
“Digitization turbo” – this is what medium-sized and large companies call robotic process automation (RPA), according to the IDG study “Robotic Process Automation 2020”. RPA therefore has the potential to make everyday work in many companies more efficient and to change it sustainably. But with the promise of efficiency, the potential for conflict also increases: employee rights, data protection and copyrights can be affected if a company wants to introduce RPA.
With the help of RPA, company processes can be designed and implemented more efficiently. Before a company uses RPA, the existing processes must first be recorded and analyzed. Digital images (so-called digital twins) of the processes are generated on a regular basis. This is known as “process mining”. The analysis of these processes provides information about which process steps can be automated and thus implemented more efficiently. The companies surveyed in the IDG study rate incomplete or missing documentation of their own processes as one of the greatest challenges when introducing RPA and process mining. Without such documentation, RPA cannot be implemented meaningfully.

Repeatable, uniform tasks, in particular, can be performed by software robots (so-called bots). The bot executes a previously defined process workflow. This means that a sequence of process steps can be carried out automatically without a person having to be involved. Examples include automatically recording and filing invoices, answering customer inquiries using chatbots, processing orders automatically, or transferring data from one system to another without an interface. RPA can also be used to support a company in complying with laws and guidelines and ensuring compliance. One example is know-your-customer processes in the context of money laundering prevention.
If a company wants to introduce RPA, in addition to the many advantages, legal requirements and risks must also be assessed. The following points in particular should be taken into account.
In addition to RPA, process mining improves and optimizes corporate processes. This is confirmed by the IDG study. 84 percent of the companies already use process mining. With the help of process mining, business processes are systematically recorded, analyzed and evaluated. On this basis, the company can evaluate, correct, optimize or create its processes. According to the study, this affects not only the processes in the IT department, but also those of management, the finance department and production.
Labor law problems arise if it can be demonstrated by process mining that individual employees do not comply with the defined process flows or – compared to the rest of the employees – decrease in their work performance. If a tool is introduced that enables such behavioral control, the works council has a right of co-determination. This right of co-determination already exists if the technical facility to be introduced offers the possibility to monitor the behavior of the employees. It is irrelevant whether the company wants to use the technical equipment for this purpose – the only thing that matters is that it is possible to control the employees.
- Roman Schäfer, Blue Reply: The word “transition technology” sounds bad. Somehow everything is a transition technology. After SAP R3 comes S4 HANA, after Windows 7 comes Windows 10, because nobody speaks of transition technologies. I therefore prefer to speak of release cycles.
- Andreas Zehent, Deloitte: Comprehensive technology competence is still lacking in most companies, because too little emphasis is placed on it when hiring in specialist departments. In many departments of many companies, outside of IT, you can count the people who have at least the necessary basic knowledge on the fingers of one hand.
- Dr. Rami-Habib Eid-Sabbagh, Lana Labs: The nice thing about RPA is that the technologies are easy to use today. This advantage lowers the inhibition threshold for modernization, and opens new doors – with machine learning and process mining, smart bots can be built automatically in the future.
- Jan Wunschick, Lufthansa Industry Solutions: Many companies make the same mistake again and again to implement a lot of rigid processes, especially in the area of IT security. The effort to rebuild the legacy architecture increases exponentially in this way. Platform approaches are particularly exciting here because they significantly reduce the effort and offer many savings options.
- Alexander Steiner, meta:proc: An RPA promises quick added value, especially when looking for cheap and quickly implemented solutions. But actually it is only a transition technology, to the point where an interface technology fits better.
- Timo Nolle, PAFnow: AI and machine learning can significantly advance process mining. For example, the automatic detection of anomalies in business processes is an interesting scenario. This approach goes beyond the current possibilities of RPA, since it no longer only creates process pictures, but learnings can be drawn automatically.
- Jörg Richter, Pegasystems: Customers often come with big ambitions. But after implementing a technology, it often happens that operations stop and the solution becomes unproductive. Ultimately, RPA is a solution that is used to manage legacy. You should definitely avoid the overgrowth of bots: We therefore advise our customers to answer the question for themselves how the ideal solution should look for them in the end and then act accordingly.
- Julian Beckers, Weissenberg Business Consulting: For me, a successful RPA is when we can present a functioning, understandable and portionable solution that works for itself. At the CIO level, everything must always be integrated into large overall solutions and flow into them smoothly. However, the reality is often different. Of course, we are subject to many technological restrictions in everyday life and have to work with what we have.
The IDG study also shows that the works council occasionally resists when a company introduces RPA. Of course, this goes hand in hand with the fear of the works council that employees will be cut if company processes are optimized and automated.
In addition to the co-determination rights of the works council, data protection regulations must also be observed if information is collected with the aid of process mining. The data protection requirements can be avoided if the information is collected anonymously and – even retrospectively – can no longer be assigned to a specific employee, e.g. because the information always relates to groups of employees. Of course, whether and to what extent this is possible depends on the business processes that are being analyzed and the goals that are being pursued.
If there is damage caused by RPA, for example because data has been assigned incorrectly or customer questions have been answered incorrectly, the question arises as to who has to compensate for this damage. As a rule, the acting company will first have to pay the damage, since it has a direct legal relationship with the injured party. The company can, however, take recourse if the damage was not caused by its own fault. Whether and to what extent a recourse is possible depends on how the underlying contract for the RPA software is structured. In this respect, there are three contractual constellations in particular:
- Standalone purchase of RPA software: The company acquires the software, implements and configures it itself.
- Purchase of the RPA software and implementation by a service provider: Here the company defines the requirements and the service provider implements them.
- RPA outsourcing: The entire RPA process is outsourced to an external IT service provider who operates the RPA software itself and integrates it into the company’s processes.
If damage is now caused by using the RPA software, it must first be clarified who caused the damage. This depends on the contract constellation. In practice, however, it is crucial that the victim not only claims the cause of the damage, but can also prove it. In principle, the claimant must prove that the damage was caused by a breach of duty by the defendant. To make this possible, the RPA must ensure that the individual, automated process steps, tasks and actions are documented in detail and can therefore be checked. The log files should provide information on whether errors have occurred or attempts have been made to manipulate the automated process from outside. The automated processes must also be secured by a role and authorization concept so that only people who are authorized to do so can make changes. At the same time, it should be logged when which person made which changes.
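The logging and authorization requirements above can be made concrete with a tamper-evident audit trail. The following is an added example, not code from the article or from any RPA product: each entry carries an HMAC chained to the previous entry, and workflow changes are gated by role and logged whether they succeed or not. The role name, bot name, key and log entries are constructed assumptions.

```python
import hashlib, hmac, json

CHANGE_ROLES = {"rpa_admin"}  # hypothetical role allowed to alter workflows

class AuditLog:
    """Append-only log; each entry's MAC also covers the previous MAC."""
    def __init__(self, key: bytes):
        self._key = key  # assumption: key is held outside the bot host
        self.entries = []

    def _mac(self, body: dict, prev: str) -> str:
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, ts, actor, action, detail):
        prev = self.entries[-1]["mac"] if self.entries else "0" * 64
        body = {"ts": ts, "actor": actor, "action": action, "detail": detail}
        self.entries.append({**body, "mac": self._mac(body, prev)})

    def first_bad_entry(self):
        """Index of the first entry that fails verification, or None."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in ("ts", "actor", "action", "detail")}
            if not hmac.compare_digest(e["mac"], self._mac(body, prev)):
                return i
            prev = e["mac"]
        return None

def change_workflow(log, ts, user, role, change):
    """Permit a change only for authorized roles; log both outcomes."""
    allowed = role in CHANGE_ROLES
    action = "workflow_change" if allowed else "change_denied"
    log.append(ts, user, action, change)
    return allowed

def demo():
    log = AuditLog(key=b"constructed-demo-key")
    # Constructed sample events: two bot steps and one unauthorized change.
    log.append("2020-05-04T09:00:00Z", "bot-invoice-01", "step", "read invoice")
    log.append("2020-05-04T09:00:02Z", "bot-invoice-01", "step_error",
               "IBAN check failed")
    allowed = change_workflow(log, "2020-05-04T09:05:00Z", "a.clerk",
                              "clerk", "skip IBAN check")
    before = log.first_bad_entry()
    # Simulate an after-the-fact edit that hides the recorded error.
    log.entries[1].update(action="step", detail="IBAN check passed")
    return allowed, before, log.first_bad_entry()
```

The chain detects edits and reordering but not deletion of the newest entries, so the latest MAC should be copied regularly to a system the bot operator cannot write to.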
Regardless of reasonable security precautions, the processes automated by RPA should be monitored and controlled by trained personnel. Even if IDG’s internal employees tend to reject RPA, qualified employees are needed to be able to use this technology in the company.
With RPA, interfaces can be replaced and data can be exchanged automatically between two systems. It is also possible to automatically trigger certain actions in software. Because the RPA tool and the software are two different computer programs, the question arises whether a license is required for these automated processes. In this constellation, the use of RPA shows parallels to the so-called “indirect software use”. If the task that is replaced by the RPA Tool was previously carried out by a person, this person usually needed a license to be able to use the software. If humans are replaced by a bot, the question arises whether the bot also needs a license. At least the software provider will affirm this. Otherwise, his business model will be seriously questioned. This becomes clear when you imagine that the bot replaces not just one person – and therefore a license – but a large number of people – and thus a large number of licenses. Many software providers therefore prohibit this so-called pooling or multiplexing in their license terms. On the other hand, the company that uses RPA wants to save costs. Additional licensing costs or even a legal dispute with the software provider pose a risk to the company and the success of the RPA strategy.
It is currently not clear whether and under what conditions an indirect use of software requires an additional right of use. The legal discussion is complex. The legal assessment depends, among other things, on how the computer programs used interact with each other in technical terms. There are no court rulings in Germany that indicate a tendency. Against this background, the company concerned should investigate whether the software used and the underlying license model carry any risk that a discussion about indirect use must be held. If, for example, the licensor has expressly stipulated whether and how indirect use is possible, RPA can be introduced provided these requirements are met and implemented. If in doubt, a legal check should be carried out to determine whether there may be a problem here.
Data protection law must be observed if personal data is processed by process mining and RPA. The rule here is that the data protection requirements can generally be implemented and do not stand in the way of RPA. Problems can arise if, as described above, employee behavior is monitored or particularly sensitive personal data, e.g. health data, is processed. If service providers are involved in the process, an order processing contract must usually be concluded here.
However, data protection law problems can arise if process automation makes decisions that have a direct impact on a person, e.g. through a chatbot. According to Art. 22 GDPR, a data subject has the right not to be subjected to a decision based solely on automated processing, which has a legal effect on him or similarly significantly affects him. This prohibition of automated decision-making can stand in the way of automating a process. According to this, systems that automatically reject contracts if certain parameters are not met are prohibited. However, this ban is not as strict as it appears at first glance. The law allows various ways in which such a process could nevertheless be designed.
By using RPA – also in connection with process mining – there is great process optimization potential for companies. According to the IDG study, this potential has also been recognized by most companies. Large and medium-sized as well as small companies expect RPA to become an important technology by 2025. The advantages listed can not only lead to redundant tasks being carried out reliably and quickly to relieve employees, but also to ensure that legal requirements are reliably met. To ensure this, the relevant legal requirements must be recognized in advance and integrated into the process workflow. With a view to the future, it remains to be seen how RPA develops under a possible AI implementation and the associated legal requirements. (bw)