Designing automated processes for handling sensitive data: Action design research in a multinational corporation context

No Thumbnail Available
Journal Title
Journal ISSN
Volume Title
School of Business | Master's thesis
Degree programme
Management and International Business (MIB)
Automation is a growing trend in multinational corporations (MNCs) because of the need to cut costs and increase efficiency to keep up with the intensifying global competition. Companies increasingly automate processes through lightweight and heavyweight IT solutions out of which lightweight IT ones are more agile and quicker to deploy even by the business users themselves making them an attractive choice for MNCs. For example, new solutions make the HR function better equipped to deal with their global workers across the MNC. However, when handling sensitive data within these lightweight IT solutions, it is important to carefully design the process in order to maintain informational privacy. Thus, the process design has important implications for decision-making over control. More specifically, whether companies decide to opt for more formal or informal methods-based portfolios emerge as an important topic. However, choices over control for lightweight IT solutions remain largely unexplored in the current research for both information systems (IS) and MNC research. This thesis addresses this gap by asking the research question of how to design automated processes that handle sensitive data. To answer the research question, in this thesis, I conduct an action design research (ADR) based study in a Finnish MNC, where sensitive data is handled in an automated process. The practical challenge for the MNC stems from a recent EU posted workers directive that requires companies make notifications to the host countries when sending workers to perform services abroad. The automated process gathers data from different source systems needed for making the notifications, and then sends this data to the person making the notifications. I conduct four build-intervention-evaluation (BIE) cycles during the ADR study, which shape the final design of the artifact, and the main findings of this study consists of four design principles derived from the cycles. The four design principles are: 1) Access control, 2) Set limitation for the software robot in the process, 3) Limit storage of duplicate data and 4) Record utilization. The artifact brings practical utility to the end users in the form of reduced workload in gathering the information for posted worker notifications and builds a framework for the case company to build future automation projects handling sensitive data. The thesis provides theoretical contributions in the form of viewing what types of control methods could be implemented with a lightweight IT solution that handles sensitive data. It finds that more formal control methods should be used as there is minimal supervision during the use of the automated process. This also allows for more scalability as there is less need for building trust with the users of the automated process. Furthermore, the design principles provide practice utility to the case company as they build best practices or a framework on which future automated processes can be developed on.
Thesis advisor
Hakkarainen, Tuuli
Penttinen, Esko
organizational control, lightweight IT, RPA, automation, privacy, sensitive data
Other note