Privacy decisions to consider with process mining
To make sure that any new process does not conflict with personal data policies and does comply with requirements, there are a few points to consider:
- Access to raw data: as the first step, carefully consider the overall data extraction process, whether it is from the company’s IT system or data warehouse. The process mining implementation team needs to have access to this corporate data, so they can focus on extracting what’s most important for analysis. As a result, it’s important for the company to choose the data it will grant access to for further analysis, a step that also helps accelerate and simplify the overall implementation.
- Choose the right strategy: filter, pseudonymize, or anonymize data. After that, the process mining team needs to work on the translation of the raw data. They can convert this information into comprehensive terms and develop a format suitable for process mining. Ultimately, the data then gets transformed into dashboards that the team will use to decide what features to focus on.
At this point, there are three choices to managing personal information: filter, anonymize, or pseudonymize.
- Filter: sometimes the company needs to track information that is not needed for specific process analysis. In this case, the team would simply recommend removing it. If the data is sensitive and does not influence the business analysis outcome, users can delete it, especially since the focus should be on valid and relevant data.
- Pseudonymization: this is the most common way of handling sensitive data. Simply put, it’s a way of encrypting the information so that users can’t correlate it to real data–specific names, addresses, or other PII data.
In this case, the team can choose to replace any PII data with pseudonym information wherever possible. For example, if the company doesn’t want analysts to see the names of employees that perform process-related tasks. In this case, the team can replace these names with numbers. Only select users would be able to access the table of “translations” to identify the actual names.
- Anonymization: this is nearly identical to the pseudonymization procedure where the team chose to replace PII data with unique pseudonym. But this time, there is not translation table. Thus, the original data is secure since re-anonymization impossible. But this time, there is no translation table. In this way, unauthorized users can’t identify individuals’ confidential information using the available data.
One consideration: anonymized data can complicate process analysis, especially if the company over-secures the data to the point that the end insights are not useful anymore.
Access to finalized data
When the data is ready and considered “final,” it is important to consider how the data will be accessed in the new context. The process mining team should define business users who will have access to dashboards, process graphs, reports, and other information.
The right process mining tools, such as UiPath Process Mining, deliver valuable self-service tools that give access to IT teams while still giving the ownership and control to business users. Both groups can work independently to a common goal: gaining new insights into existing processes.
Interested in learning more about process mining? Watch our video on UiPath Process Mining or download our white paper, Accelerating RPA with End-to-End Process Understanding and Monitoring today.