May 25th, the date GDPR enforcement begins, is almost here, and most companies are still working towards compliance. Cheryl O’Neill, Director of Product Management at Seal Software, looks at the hidden compliance risk that contracts pose and explains why machine learning techniques are the only practical way to get actionable visibility into the contract-based data flowing into and out of a company.
Businesses collecting and using customer data across the EU are preparing for the biggest upheaval in data protection law in the last 20 years. The General Data Protection Regulation (GDPR) becomes enforceable at the end of May, yet with only weeks to go, most business and IT leaders are still working towards meeting the new compliance mandate.
One of the most important changes that businesses need to be aware of is how individual rights in respect of personal data have changed. The GDPR is meant to give individuals more control over the ways in which businesses process their personal data, granting new rights and enhancing those that existed under the outgoing data protection regime.
In its sweeping effort to define and protect the handling of personal data, the GDPR framework defines a set of triggers for a data protection impact assessment. Even where processing is lawful, individuals have the right to object at any time, and processing must cease unless the controller demonstrates “compelling legitimate grounds” that override the objection.
Contracts must be reviewed
Regulation, and regulatory change, is in many ways an information game. It is crucial to the GDPR readiness process to review and update existing contracts and similar templates that have data processing and privacy implications; Article 28 of the Regulation specifies the terms a contract between a controller and a processor must contain. This step, which also applies to many of the data regulations imposed on industry today such as PCI DSS and SOX, requires knowing where the pertinent documents are and what is inside them.
It is not unusual for an organization to have hundreds of thousands of contracts that all need to be analyzed for GDPR-relevant clauses. Contracts that fall under the mandate must be identified so that action can be taken to support compliance. This means finding these contracts, going through each and every one of them to determine which need to be revised or re-papered, and then executing on the revised language.
The information pulled from the contract documents may include language on data breach obligations, which must be understood and checked against GDPR requirements. Contractual agreements with data processors, or with other vendors that may come into contact with data subject to the GDPR, should also be reviewed for the clauses that define their scope.
If this were not enough, the GDPR requires a compliant process to be in place so that all new contracts are handled properly. A single contract that goes unnoticed and lacks the proper indemnification language is enough to put the company at risk.
Technology drives compliance
It is important to note that GDPR compliance will be an ongoing process, not a one-time data fix. For many companies, getting into compliance means employing armies of reviewers to read through each contract, flag it, and prioritize it for remediation. It is a costly and inefficient process, typically stretching out over weeks and often months, and unavoidably prone to error.
Especially at the enterprise level, where thousands upon thousands of items must be reviewed, companies are also using analytics to discover the contractual documents that fall under the GDPR and to understand what terms they contain, so the documents can be properly processed and brought into alignment.
Artificial intelligence is in many ways a game changer, because it takes this activity out of the costly, unreliable domain of manual processing. Automated platforms using AI can be pointed at the various places where contracts and agreements are suspected to reside, identify them, and apply a series of algorithms that make them classified and searchable.
The latest AI-powered insight tools can be taught to correspond to both the direct requirements and the indirect implications of the GDPR. For example, the GDPR stipulates that a data protection impact assessment (DPIA) must be conducted for certain types of data processing. Although not strictly required by the Regulation, a well-drafted contract will, by implication, also address items such as the frequency of the DPIA and whether the assessment must be conducted by an independent party.
Machine learning is the key
The long list of topics that must be addressed to comply with the terms of the GDPR will keep business leaders awake at night. Familiar and ubiquitous contractual terms, from subcontracting of data processing and indemnification for data events to force majeure, data processing agreements, termination rights pertaining to a data event, limitation of liability, and a host of other contractual subjects, are all affected by the GDPR.
Seal Software has found that companies without clarity into their contracts and similar documents often flounder when handling these very topics. One way the Seal platform addresses this is by applying machine learning to search contracts against refined policies relevant to the GDPR, such as specific contractual terms or combinations of clauses.
Particularly for organizations whose contracts and other fragmented data sit across multiple silos owned by different business units, with no complete enterprise view, machine learning techniques are the only practical way to get actionable visibility into the contract-based data flowing into and out of the company.
The imperative is to put real power into the hands of those who need reliable information to make smart, strategic decisions about the GDPR. With enforcement right around the corner, the time to act is now.