EU's new General Data Protection Regulation & Policy Automation

What is GDPR?

The regulation

The European Commission has introduced the General Data Protection Regulation (GDPR) which will be implemented on 25th May, 2018.

The regulation has mainly been implemented in order to:

  • ​Force companies to be clearer on their data collection and usage of personal information
  • ​Improve data protection and prevent data infringement
  • ​Establish improved control and reactivity to prevent data leakage

GDPR not only affects companies which deal with sensitive data, such as the health and finance sectors, but all companies which deal with personal information, being the majority of companies today. Although GDPR is a European regulation applying to European companies, it will also apply to other countries that deal with and manage data of European citizens.

Main Principles

The GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date. If inaccurate, rectified without delay or erased
  5. kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the personal data are processed
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
  7. kept in compliance with the GDPR, which must be demonstrable by the company holding the data​


​Consent is a core element of the new data protection law. It is one among several available legal grounds to process personal data. Obtaining an individual's consent in order to process their personal information may seem an easy way to establish a legal basis for processing, however consent is not as straightforward a concept as it may at first appear, particularly when it is not clear what conditions must be met for that person's consent to be effective.

What are the consequences and risks?

  • ​Fines incurred: European companies will be subject to a fine which could be up to 4% of the company’s overall business, or up to 20 million euros.
  • ​Organisations which have been affected will be required to notify customers within 72 hours in the case of non-compliance.

Adhering to the new regulation is important for both the transparency of client data usage, which includes the implementation of a data loss protection (DLP) scheme, as well as the documentation of data processes.

How to ensure and demonstrate compliance

In order to comply with the GDPR, both internal processes and IT systems must be updated to follow the above main principles. Public institutions and larger enterprises will have to engage a Data Protection Officer (DPO) and they will need to demonstrate compliance in terms of a Data Privacy Impact Assessmentwhen introducing new policies and systems.

All in all, this cross-organizational effort, which has to report to the top management requires advanced tools to avoid overloading the organization.

Policy Automation Tool

Oracle Policy Automation (OPA) is an end-to-end industry-leading solution for capturing, managing, and deploying complex legislation and other document-based policies across channels and processes. OPA has the following key areas of capabilities:

  • ​Transform legislation and policy documents into executable and maintainable rules in any language
  • ​Deliver guided interview experiences using modeled natural language policies, for self-service and call center
  • ​Empower policy owners to quickly assess the impact of existing and proposed policy using real business rules and real business data
  • ​Achieve complete consistency across delivery channels using standard web services architecture and pre-packaged integration

This ensures businesses are able to:

  • ​Achieve consistency across multiple channels (web, mobile, contact center and face to face)
  • ​Provide detailed decision reporting to understand how decisions are reached
  • ​Assess impact of policy changes
  • ​Reduce cost through integration with major platforms both legacy and modern systems

Unlike coding, OPA uses ‘natural language modelling’, which means you can use normal natural local language to write rules in either Microsoft Word or Excel and compile it to generate the rulebase. By automating your policy you can ensure consistency, increase organizational agility and enable transparency. This tool not only do the decision making but also generate a decision report document in the end which explains how the system arrived in this particular decision from the entered data. This will help you backtrack your information and explain the reason for the decision.

Some areas where OPA could be used are:

  • Web Shops / Self Service Portals – Ensure proper collection of the user’s consent, retraction of the concent and handling of requests to be forgotten
  • Social Services – Eligibility Determination, Benefit Calculations, Risk Assessment
  • Tax – Eligibility for Tax Credit, interactive tax guidance and Assessment
  • Registration, Licensing Permits & Inspections – Citizen self service advice to determine what licenses to apply for and complex eligibility rules
  • Human Resources – Eligibility calculations for compensation, pension, leave and allowances
  • Grants – Guidance on which grants may be applicable to the applicant’s circumstances and calculating grant amounts.​​

Måløv Byvej 229     |     2760 Måløv    |      Denmark      |      © SolutionSpace 2015​