Complying with GDPR and How Software Can Help
by Melissa Smith
August 1, 2018
For many, it has been difficult to keep up with the evolving public policies surrounding internet data privacy. However, the last several years of the ‘Digital Age’ have proven that all online personal data, defined as any information relating to an identifiable human being, is vulnerable to hacking and, more alarmingly, to weaponization and misuse. “Personal data” can include anything from email addresses, credit card numbers, mailing addresses, personal photos and published writings to information about political and religious affiliations.
In an effort to protect consumer data, the European Union passed the General Data Protection Regulation, better known as the GDPR, in April 2016. These new rules require companies and organizations to safeguard all of the consumer data they collect. The EU started implementing the regulations in May 2018, leaving businesses that are not currently compliant liable for penalties. The potential cost of non-compliance is up to 20 million EUR, or 4% of an organization’s revenue. For law firms whose clients trust them with sensitive information, being charged with non-compliance, or worse yet, experiencing a breach of their clients’ sensitive data, could also greatly affect the company’s reputation.
The challenges related to complying with GDPR requirements have quickly multiplied for law firms. Law firms collect a lot of sensitive data, often keeping this information in hard-copy format. Under GDPR, if a client requests access to their personal information, a firm would only have 30 days to comply. Without a process for handling personal data, managing hundreds of requests is an intensive, manual task.
How does a firm make sure it’s operating in accordance with all the rules and regulations? Thankfully, there are ways to leverage advanced analytics to comply with GDPR relatively simply and efficiently. Here are the basics of what every business owner and CEO needs to know about GDPR compliance:
Why do law firms need to comply with GDPR?
All companies selling to, storing, or processing information about European data subjects are required to comply. In addition, any international company with business ties to the European Union needs to comply.
Some unsuspecting US enterprises have been surprised to discover GDPR compliance exposure because their public website has allowed European data subjects to leave names and other personally identifiable information (PII), or that their licensing servers have been collecting IP and MAC addresses from European company servers.
GDPR defines roles such as data controllers and data processors. Data processors are in charge of the data processes of retrieving and organizing data and can often be a third party. Data controllers receive the data and are responsible for the storage, use and proper maintenance of personal data received from the processor. For example, a controller could be a law firm, while a processor could be an IT firm doing the actual data processing(1).
What types of Personally Identifiable Information (PII) are protected?
A wide range, including basic identity information such as name, address and ID numbers; web data such as location, cookie data, IP & MAC addresses; health, biometric, genetic, racial and ethnic data; religious or political affiliation; age; and sexual orientation.
Are most businesses already complying?
No! Only a small number of data-controlling and data-processing enterprises are prepared to comply with the GDPR. An estimated 85% of affected organizations were not ready when GDPR took effect in May(2). Compliance rates are lowest in the finance and healthcare industries, while only 47% of law firms are fully prepared(3). Due to the sweeping scope of GDPR, compliance efforts will be ongoing and long-term across industries.
How can advanced analytics software help an organization comply?
A key step in becoming GDPR compliant is knowing all the personal data a law firm has, in every file format. A typical law firm will do one or many of the following: use word processors to write up case documentation or notes, communicate about sensitive matters with their clients or team members through email or chat tools, take down handwritten notes in journals or on paper documents, and record important conversations in audio files. The challenge is that all of these are unstructured data files. With the right technology, it is straightforward to identify the different data types and to organize and extract the relevant information.
Technology, by itself, is not a solution for all GDPR compliance regulations. However, using technology in conjunction with a process to automate PII identification, as well as extract and report data, can make the compliance process much simpler.
Organizations can and should use software to get control of their unstructured data. They are well-advised to use an analytics solution that allows them to create reports based on all their relevant enterprise data.
The most precise way to identify and extract GDPR entity types is to use linguistics-based Natural Language Processing that properly identifies all the compliance terms and phrases using dictionaries, local-grammar sentence analysis and statistics-based extraction algorithms.
Dictionaries can find known GDPR entities by category (e.g. social security numbers, patient ID numbers, IP addresses). Linguistics software puts all of that initially unstructured data into a structured format. Entities like people, organizations, locations and dates (and relevant facts and terminology about each) are easily searchable and reportable with the right software.
This technology can be used to search for, find, extract and report on GDPR entities. For example, ayfie Supervisor (a type of linguistics software) allows users to:
- Connect to sources across the enterprise and collect their content into a central index
- Index and analyze the unstructured content via a structured model
- Create relationships among all the entities and PII and classify them by type
- Search and report through a management user interface
- Schedule daily or weekly reports
- Archive past reports
For organizations scrambling to find ways to efficiently comply with GDPR requirements, employing linguistics software is an excellent first step.
How can a company implement this type of software?
As noted before, no single piece of technology or software can make an organization GDPR compliant. Law firms should consider partnering with a managed service provider to help audit where personal data is stored and implement the business technology solutions needed to ensure compliance.
A managed service provider helps clients to become GDPR compliant by leveraging the optimal mix of IT, data and document security solutions, text analytics and data transformation platforms in an ongoing managed services model. The provider and the firm work together to comprehensively assess the organization’s technology infrastructure and strategy, ensuring its security and the advancement of the organization’s goals.