The deadline for compliance with the European Union General Data Protection Regulation (GDPR) is 25 May 2018. In some cases, businesses face an almost impossible task when it comes to preparing to comply. GDPR tightens up rules that have been in place since the 1995 EU Data Protection Directive. The requirements have become more onerous and there are clearer and harsher penalties for non-compliance: fines of up to 20 million Euros or four per cent of the company's worldwide annual turnover, whichever is higher. Personal data is ubiquitous. It is held in every corporate system, from payroll to email, accounts to social media, and it is referenced in many contracts. A business seeking to comply 100 per cent with every aspect of the data protection principles would likely bankrupt itself in the process.
If someone sends an email from a company system and copies in someone else, they are disclosing personal data (the other recipients' addresses) in a way that GDPR regulates, and in some circumstances that will be a breach. There is the additional challenge of preventing employees from using their personal email addresses for work purposes. Even small businesses tend to store thousands of spreadsheets, many containing personal data, and most organisations share personal data with suppliers and contractors. The task of identifying and categorising all of that personal data, and attempting to protect it contractually, is daunting.
Many businesses have spent the past year or more attempting to tackle the issues ahead of the introduction of GDPR. Some have brought in outside contractors to do a complete compliance assessment. IT security has also come under scrutiny. Corporates have strengthened their firewalls and their encryption – and in some cases, security reviews have uncovered some real howlers and unsafe practices.
Proactive measures to reduce risk
This activity does mitigate the risk of non-compliance, but it may only be scratching the surface. Even corporates whose core business is data-driven marketing, and whose USP rests on effective use of data, are proving to be surprisingly unsophisticated in addressing the risk of failing to comply with GDPR. However, there are a number of actions that corporates, in tandem with their legal counsel, can take to address the requirements of GDPR:
• Use AI to create a red flag system. Effective use of AI prioritises valuable legal staff time. AI can look at tens of thousands of contracts in one afternoon, a task that would take lawyers weeks. Artificial intelligence cannot do everything a human can, but it can automate some critical aspects of the data protection undertaking. It can apply intelligence to identify where personal data is held, often in places that lawyers would never have found.
• Predict your data controller and data processor scenarios. GDPR is very clear that the responsibilities and liabilities of data controllers and data processors are different. However, determining whether you are a controller or a processor in a given situation is quite abstract, turns on sophisticated legal tests and is often up for debate. Not many businesses have the in-house expertise to be confident that they are getting this classification right in every case. With the right data, AI can help you automatically categorise the relationships and scenarios in which you are most likely to be one or the other, semi-automating a notoriously difficult task.
• Keep it simple. The complexity of many business operations means there is a real risk of failing to comply with GDPR. One approach is to tackle complexity by simplifying: make sure that most key employees have a very clear understanding of the major data protection tenets, and accept the smaller risk that they will fail to comply with some of the finer points of the regulation. AI can potentially help here too, by identifying the systems or activities where serious data protection problems are most likely to occur, so that you can take more rigorous compliance steps in those areas while keeping others simple.
• Minimise and anonymise. The simplest way to ensure 100 per cent compliance with GDPR is not to process any personal data at all. That is impractical for most businesses, but it is also true that the less personally identifiable data the organisation holds, the lower the risk. Until recently, anonymisation technology was regarded as quite niche. Now that GDPR explicitly names pseudonymisation as a safeguard and places properly anonymised data outside its scope, the technology is no longer a nice to have; businesses should be considering it as a matter of priority. One caveat: data that has merely been pseudonymised (for example, names or emails replaced by tokens that can still be mapped back with a key) remains personal data under GDPR, so the key and the remaining attributes need the same care as the original. Artificial intelligence technology can help automate redaction. A tight grip on the data life-cycle will also help businesses minimise the amount of personal data they hold, and again AI can help identify and delete personal data that the business has no need to store. Generally, companies hold more personal data than they need. Often it is more important to understand the attributes of a person than their individual identity: what you are, not who you are.
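The flag, redact and minimise steps described in this list, as an added example written for this page in Python; it is not ThoughtRiver's code and does not describe its product. It assumes a constructed two-row contact sheet (made-up people), a hypothetical HMAC key, and two deliberately simple regular expressions for emails and phone numbers; the function names (flag_personal_data, pseudonymise, age_bracket, minimise, process_sheet) are this example's own.

```python
import hashlib
import hmac
import re
from typing import Dict, List

# Constructed sample rows standing in for a spreadsheet of customer contacts.
# These are not real people; every detail is made up for this example.
SAMPLE_ROWS: List[Dict] = [
    {
        "name": "Alice Example",
        "email": "alice@example.com",
        "phone": "+44 7700 900123",
        "postcode": "SW1A 1AA",
        "age": 34,
        "notes": "Call alice@example.com re: renewal",
    },
    {
        "name": "Bob Sample",
        "email": "bob.sample@example.org",
        "phone": "020 7946 0000",
        "postcode": "M1 1AE",
        "age": 52,
        "notes": "Prefers calls on 020 7946 0000 after 6pm",
    },
]

# Hypothetical pseudonymisation key. In practice this lives in a secrets
# manager, separate from the data, and is rotated under a documented policy.
KEY = b"hypothetical-pseudonymisation-key"

# Fields that are direct identifiers by construction of this sample sheet.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}

# Deliberately simple patterns; a real scanner covers more classes
# (national insurance numbers, IBANs, dates of birth, ...).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")


def flag_personal_data(row: Dict) -> Dict[str, List[str]]:
    """Red-flag step: return each field that looks like personal data and why.

    Free-text fields are scanned too, because identifiers leak into notes
    columns far more often than into the columns designed to hold them.
    """
    flags: Dict[str, List[str]] = {}
    for field, value in row.items():
        reasons = []
        if field in DIRECT_IDENTIFIERS:
            reasons.append("direct identifier field")
        if isinstance(value, str):
            if EMAIL_RE.search(value):
                reasons.append("contains email address")
            if PHONE_RE.search(value):
                reasons.append("contains phone number")
        if reasons:
            flags[field] = reasons
    return flags


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for an identifier.

    Normalising first means 'Alice@Example.com ' and 'alice@example.com'
    link to the same subject. A plain unkeyed hash could be reversed by
    hashing a dictionary of known emails; the key prevents that, but whoever
    holds the key can still re-identify, so this is pseudonymous, not anonymous.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def age_bracket(age: int) -> str:
    """Generalise an exact age to a ten-year band: an attribute, not an identity."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def minimise(row: Dict, key: bytes) -> Dict[str, str]:
    """Keep what the business needs (attributes), drop or transform the rest."""
    notes = EMAIL_RE.sub("[email redacted]", row["notes"])
    notes = PHONE_RE.sub("[phone redacted]", notes)
    return {
        "subject_id": pseudonymise(row["email"], key),
        "age_bracket": age_bracket(row["age"]),
        "area": row["postcode"].split()[0],  # outward code only, e.g. SW1A
        "notes": notes,
    }


def process_sheet(rows: List[Dict], key: bytes) -> List[Dict[str, str]]:
    """Minimise every row; the flags are what a human reviewer would triage first."""
    return [minimise(row, key) for row in rows]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(flag_personal_data(row))
    for cleaned in process_sheet(SAMPLE_ROWS, KEY):
        print(cleaned)
```

The output is pseudonymised rather than anonymised: as long as the key exists the tokens can be re-linked to the source emails, so the result is still personal data and the key needs its own access control and retention rule. Even with the key destroyed, a ten-year age band plus an outward postcode plus free-text notes can still single out an individual in a small area, so a genuine anonymisation exercise also has to check how many subjects share each combination of the retained attributes before declaring the data out of scope.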
Legal advisors, internal and external, have a key role in suggesting practical measures to address GDPR risks. Time spent automating the legal assessment of data protection liabilities will pay dividends given the now-increased risk-cost of GDPR. For some businesses this will generate competitive advantage, because the organisation will be better able to leverage the power of data without the heavy restrictions it would otherwise have to impose in the absence of automation tools.
AI helps compliance
GDPR is set to impose harsh penalties for non-compliance, yet the correct application of some of its principles will be subjective. AI can help manage the additional investment in data protection resources that GDPR requires, and help the experts tasked with data protection compliance keep on top of the thousands, even millions, of decisions that need to be made about personally identifiable data every day. For some businesses, AI-driven automation will be critical to achieving any level of real-world compliance.
Tim Pullan is CEO and founder of ThoughtRiver, a company which has researched and pioneered AI technology highlighting which contracts to look at and what sections to focus on. It can also generate risk assessment reports on contracts in seconds. For further information visit www.thoughtriver.com