Pilot 1. Compliance Assurance Services in Data Protection

Motivation

Privacy and data protection are increasingly becoming a core element of legal and regulatory compliance. In a Digital Single Market the processing of personal information does not only affect large corporations, but also SMEs. The General Data Protection Regulation (GDPR) harmonises data protection regulations throughout the EU, introducing substantial changes over the existing framework and strengthening the rights of individuals within the European Union. This Regulation will enter into force in May 2018 and it will have a far-reaching impact on organisations throughout the world. Ensuring compliance with the GDPR is a business-critical activity for every company handling personal data and cannot be dismissed. Under Art. 83, organisations suffering a data breach can be fined with the greater of up to 4% of their global turnover or € 20 million.

The GDPR foresees an extensive interaction of the regulatory statutory framework, private contracts, standard contract clauses, and codes of conduct:
  • GDPR: The complex and extensive text of the GDPR is the mandatory legal basis, which has to be understood by SMEs in order to be applied correctly.
  • Contracts between a company (controller) and an affected person (data subject): Processing of personal data requires a written agreement, using clear and plain language (Art. 7).
  • Contracts between a company (controller) and a subcontractor (processor): Processing requires written agreements between the controller and the processor (Art. 28).
  • Contracts between a subcontractor (processor) and another subcontractor (processor): Another written agreement is required, as well as the authorisation of the company (controller) (Art. 28).
  • Standard clauses: Supervisory authorities may adopt and suggest standard contractual clauses to SMEs (which should be ideally used by companies for compliance) (Art. 28).
  • Data processing register: Controllers and processors alike have to maintain written data processing registers, documenting their activities (Art. 30).
  • Additional Union and Member State provisions: Companies have to monitor compliance with the GDPR and “other Union or Member State data protection provisions” (Art. 39).
  • Policies of controllers and processors: Companies have to monitor compliance with the policies of controllers and processors (Art. 39).
  • Codes of conduct: Companies have to monitor codes of conduct provided by the Member States, the supervisory authorities, the Board under the GDPR and the EU Commission for an appropriate application of the GDPR.
  • Judgements by the Member States and the European Court of Justice: Companies have to monitor judgements related to data processing, not only on a European level, but also on a national level.
  • Other legislation referring to the GDPR: Data protection is not subject to the GDPR alone. A growing number of other national and European provisions (regulations, directives, national acts, etc.) refer to the GDPR (or currently to the Data Protection Directive). Such referring provisions have to be monitored by companies as well, depending on the business they are doing.

Consequently, this will result in a high number of data protection related legal documents and texts. Such texts may be public (GDPR, Member State provisions, codes of conduct, standard clauses, published companies’ data protection policies), shared (contracts) or closed/internal (internal policies). In any case, it will be a challenge for companies (especially for SMEs with limited legal resources) to monitor the regulatory legal framework, their private commitments and their compliance with such data processing obligations.

Objectives and proposed solution

The objective of this business case is to enhance compliance with data protection obligations through automation, thus reducing costs, corporate risks and personal risks. The prototype created in Lynx will actively monitor and analyse data processing related legal documents:

  • Public regulatory data protection framework (including data protection legislation and case law from the EU and Member States, public provisions and suggestions by authorities, etc.)
  • Private data processing contracts (including contracts between controllers/data subjects/processors, data processing policies of companies, general contracts which may include data processing clauses)

The system will actively inform companies, persons in charge (directors, managers, data protection officers, etc.) or the company’s lawyer(s) whenever there is a change in relevant legislation, case law, or in contractual obligations (with data subjects or processors) that affects a company’s data protection obligations, even across different jurisdictions and languages (see Recommendation and Alert Service in Section 1.3.5). In addition, Lynx will support interlinking between these legal texts (see Linking Service). Also, the system will be able to identify (standard) data processing clauses in general contracts (see also Extraction and Semantic Annotation Services).
In order to reach this objective, Lynx will:

  • (i) create an initial knowledge base around data protection by manually and automatically collecting possibly relevant documents;
  • (ii) provide surveying algorithms to automatically enlarge the knowledge base with new relevant documents from sources like Eur-Lex, BOE, etc.;
  • (iii) provide algorithms using interlinked terminologies to automatically link the knowledge base documents to other documents within or outside the knowledge base; a legal knowledge graph will be built as result of this activity;
  • (iv) offer a web interface to search, browse and comment on the documents in the legal knowledge graph. Lynx will feed into the existing openlaws.com platform, operated by OLS.

The platform to be developed will differ from existing legal document repositories in several aspects: (i) the comprehensive collection of relevant data protection documents; (ii) the inter-linking of legislation, case law, public documents and private contracts, and policies; (iii) the inclusion of references relevant to multiple jurisdictions (EU, AT, DE, ES, IT) and languages.