In most areas of the world, legislative rules and regulations for how companies must protect and manage personally identifiable information (PII), such as passport, credit card, banking and healthcare information, have been in force for many years. These laws, however, have been inconsistent and have varied widely in the level of data protection they mandate, but this had not been a major concern while breaches of PII were relatively rare.
However, in recent years, the amount of personal data stored digitally by companies and governments has grown dramatically, prompting regulators to re-think and tighten their requirements for organisations. This explosion of digital PII data is the driver for the new General Data Protection Regulation (GDPR).
GDPR is a comprehensive set of new rules that mandate how PII data must be managed, not just for European companies, but for any company doing business in Europe or with European customers. GDPR becomes enforceable on 25 May 2018, and penalties for non-compliance are significant, including fines of up to 20 million euros or 4% of annual turnover for certain offences.
Companies are now scrambling to set up and implement GDPR compliance initiatives. A recent survey published by the Information Commissioner's Office indicated that many UK councils are underprepared for GDPR, while a YouGov survey found that only 11% of organisations have systems in place to ensure compliance. So, let's take a look at how companies can start to prepare for this new regulation.
How does contract data play a role in compliance?
While GDPR includes a variety of components addressing the processing and management of PII, the extraction and analysis of data within contract documents plays a very important role in compliance. That includes understanding where PII might be hidden, particularly if it is buried deep within contract documents; ensuring data breach obligations, as indicated in contract documents, are understood and comply with GDPR requirements; and confirming contractual agreements with data processors or other intermediaries that may come into contact with PII have the appropriate clauses and a defined scope.
The first challenge with GDPR compliance is dealing with the untold amounts of data that are hidden in unstructured content across an organisation, possibly within unsearchable documents stored in image formats. If this data includes sensitive information such as payment information, passport information, health information, or other PII, it needs to be identified.
Once this information is found, an organisation can extract the data, protect the data, and process it in accordance with GDPR mandates. It must also establish contracting processes and systems which will comply with GDPR rules in the treatment of PII on a go-forward basis.
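As an added illustration (not code from the article or from Seal Software), the kind of scan the identification step describes: a Python scanner that finds card numbers, e-mail addresses and passport numbers in a constructed piece of contract text, applies a Luhn check so that an internal reference number is not mistaken for a card, and redacts the confirmed hits. The patterns, field names and sample values are assumptions made for the example.

```python
import re

# Constructed sample contract text; every value here is made up for the example.
SAMPLE_CONTRACT = """Schedule B - Payment details
Card number: 4111 1111 1111 1111 (expires 12/25)
Internal reference: 1234 5678 9012 3456
Contact: jane.doe@example.com, passport no. AB1234567
"""

# Candidate patterns (assumed formats). The card pattern is deliberately loose
# and is confirmed with a Luhn check so reference numbers are not flagged as cards.
PATTERNS = {
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "email": re.compile(r"\b[\w.%+-]+@[\w.-]+\.[A-Za-z]{2,}\b"),
    "passport": re.compile(r"\bpassport\s+no\.?\s*([A-Z]{1,2}\d{6,8})\b", re.I),
}


def luhn_valid(number: str) -> bool:
    """Return True if the digit string (separators allowed) passes Luhn."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, value) pairs for PII found in the text, in pattern order."""
    found = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if kind == "card" and not luhn_valid(value):
                continue        # looks like a card but fails the checksum: skip
            found.append((kind, value))
    return found


def redact(text: str) -> str:
    """Replace every confirmed PII value with a labelled placeholder."""
    for kind, value in find_pii(text):
        text = text.replace(value, f"[REDACTED-{kind.upper()}]")
    return text


if __name__ == "__main__":
    print(redact(SAMPLE_CONTRACT))
```

Real deployments would add further formats (IBANs, national ID numbers) and run the scanner over OCR output rather than plain text, but the validate-then-redact structure stays the same.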
Ensuring data breach obligations comply with GDPR requirements
The goal of GDPR is to reduce or prevent exposure of sensitive personal information in the event of a data leak, but it is almost inevitable that a breach will occur, so preparation becomes key. The second aspect of contract data that applies to GDPR compliance is language in contracts which describes what constitutes a data breach, and what the specific obligations and legal rights are in the event of a breach occurring.
The definition of a breach is a bit vague, but a breach is considered to have occurred if it may "result in a risk for the rights and freedoms of individuals." When there is a breach, it is important to understand the point of entry for the breach and the notification obligations of all parties. Did it occur through the fault of a vendor or supplier? If yes, do contracts have indemnification language allowing for compensation for any loss? Are there proper insurance clauses and coverage that cover any loss? It is very important to ensure that adequate protections of this kind are built into all contracts.
Notification or other obligations due to data breach are also now being mandated by GDPR rules. This means that any obligation clauses in any existing contracts are no longer valid. Obligation language should be revised in all contracts to reflect GDPR rules, and to avoid any confusion by either party in case a breach occurs.
Confirming third party agreements have the appropriate clauses and a defined scope
GDPR rules allow individuals to ask whether their personal data is being captured and processed, and if it is, the organisation must be able to produce copies of their personal data in electronic format. Organisations are also tasked with ensuring that contracts contain provisions regarding the tasks and responsibilities of the data processor, including how and when data will be returned or deleted after processing, and the details of the processing, such as subject matter, duration, nature, purpose, and type of data.
This presents a challenge as some of this data may come in the form of scanned documentation in an image format. Information that is currently digitised will need to be reviewed, particularly contracts with data processors. This can pose a significant challenge to organisations, as contracts of this nature are often spread across an organisation’s entire contract corpus. Organisations must go through an exercise of converting the images that contain text into searchable documentation by applying OCR technology, and finding, identifying, and reviewing pertinent vendor contracts.
Contract intelligence solutions help to alleviate some of the concerns companies have when it comes to being GDPR compliant. Using an automated contract review and analysis solution can dramatically reduce the time, cost, and disruption of scouring through documents to find PII data, and ensure a company is in compliance with GDPR.
Sourced from Christina Wojcik, VP of legal services, Seal Software