Since the General Data Protection Regulation (GDPR) came into force on May 25, companies collecting data on citizens in European Union (EU) countries have been scrambling to put systems and processes in place to comply. The GDPR sets a new standard for consumer rights regarding their data and requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The sweeping new directive protects privacy data ranging from basic identity information such as name, address and ID numbers to health, genetic, biometric, racial and ethnic data. While GDPR is not explicitly a global law, it applies equally to any data controller or data processor that handles the personal data of EU citizens, wherever that organization is located. Companies will need to comply with the strict new rules or face heavy fines for data breaches and non-compliance.
A key challenge for many companies is how to review their existing Data Processing Agreements (DPAs) with third parties and identify gaps relative to GDPR compliance obligations. This is necessary because almost every service that companies provide today involves the collection and analysis of personal data, from social media to banks, retailers and governments. A typical Fortune 1000 company maintains on average 20,000 to 40,000 active contracts. Because GDPR addresses many of the ways in which these companies currently collect, store and transfer data, third-party processor agreements need to be reviewed in the context of GDPR compliance obligations.
Companies can manage their GDPR compliance obligations by following well-established best practices in information governance while constantly reviewing their own data collection and storage practices. Yet, in this cognitive computing era, AI-based technologies that automate the tedious contract review process deserve equal consideration.
AI for contract analytics includes machine learning-based document understanding building blocks that extract meaning from documents in much the same way as humans do:
- Recognition technologies such as OCR and ICR that extract, classify and deliver critical data from incoming images, email and document streams and integrate it into corporate information systems;
- Entity Extraction that automatically identifies names, organizations, locations, dates, quantities and monetary values in contracts;
- Natural Language Processing (NLP) that helps organizations infer meaning from agreements in context by analyzing contract clauses and their relationships within and between documents;
- Clustering that categorizes documents based on their similarity and relationships.
Applying these building blocks, organizations can accelerate the GDPR compliance process while at the same time increasing the precision with which gaps between existing company privacy agreements and GDPR compliance requirements can be identified and remedied.
Such machine learning technologies are designed to identify and extract relevant provisions within agreements through a combination of pre-built clause libraries and learn-by-example techniques that continuously improve both the recall and the precision of the review. These technologies can lift specific clauses from agreements, match them against the corresponding GDPR provisions, perform clause comparisons and identify gaps. They also assist in mitigating risk, particularly by identifying appropriate cyber insurance protection and indemnification clauses that apply in the event of a breach. This is a particularly important and potentially consequential requirement for organizations to undertake, given GDPR’s expansive jurisdiction to impose onerous fines and its exercise of corrective powers.
This article is an abridged version of Andrew Pery's article on "GDPR Compliance Obligations: The relationship between Data Controllers and Third-Party Processors," published in AIIM.org. To read the full-length version, please visit: https://info.aiim.org/digital-landfill/gdpr-compliance-obligations-the-relationship-between-data-controllers-and-third-party-processors