One of the most vexing problems for organizations is mitigating GDPR compliance risks when dealing with third parties, particularly the nature and extent of obligations between data controllers and processors.
By virtue of the GDPR accountability principle, organizations must be able to demonstrate adherence to the six fundamental principles of Article 5 that govern the collection, processing and disposition of personal data (the regulation's term for what is commonly called personally identifiable information). These obligations extend beyond the walls of the organization to the third parties that process personal data on its behalf. GDPR also defines processing broadly and imposes stringent requirements on organizations that engage third parties to process personally identifiable information.
Processing is defined broadly to include any operation performed on personal data, including transfers and transmissions to third parties. Under Article 28 of the General Data Protection Regulation, controllers may only appoint processors who provide "sufficient guarantees" that their processing will meet the requirements of the GDPR. Failure to do so may expose both controllers and processors to administrative fines or other sanctions, and both may be liable to compensate data subjects for damage suffered.
The relationship between controllers and processors must be governed by a contract (or other legal act) which "sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller."
The Article 28 Data Processing Agreement must incorporate specific provisions:
The processor processes personal data only on documented instructions from the controller;
The processor implements the security measures required by Article 32, namely technical and organizational measures appropriate to the risk that safeguard the confidentiality, integrity, availability and resilience of processing systems and of the personal data they hold;
The processor assists the controller in demonstrating compliance, making available the information needed to do so, allowing for and contributing to audits of its compliance readiness, and cooperating with requests from Data Protection Authorities;
The processor deletes or returns all personal data to the controller, at the controller's choice, after the end of the provision of services relating to processing;
The processor assists the controller in responding to data subject requests under Chapter III of GDPR, including providing transparent information within the required period of one month (extendable only in limited circumstances), rectification, erasure and the right of data portability; and
The processor notifies the controller without undue delay after becoming aware of a personal data breach, so that the controller can meet its own notification obligations under Article 33 of GDPR.
These onerous compliance obligations notwithstanding, survey research indicates that an overwhelming majority of organizations lack confidence in their third party risk processes. The principal bottlenecks that keep data controllers from gaining visibility into processor risk are:
Data Discovery: A recent survey found that 71% of organizations regard identifying data sources and their locations as their primary challenge. Digitizing all incoming data, including paper received from third parties, is an essential first step in data discovery. Such data arrives in various formats and through various channels: paper, fax or email. Intelligent document capture, based on full-page OCR, ICR, searchable PDFs and text analytics, can process large volumes of incoming documents so that personally identifiable information is automatically extracted and classified with a high degree of accuracy. The extraction rules still need to be validated against a sample of known documents, since matching on format alone produces false positives.
Once data is digitized, the next step in the data discovery process is identifying all information repositories that may contain personally identifiable information. This is not a trivial task. Organizations often simply do not have visibility into their information holdings. Information may be located in file shares, emails, distributed content repositories, antiquated archival systems and file cabinets. It is hard to manage the abundance of data in all these disconnected systems, and a lot of time and effort is spent locating the right document.
On top of that, these systems expose multiple different interfaces, which slows user adoption and reduces efficiency and productivity. Through a normalized metadata layer, disparate repositories can be searched from a single interface so that personally identifiable information is surfaced, classified and integrated with the applications that process it. That inventory is what allows a controller to document the types of personal data and categories of data subjects each processor handles, as Article 28 requires; it does not by itself ensure compliance.
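The discovery step described above, reduced to code: a scanner that runs over text extracted from several kinds of repository and builds a normalized metadata index recording which categories of personal data each location holds. This is an added illustration, not tooling from the original page or any vendor it mentions. The corpus of four documents is constructed sample data (the OCR entry stands in for text captured from a scanned fax), the detection patterns are the author's own assumptions, and name detection is deliberately left out because it needs named-entity recognition rather than pattern matching. Two practitioner points are built in: format matches for card numbers and IBANs are checked against their checksums (Luhn and ISO 7064 mod 97-10) so that an order reference that merely looks like a card number is rejected rather than indexed, and the index stores only masked values, so the inventory does not itself become a new store of personal data.

```python
"""PII discovery over heterogeneous sources with a normalized metadata index.

Added example for illustration; the corpus, patterns and class names below are
assumptions made for this example, not part of any product or of the page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample corpus: (source system, path, extracted text).
# The "ocr" document simulates text captured from a scanned fax; its 16-digit
# number is a ticket reference that fails the Luhn check.
SAMPLE_CORPUS = [
    ("fileshare", "//fs01/hr/contractors/onboarding.txt",
     "Contractor: Jane Example <jane.example@example.org>. "
     "Pay to IBAN GB82 WEST 1234 5698 7654 32."),
    ("email", "mailbox/ap/2018-03-01.eml",
     "Invoice attached. Card on file 4111 1111 1111 1111, call +44 20 7946 0958."),
    ("ocr", "scans/fax-0001.pdf",
     "Order ref 1234 5678 9012 3456 is a ticket number, not a card."),
    ("archive", "legacy/export.csv",
     "id,status\n1,closed\n2,open"),
]

# Format detectors (assumed patterns, intentionally permissive: the checksum
# validation below is what keeps the false-positive rate down).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")          # 13 to 19 digits
PHONE_RE = re.compile(r"\+\d{1,3}(?:[ -]?\d){6,12}")       # international form only


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod 97-10 check: move the first four characters to the end,
    map letters to 10..35, and the number must leave a remainder of 1."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    numeric = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(numeric) % 97 == 1


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters so the index never holds raw values."""
    compact = re.sub(r"[ -]", "", value)
    return "*" * (len(compact) - keep) + compact[-keep:]


@dataclass
class Finding:
    category: str
    masked: str


@dataclass
class IndexEntry:
    source: str
    path: str
    findings: list[Finding] = field(default_factory=list)
    rejected: int = 0  # format matches that failed their checksum


def scan_text(text: str) -> tuple[list[Finding], int]:
    findings: list[Finding] = []
    rejected = 0
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("email", local[0] + "***@" + domain))
    for m in IBAN_RE.finditer(text):
        if iban_ok(m.group()):
            findings.append(Finding("iban", mask(m.group())))
        else:
            rejected += 1
    # Blank out IBAN-shaped spans first so their digit groups are not re-read
    # as a card number candidate.
    for m in CARD_RE.finditer(IBAN_RE.sub(" ", text)):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.append(Finding("card", mask(m.group())))
        else:
            rejected += 1
    for m in PHONE_RE.finditer(text):
        findings.append(Finding("phone", mask(m.group())))
    return findings, rejected


def build_index(corpus) -> dict[str, IndexEntry]:
    """Normalized metadata layer: one entry per location, whatever the source."""
    index: dict[str, IndexEntry] = {}
    for source, path, text in corpus:
        findings, rejected = scan_text(text)
        index[path] = IndexEntry(source, path, findings, rejected)
    return index


def categories(entry: IndexEntry) -> set[str]:
    return {f.category for f in entry.findings}


if __name__ == "__main__":
    for entry in build_index(SAMPLE_CORPUS).values():
        print(f"{entry.source:9} {entry.path:40} "
              f"{sorted(categories(entry))} rejected={entry.rejected}")
```

On the sample corpus the fileshare document is indexed as holding email and IBAN data, the mailbox as holding card and phone data, and the fax scan as holding nothing, with its look-alike number counted as a rejected candidate; the rejected count is worth keeping in the index because a high count on one source usually means the capture or the pattern needs tuning for that source.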
Contract review: Data controllers and processors have a legal obligation to establish contractual agreements between them that define the roles, responsibilities and liabilities of both parties and adhere to the provisions of Article 28 of GDPR. Contract analytics software enables organizations to automatically identify and extract entities from contracts, surface potential gaps between the GDPR provisions and the existing Data Processing Agreements, perform clause-by-clause comparisons and remediate the gaps found.
Using machine learning and AI technologies, the contract review process can be accelerated and tedious human review minimized, enabling legal staff to focus on higher-value tasks associated with compliance obligations: "AI software can easily extract data and clarify the content of contracts . . . It can let companies review contracts more rapidly, organize and locate large amounts of contract data more easily, decrease the potential for contract disputes. . . and increase the volume of contracts it is able to negotiate and execute." ("How AI Is Changing Contracts," Harvard Business Review, Feb. 12, 2018); and
Continuous monitoring: Continuously monitor third party agreements, and the subcontractors those third parties engage, to surface data privacy risk as it emerges, including gap analysis that assesses the current state of data protection controls and identifies how data flows to, and is used by, third parties and their subcontractors.
According to the PwC Pulse survey, 68% of US organizations surveyed said they would invest between $1 million and $10 million on GDPR-related compliance initiatives, including assessing the efficacy of data discovery tools, with a total forecasted spend of $7.8 billion. And where is the spend going? The EY-IAPP report shows that 57% are investing in privacy-enhancing technologies spanning digitization initiatives, data discovery and machine learning that streamline highly repetitive and error-prone GDPR compliance processes.
Investment in privacy-enhancing best practices and technologies should not be considered a cost of doing business but rather a strategic investment that strengthens your brand, minimizes disruption to your business processes and fosters customer loyalty.