In most areas of the world, there are legislative rules and regulations for how companies must protect and manage personally identifiable information (PII), such as passport information, credit card and banking information, and healthcare information. These laws have been inconsistent and have varied widely in the level of data protection they mandate, but this was not a major concern while breaches of PII were relatively rare.
But in recent years, the amount of personal data stored by companies and governments has grown dramatically, prompting regulators to re-think their requirements for organizations. This explosion of digital PII data is the driver for the GDPR, the new General Data Protection Regulation enacted in Europe. It is a comprehensive set of new rules that mandate how PII data must be managed, not just for European companies, but for any company doing business in Europe or with European customers. GDPR was adopted on April 27, 2016, and becomes enforceable on May 25, 2018, and penalties for non-compliance are harsh. They include fines up to 20,000,000 Euros or 4% of annual revenues for certain offenses, and companies are scrambling to set up and implement GDPR compliance initiatives.
While GDPR includes a variety of components addressing the processing and management of PII, the extraction and analysis of data from contract documents play a very important role in compliance. There are three specific areas where contract data plays a role:
- Understanding where PII might be hidden, in particular in the “dark data” found in contract documents.
- Ensuring data breach obligations, as indicated in contract documents, are understood and comply with GDPR requirements.
- Confirming contractual agreements with data processors or other vendors that may come into contact with PII have the appropriate clauses and a defined scope.
A serious challenge with GDPR compliance is the untold amount of “dark data,” or data that is hidden in unstructured content, possibly within unsearchable documents scattered across an organization. If dark data includes sensitive information such as payment information, passport information, health information, or other PII, it needs to be identified and processed.
Seal converts unsearchable documents to a searchable format and then finds the PII within the dark data. Once found, an organization can extract the data, protect the data, and process it in accordance with GDPR mandates. It must also establish contracting processes and systems which will comply with GDPR rules in the treatment of PII on a go-forward basis.
The goal of GDPR is to reduce or prevent exposure of sensitive personal information in the event of a data leak, but it is almost inevitable that a breach will occur, so preparation becomes key. The second aspect of contract data that applies to GDPR compliance is language in contracts that describes what constitutes a data breach, and what the specific obligations and legal rights are in the event one occurs.
The definition of a breach is a bit vague, but a breach is considered to occur if it may “result in a risk for the rights and freedoms of individuals.” When there is a breach, it is important to understand the point of entry for the breach, and also the obligations of all parties for notification. Did it occur through the fault of a vendor/supplier? If yes, do contracts have indemnification language allowing for compensation for any loss? Are there proper insurance clauses and coverage that cover any loss? It is very important to ensure these protections are built into all contracts.
Notification and other obligations resulting from a data breach are also now mandated by GDPR rules. This means that any obligation clauses in any existing contracts are no longer valid. Obligation language should be revised in all contracts to reflect GDPR rules, and to avoid any confusion by either party in case a breach occurs.
GDPR also allows individuals to ask if their personal data is being captured and processed, and if it is, the organization must be able to produce copies of their personal data in electronic format. Organizations are also tasked with ensuring contracts contain provisions regarding the tasks and responsibilities of the data processor, including how and when data will be returned or deleted after processing, and the details of the processing, such as subject-matter, duration, nature, purpose, type of data and categories of data subjects.
This presents a challenge as some of this data may come in the form of scanned documentation in an image format. Information that is currently digitized will need to be reviewed, particularly contracts with data processors. This can pose a significant challenge to organizations, as contracts of this nature are often spread across an organization’s entire contract corpus. Organizations must go through an exercise of converting the images that contain text into searchable documentation by applying OCR technology, and finding, identifying, and reviewing pertinent vendor contracts.
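The two steps described above (make image-only documents searchable, then locate PII in the resulting text) can be illustrated with a small scanner. The following is an added example written for this article, not Seal's code or method; it assumes OCR has already produced plain text and uses a constructed sample of that text. It detects payment card numbers (validated with the Luhn checksum so random digit runs are not reported) and e-mail addresses, and can redact what it finds before the text is indexed.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

@dataclass
class Finding:
    kind: str    # "card" or "email"
    value: str   # the matched text as it appeared in the OCR output
    start: int   # character offsets, so the hit can be redacted or highlighted
    end: int

def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> list:
    """Scan OCR'd text and return PII findings ordered by position."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(Finding("card", m.group(), m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)

def redact(text: str, findings: list) -> str:
    """Replace each finding with a marker; work right-to-left so offsets stay valid."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):
        out = out[:f.start] + f"[{f.kind.upper()} REDACTED]" + out[f.end:]
    return out

# Constructed sample standing in for OCR output of a scanned contract page.
SAMPLE_OCR_TEXT = (
    "Invoice 2017-0042. Card on file: 4111 1111 1111 1111 (test card). "
    "Contact: jane.doe@example.com. Ref 4111 1111 1111 1112 is a scan artifact."
)

if __name__ == "__main__":
    hits = find_pii(SAMPLE_OCR_TEXT)
    for h in hits:
        print(f"{h.kind}: {h.value} at {h.start}-{h.end}")
    print(redact(SAMPLE_OCR_TEXT, hits))
```

The second digit run in the sample fails the Luhn check and is left alone, which is the kind of false-positive control a scanner needs before it is run across a whole contract corpus.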
How Seal Can Help
These aspects of GDPR all require a clear understanding of PII, whether it is hidden in dark data or not. Seal can discover contracts across the network, OCR images and other non-searchable formats, and locate and extract PII data. It can also:
- Let you know if contracts have a viable definition of a breach
- Search for proper indemnification language
- Discover proper insurance language
- Extract and index data breach obligation language
- Segregate buy-side agreements from sell-side agreements and other contract type documents
GDPR is a complex and comprehensive new regulation affecting most organizations. This is why a technology solution such as Seal is needed to dramatically reduce the time, cost, and disruption of scouring documents to find PII data, and to ensure a company is in compliance with GDPR.