1. Options
There is a sea of RPA software to choose from; the two most commonly used are Power Automate and UiPath. I will not describe each one here, as I only have experience with Power Automate and its predecessor from Softomotive, ProcessRobot. Depending on the choice of software, there are also hardware requirements that must be met. These are not reviewed here, as they can vary greatly depending on the choice. It may be advantageous to use virtual machines for this purpose.
Name | Note | Link |
Power Automate | Advantage if you already have O365, as you get lots of functionality with this | https://www.microsoft.com/en-us/power-platform/products/power-automate https://powerautomate.microsoft.com/en-us/pricing/ https://powerautomate.microsoft.com/en-us/pricing/?#add-on-plans |
UiPath | | https://www.uipath.com/ https://www.uipath.com/pricing |
Blue Prism | | https://www.blueprism.com/ |
Gartner | A more complete list of what RPA software exists | https://www.gartner.com/reviews/market/robotic-process-automation |
2. GDPR considerations
Name | Note | Link |
FISA 702 | US legislation on surveillance of non-US citizens | https://www.intel.gov/foreign-intelligence-surveillance-act/1237-fisa-section-702 |
European Data Protection Board (EDPB) | EDPB recommendations on compliance with the EU level of personal data protection. Specifically regarding international transfers of data, see the Transfer Impact Assessment (TIA) section. Relevant in relation to data processor and sub-processor agreements. | https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en https://www.edps.europa.eu/data-protection/data-protection/reference-library/international-transfers_en |
Microsoft Cloud Governance Whitepaper | Microsoft’s own reference to how they process data stored on their cloud servers | https://info.microsoft.com/WE-AzureINFRA-CNTNT-FY20-05May-07-CloudGovernance-SRGCM3458_01Registration-ForminBody.html |
Power Automate Desktop (PAD) | See section 1. GDPR Compliance | Power Automate Desktop – Introduction – RPA Help |
No matter what software you end up choosing, GDPR considerations should be included in the choice. To this end, you can make a risk and impact analysis (possibly a Transfer Impact Assessment, TIA, if data is to be transferred outside the borders of the EU). Please note that a TIA must be made for both the data processor and its possible sub-processors. The way the legislation is interpreted can vary greatly depending on the circumstances. However, you should write down your considerations so that you can document them at a later date if necessary.
If you take Power Automate as a starting point, for example, this is a cloud solution through Microsoft. This means that data is in the cloud, which requires consideration in relation to EU legislation, including the GDPR. Microsoft is also an American company, and is therefore subject to American legislation. The problematic legislation here is FISA 702, which can make it possible for the American intelligence service to obtain personal data if there is a court order.
All three of the following requirements must be met before a court order can be requested:
- An email, name, address or CPR number is identified.
  - So data on all citizens in our municipality cannot just be handed over. It will be virtually impossible to know which data belongs to which person, since the data is handled by a robot. To identify which data belongs to a specific citizen, you must also have the functionality from the robot. Part of the control mechanism in the robot may be in a database held locally in our municipality, or in a spreadsheet, that the American authorities will not be able to access.
- The person must not be a US citizen.
- It must be probable that the person has knowledge of terrorism or profiling of new weapons.
From here, look at the EDPB’s recommendations (see link above). If the legislation is problematic but the practice is OK, you can transfer your data without additional security measures. Point 43.3 states:
“…Alternatively, you may decide to proceed with the transfer without being required to implement supplementary measures, if you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer…”
In Microsoft’s own Cloud Governance Whitepaper, you can read more about how they themselves view the risk. In particular, pages 13 and 67-70 are interesting, as they describe it in more detail:
“Microsoft has a principled and rigorous approach to handling public access requests for customer data held by Microsoft. The key policies we adhere to across our services, are:
- Microsoft does not give any government direct and unfettered access to our customers’ data, and we do not give any government our encryption keys or the ability to break our encryption.
- If a government wants customer data, it must follow applicable legal process. It must serve us with a warrant or court order for content, or a subpoena for subscriber information or other non-content data.
- All requests must be targeted to specific accounts and identities.
- Microsoft’s legal team reviews all requests to ensure they are valid, rejects those that are not valid, and only provides the bare minimum of data when legally required.”
Regarding requests from authorities, Microsoft states:
“Part of Microsoft’s work with government requests includes publishing “Law Enforcement Request Reports” every six months to ensure transparency into the scope and nature of these incidents. The reports can be found here: https://aka.ms/MSLERR and can be used to help complete the statutory risk assessment.
For use in the required assessment of the risk of authorities seeking access to customer data in connection with the investigation of serious (and often global) crime, it may be relevant to consider the factual figures on the scope from the Microsoft Law Enforcement Request reports available from the link above.
The table below contains the figures from 2020 and a similar period in 2018 for reference and clear indication of the development:
Based on the figures, Microsoft states:
“With the estimated number of enterprise accounts in Microsoft HSCC Online Services, it is clear from the figures above that …
- the likelihood that a given Enterprise customer (private as well as public) is the target of such a request is minimal
- the likelihood that such a request will NOT be rejected or redirected is even smaller, and
- the probability of such a request for data stored outside the country of origin of the request and NOT being rejected or redirected is approximately 1 in relation to the total number of public and commercial customers using MS HSCC Online Services.
Based on these reports, an understanding of the principled process, and Microsoft’s history of protecting customers’ privacy rights, it should be possible to perform a risk assessment that shows the likelihood, and subsequently the overall risk, from 3rd country Law Enforcement Requests to be absolutely minimal to non-existent.”
Based on the above, it is unlikely that Microsoft will access your data before a court order is issued. Furthermore, Microsoft itself states that the likelihood of personal data being disclosed is “absolutely minimal to non-existent”. On this basis, one can conclude that there is no reason to believe that relevant and problematic legislation will in practice be applied to the municipality’s personal data. In other words, the practice is OK, and no other measures need to be taken.
If the practice is not OK, however, you should investigate whether you can use additional security measures that make it possible to continue anyway. If we continue to look at Power Automate, the debug log for Desktop Flow will not comply with GDPR, as there may be sensitive personal data among the variables and screenshots that are logged. You can turn off screenshots on each individual process, and additionally mark variables that contain sensitive personal data as sensitive so that they are not logged in the cloud. These could be argued to be extra measures that keep the data from being logged, so that it cannot be handed over by court order. This will make the process both GDPR-compliant and in line with the recommendations from the EDPB. You can read more about this in the link to the PAD review.
If it is concluded that no measures can be taken, the result is an automatic ban on data transfer.