Dark data in contracts poses hidden risk to GDPR compliance

In most of the world, regulations and directives define the duties of confidentiality and security that organisations must follow to protect personally identifiable information (PII) such as credit card and banking information, vital statistics and healthcare data.

While the level of data protection they mandate has been inconsistent, until recently this patchwork of rules did not garner much attention as breaches of PII were relatively rare.

With the amount of personal data stored by companies and governments experiencing dramatic growth, it has become a commodity upon which businesses are increasingly reliant to innovate and grow, making it an especially attractive target for unscrupulous players.


Regulators have had to re-think the existing policies, procedures, monitoring and auditing requirements that govern PII, and this is precisely the driver for the new General Data Protection Regulation, or GDPR, which comes into full force across the 28 countries of the European Union on May 25 of next year.

The GDPR defines how customer data must be managed, not just for European companies, but for any company doing business in Europe or with European customers. It is backed by a harsh enforcement regime that penalises non-compliant controllers and processors with hefty sanctions including fines of up to 20 million euros or 4% of annual revenues for certain offences. It goes without saying that companies are scrambling to avoid the reputational and financial fallout of non-compliance.

Untold amounts of “dark data”, or data residing in unstructured content that is hidden in both searchable and unsearchable formats, poses a serious challenge as organisations around the world struggle to meet their GDPR obligations.

While the GDPR addresses the processing and management of PII, the extraction and analysis of unstructured data within contract documents has come into clearer focus as vital to meeting these required provisions.

Discovery and processing is fairly straightforward with structured data, but dark data is far more complex to search and identify. For example, PII such as bank statements can sit on a server for decades, slowly becoming “dark” as time passes and it becomes less and less relevant, and therefore less valuable, to the company.

Under the GDPR, data subjects have an explicit right to request a copy of their data, and even its removal, which costs the organisation a not insignificant number of man-hours for an exhaustive search. When the same data is requested by a court and cannot be located, the costs escalate.


In fact, the entire regulatory framework of GDPR presumes organisations know exactly what data they hold, making it crucial to understand where PII might be darkly tucked away in contracts.

Once found, an organisation can extract the data, protect it, and process it in accordance with the GDPR. Contracting processes and systems that comply with these mandates should be established on a go-forward basis, and data-protection obligations must be met as indicated in the contract documents themselves and in conformity with the GDPR.
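The discovery step described above, finding PII that has gone dark inside unstructured contract text and building an inventory that can answer a data subject's request for a copy of their data, is the kind of thing a practitioner would want to see in working code. The following scanner is an added example, not code from the article or from Seal Software; the contract documents, e-mail addresses and bank details in it are constructed test values (the two IBANs are the well-known ISO 13616 sample values), and the detection is deliberately limited to two identifier types, e-mail addresses and IBANs, with a checksum check so that IBAN look-alikes do not pollute the inventory.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "contract" documents standing in for a file share of
# unstructured agreements. None of these values belong to a real person.
DOCUMENTS = {
    "contracts/2009/supplier-agreement.txt": (
        "Payment shall be made to the Supplier's account IBAN GB82 WEST 1234 5698 7654 32.\n"
        "Notices to: accounts@example-supplier.test"
    ),
    "contracts/2015/consulting-msa.txt": (
        "The Consultant (contact: jane.doe@example.test) warrants ...\n"
        "Bank: DE89 3704 0044 0532 0130 00"
    ),
    "contracts/2016/nda.txt": (
        "Nothing personal here. Reference number 12345.\n"
        "Superseded account GB00 WEST 1234 5698 7654 32 is no longer in use."
    ),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Country code, two check digits, then groups of four (optionally space separated).
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")


@dataclass(frozen=True)
class Finding:
    kind: str    # "email" or "iban"
    value: str   # normalised value: lower-case e-mail, or IBAN with spaces removed
    path: str    # document the value was found in
    line: int    # 1-based line number inside that document


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1 mod 97."""
    compact = iban.replace(" ", "").upper()
    if not 15 <= len(compact) <= 34:
        return False
    rearranged = compact[4:] + compact[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # int("A", 36) == 10
    return int(digits) % 97 == 1


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every PII finding in one document, with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            findings.append(Finding("email", m.group().lower(), path, line_no))
        for m in IBAN_RE.finditer(line):
            # The checksum filters out tokens that merely look like an IBAN.
            if iban_is_valid(m.group()):
                findings.append(Finding("iban", m.group().replace(" ", ""), path, line_no))
    return findings


def scan_documents(docs: dict[str, str]) -> list[Finding]:
    """Build the PII inventory for a whole document store."""
    inventory: list[Finding] = []
    for path, text in docs.items():
        inventory.extend(scan_text(path, text))
    return inventory


def locate_subject(inventory: list[Finding], identifier: str) -> list[str]:
    """Answer a subject access request: which documents mention this identifier?"""
    key = identifier.replace(" ", "").lower()
    return sorted({f.path for f in inventory if f.value.lower() == key})


if __name__ == "__main__":
    inventory = scan_documents(DOCUMENTS)
    for f in inventory:
        print(f"{f.kind:5} {f.path}:{f.line}  {f.value}")
    print("Documents mentioning jane.doe@example.test:",
          locate_subject(inventory, "jane.doe@example.test"))
```

The inventory, not the raw text, is what you would keep: it tells you where each identifier lives so a copy or erasure request can be fulfilled by going to those files, and it is itself PII, so it needs the same access controls as the documents it indexes.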

The new EU rules use a very broad brush to impose both direct and indirect obligations on third-party data processors, such as cloud-storage providers and data centre operators, to comply with the same requirements that apply to controllers.

While previous liability was generally limited to infringement of their contractual obligations to handle personal data in accordance with the controller’s instructions, processors are now open to direct action for failure to meet the requirements of GDPR itself.

Controllers are under even greater pressure. The risks and contractual requirements for the protection of personally identifiable information shared with data processors and other vendors that may come into contact with PII, as well as the onus of the GDPR mandates, remain primarily with the entity that controls the data. Yet most organisations have little insight into their unstructured data stores.


For example, confidential medical information may have been extracted from production systems for analytical purposes, and even if it contains only minimal details by the time it goes dark, it could easily meet the GDPR’s broad definition of PII.

However, getting dark data into compliance with the GDPR also has the potential to transform an organisation into a truly data-driven organisation. Reliable information contained in unstructured contract documents that is brought back into the light can be used to make better decisions, provide more efficient customer service, and reveal hidden opportunities to generate revenue from unexpected sources.

And perhaps more importantly, getting a handle on unstructured PII in contracts will ensure that it is no longer a ticking time bomb that risks both your bottom line and reputation.


Sourced by David Gingell, chief marketing officer, Seal Software 


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
