation, the personal data collected must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. In practice the principle means that nothing more than the bare minimum of required data should be retained for processing.

4. Accuracy of Personal Data

The principle states that the accuracy of data must be maintained. Care must be taken to safeguard personal data from theft and leaks. Also, inaccurate personal data must be rectified without delay.

5. Limitation on Storage of Data

The principle limits the storage of data that is no longer wanted. Data that is no longer required must be securely removed. There are a few exceptions to this principle, such as data collected for scientific purposes or in the public interest.

6. Confidentiality and Integrity

This principle follows from protecting the fundamental right to data security. The integrity and confidentiality of data must always be maintained. Controlling the number of people who can access the data is an effective way of achieving this.

Rights of Data Subjects under GDPR

Data subjects are essentially the people whose data is being captured. Where data subjects want to exercise their rights, processors have to be answerable to them within the scope of those rights. There are 8 fundamental rights of data subjects, listed below:

1. The right to be informed

GDPR asks processors and data collectors to dutifully and clearly inform subjects about how their data is stored and about their rights regarding the data procured.

2. The right of access

Data subjects have the right to know how the data concerning them is being processed.

3. The right to rectification

Where personal data is incorrect or false, it is the responsibility of the data collectors to correct it with immediate effect.

4. The right to erasure

Data subjects have the right to ask to be forgotten, i.e. to have their personal data erased.

5. The right to restrict the processing

There may be circumstances where the data subject cannot have the data erased or forgotten but can restrict its processing to a certain extent. For example, this right can be exercised in defence or legal-claim cases.

6. The right to data portability

Data subjects enjoy the right to transfer their data from one online platform to another.

7. The right to object to processing

As stated in the clauses of GDPR, controllers (data collectors) must process data lawfully and with full transparency. However, where the lawful basis is not absolute, data subjects have the right to object.

8. Rights in relation to automated decision making and profiling

Data subjects can exercise their rights in certain cases with respect to the profiling of their information.

The Obligation of Data Controllers

Under GDPR, as soon as an enterprise gains access to the personal data of consumers, it becomes obligated to use it responsibly and to follow all the principles and guidelines stated in the regulation. For a data processor or controller, the following obligations hold great significance:

  1. Proper implementation of appropriate technical and organizational measures to ensure and demonstrate that the data controller complies with the principles of GDPR. Internal data policies such as audits of processing activities, HR policy reviews and staff training may be included in this.
  2. Maintaining relevant documentation regarding processing activities.
  3. Wherever required, appointing a qualified officer to monitor data protection.
  4. Implementing adequate measures that satisfy the data protection principles at the time the process itself is designed.
  5. Carrying out data protection impact assessments wherever required.
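To show what the principles of data minimisation and storage limitation, the rights of access, portability and erasure, and the obligation to document processing activities look like once they reach code, here is an added example that is not part of the original post and not any real product's implementation. It is a small in-memory personal-data store: the purpose register, its field lists and retention periods, the record layout and the sample subjects are all constructed for illustration, and a real register would be driven by the organization's own legal assessment.

```python
"""Added example (not from the original post): a minimal personal-data store that
enforces purpose limitation and data minimisation on collection, storage limitation
on a retention clock, serves access/portability and erasure requests, and keeps an
audit trail of processing activities. All purposes, fields, retention periods and
sample records below are constructed for illustration."""
import json
from datetime import datetime, timedelta, timezone

# Purpose register (constructed): the fields each purpose may hold and for how long.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "email", "address"}, "retention_days": 90},
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}


class PersonalDataStore:
    def __init__(self):
        self._records = []   # one record per (subject, purpose)
        self.audit_log = []  # documentation of processing activities

    def _log(self, action, subject_id, detail=""):
        self.audit_log.append({"action": action, "subject": subject_id, "detail": detail})

    def collect(self, subject_id, purpose, data, now):
        """Keep only the fields the declared purpose permits (data minimisation);
        refuse purposes that are not registered (purpose limitation)."""
        spec = PURPOSES.get(purpose)
        if spec is None:
            self._log("refused", subject_id, f"unregistered purpose {purpose}")
            raise ValueError(f"purpose {purpose!r} is not registered")
        kept = {k: v for k, v in data.items() if k in spec["fields"]}
        dropped = sorted(set(data) - spec["fields"])
        self._records.append({
            "subject": subject_id, "purpose": purpose, "data": kept,
            "expires": now + timedelta(days=spec["retention_days"]),
        })
        self._log("collect", subject_id, f"{purpose}; dropped={dropped}")
        return kept

    def purge_expired(self, now):
        """Storage limitation: remove records whose retention period has passed."""
        before = len(self._records)
        self._records = [r for r in self._records if r["expires"] > now]
        removed = before - len(self._records)
        if removed:
            self._log("purge", "*", f"{removed} expired record(s)")
        return removed

    def export(self, subject_id):
        """Right of access / portability: everything held about the subject,
        grouped by purpose, as machine-readable JSON."""
        payload = {r["purpose"]: r["data"] for r in self._records if r["subject"] == subject_id}
        self._log("export", subject_id)
        return json.dumps(payload, sort_keys=True)

    def erase(self, subject_id):
        """Right to erasure: drop every record for the subject; only the fact that
        erasure happened stays in the audit trail."""
        before = len(self._records)
        self._records = [r for r in self._records if r["subject"] != subject_id]
        removed = before - len(self._records)
        self._log("erase", subject_id, f"{removed} record(s)")
        return removed


def refuses_unknown_purpose():
    """True if collection under an unregistered purpose is rejected."""
    store = PersonalDataStore()
    try:
        store.collect("s9", "marketing_profile", {"email": "x@example.com"},
                      datetime(2018, 5, 25, tzinfo=timezone.utc))
    except ValueError:
        return store.audit_log[-1]["action"] == "refused"
    return False


def demo():
    """Walk constructed sample data through the lifecycle; returns a summary."""
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = PersonalDataStore()
    kept = store.collect("s1", "newsletter",
                         {"email": "a@example.com", "address": "1 Main St", "dob": "1990-01-01"}, t0)
    store.collect("s1", "order_fulfilment",
                  {"name": "A. Person", "email": "a@example.com", "address": "1 Main St"}, t0)
    store.collect("s2", "newsletter", {"email": "b@example.com"}, t0)
    purged = store.purge_expired(t0 + timedelta(days=100))  # 90-day order record expires
    exported = store.export("s1")                            # only the newsletter data remains
    erased = store.erase("s1")
    return {"kept": kept, "purged": purged, "exported": exported, "erased": erased,
            "remaining": len(store._records),
            "audit_actions": [e["action"] for e in store.audit_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design choice worth noting is that the audit log records actions and counts, never the personal data itself, so the "documentation of processing activities" obligation does not quietly become a second copy of the data that the erasure and retention logic would then have to cover as well.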

RPA PoCs – Are you doing it wrong?

Proof of what exactly?

For any technology adoption, a proof of concept is the usual approach to evaluating the usefulness and effectiveness of the technology. However, RPA is a different animal altogether. The usual proof of concept does not work because it’s not even clear what is being proven.

The unknowns in any RPA roll-out

  • Ease of use of the RPA tool?
  • Does it work with the applications that need to be automated? RPA tools are very finicky, and sometimes even the simplest-looking automation needs are hard to accomplish.
  • What’s the performance and accuracy?
  • Is it enterprise grade? What’s the approach to technology best practices around documentation, version control, peer reviews, testing, release and configuration management, security, auditing, etc.?
  • Will it work in the environment it needs to be deployed in?
  • Will it scale?
  • Will it fit seamlessly into the company’s processes (release, change management, deployment, support)? What changes are needed to those processes?
  • Are the company’s processes standardized enough to start the RPA journey?
  • How will the employees feel about automation of their tasks?

Of all these questions, a typical RPA PoC only answers the first, an irrelevant question that usually gets an incorrect answer as well. At the end of these PoCs the bot created is nothing more than demoware, which is quickly forgotten.

A better RPA test

A good test for RPA is to pick a real process which has just enough technological and organizational complexity to provide a good test bed, but not so much that it kills the project before it even gets started.

  • A process involving a complex mix of technology. Don’t go easy here. If the process is a candidate for RPA, then RPA should be able to work with the whole technical stack. It’s better to get a realistic picture of the RPA tool’s limitations now.
  • The process should involve multiple business units, to test the organizational dynamics.
  • The process should have a number of business rules and data quality issues.
  • Take a process that’s performance sensitive (either high volumes or large effort) but not critical. You should be able to take the bot live without much risk.

During the entire development, deployment and production phases, make copious notes of what went right and what did not meet expectations. After at least a month of being live, hold a retrospective on these notes and try to answer the questions laid out in the first part of this article.

When you have all the answers you can decide the outcome of the PoC and the next steps.


Delivering the RPA Hype

Look at any sales or marketing pitch around Robotic Process Automation and you’ll see these statements repeated in some form or other.

  • 50-80% reduction in cost.
  • It’s easy to get started. No special skills needed. Even the process executive can ‘train’ the bot.
  • By extension, this is not coding and doesn’t need formal processes or change management.
  • RPA can automate (almost) any manual process.


TCS’s Santhanam brushes aside the fears of robots taking over jobs, dubbing them an “exaggeration.” It is merely the next level after the past few decades of digitisation.

I agree with him.


RPA – The golden duct tape

At my last company, while optimizing the business processes, I had a ringside view of robotic process automation (RPA) in action. We used to work closely with the RPA team and identify process steps that are good RPA candidates and help build a business case for the automation.

In my current role, I’ve jumped into the ring and am now delivering RPA solutions to our customers. I’ve started this blog to document and share my experiences around robotic process automation.

I’m both excited by the promise of what RPA can do, and let down by the infancy and immaturity of both the vendors and the practitioners. In the upcoming posts, I’ll highlight the key issues and suggest possible solutions to derive the benefits RPA has to offer.

Before I get to the dark underbelly of RPA, let me first present the rosy front.

Robotic Process Automation – The IT duct tape

RPA is like a versatile duct tape that can stick together applications that need to exchange data but have needed a human to do it. Just as duct tape is a temporary fix that can last a long time with proper maintenance, RPA solutions can be tactical solutions that are quick and cheap to implement while the strategic IT initiative takes time or never gets prioritized.

RPA tools aid in the extraction, manipulation, validation and exchange of data. They work with the current IT landscape without needing to change the underlying systems. At the simplest, they mimic a user by controlling the keyboard and mouse. However, most RPA vendors offer many more advanced ways of automating application interaction.

The promise of Robotic Process Automation

RPA tools can deliver great value by automating the long tail of automation needs. This results in the following benefits.


INSORCE Development Platform

INSORCE is built on a combination of technologies that banks consider safe for their data centres, yet cutting edge enough to deliver performance superior to a desktop application.

We are building on the Microsoft stack for two reasons:

  1. Banks find it easy to deploy and manage
  2. Availability of competent professionals

The key parts of INSORCE are:

  • ASP.NET MVC, where the views mostly return JSON results.
  • SQL Server, the old war horse that banks can easily manage.
  • Knockout, the browser side MVVM framework. This is what makes the app’s performance stand out.
  • Lucene.Net for search
  • SignalR for push notifications

Apart from this, it is a mix of: