Analyzing Data Privacy Risk Areas Across Agreements

The topic of data privacy has gone through several key evolutions recently. In only the last few years, the passage of General Data Protection Regulation (GDPR) in the EU and California Consumer Privacy Act (CCPA) in the U.S. have given data subjects new rights and fundamentally redefined the relationships between businesses and consumers. With those laws as precedent, new regulations are being proposed all over the world that will give consumers new rights over their personal data, and new rulings are simultaneously invalidating existing frameworks. 

As a result of those new requirements, organizations must move quickly to keep up with a complex patchwork of different international, national and local laws governing data privacy. As additional laws are passed and become enforceable, compliance becomes increasingly difficult to manage by the same old processes. Organizations have to establish new workflows to responsibly manage customer data and meet the appropriate legal obligations.

To dive into a few of these recent obligations, DocuSign hosted a webinar that discussed Four Strategies for Data Privacy Law Readiness webinar. No single action will guarantee compliance with the existing series of laws, let alone ensure compliance with the complications introduced by future laws and amendments. Instead, businesses need to focus on agile compliance strategies that will streamline necessary actions. In this post, we’ll explore one of those strategies—risk analysis—in depth. To read more about the other three key strategies, download the Four Strategies for Data Privacy Law Readiness ebook.

Analyzing data privacy risk areas across agreements

Agreements evolve over time. Any time there’s new regulation that impacts data rights, it’s important for organizations to dive into existing agreements and see how the language stands up in light of the new guidelines. When legislation or court rulings change privacy laws on a broad scale — like GDPR or CCPA — businesses need to examine existing language and use that new lens to define relationships with any relevant party: customers, regulators, vendors, partners, employees and more.

As those agreements are analyzed, there’s a series of new questions to ask. Are the terms of existing relationships still compliant? Are there now gaps in the framework set forth in the agreements? Is any party obligated to take action as a result of the new law? If so, what’s the timeline for taking that action? Here’s a quick rundown of some areas of interest that are particularly relevant to analyzing agreements regarding data privacy:

Classifications and restrictions around service providers

At the heart of CCPA is a reclassification of all organizations into three categories: businesses, service providers and third parties. To begin understanding obligations and responsibilities, organizations need to clearly identify the correct role for each party in the library of existing agreements. This is true beyond just CCPA. Successful agreements will clearly identify roles and relationships of every party involved. Once that analysis has been done, there needs to be additional clarification around what services are provided and the restrictions/obligations for each party to ensure those services are delivered correctly.

Transparency/audit rights

An important part of business-to-business relationships is diligence research before an agreement is signed. It’s imperative that an organization put privacy and security information front and center so other companies and customers can find it easily and make sure the consent and frameworks in place are adequate. Moving forward, new agreements will require audit provisions to review vendor relationships on an ongoing basis to make sure that every party is fulfilling their obligations.

Security breach provisions

During agreement analysis, organizations need to clarify details about what happens in the event of a security breach. No organization ever plans for a data breach, but they still happen and making mistakes in a post-breach response only compounds the error. There are a series of different laws that are a part of this process (especially if business is done in multiple states or countries), and compliance failures result in large fines, so it’s important to have this process thoroughly defined in paperwork. Proper agreements will specify the obligations of each party in the event of a breach, notification processes and how liability will be apportioned.

Arbitration clauses

An interesting development in business-to-consumer relationships is that companies have been including arbitration clauses in terms of service to avoid class action suits. Recently, the way that suits against companies are filed has changed, with multiple customers individually suing a company rather than a collective class action suit. That change has resulted in businesses owing millions of dollars in fees before arbitration even starts. To avoid those fees and unnecessary arbitration processes, businesses are including new language in agreements. CCPA appears to limit parties’ ability to waive the right to a private action if consumers are affected by a data breach of certain types of personal information. 

How DocuSign can help

Widespread agreement analysis is manageable, but the issue is volume. Depending on the size of an organization and the nature of its work, it could have a base of tens of thousands of agreements that need to be analyzed. It’s simply not reasonable to manually process all those documents to identify areas of impact. Even a keyword search can miss crucial risks and opportunities in that language.

DocuSign Insight is purpose-built to analyze enormous libraries of agreements. It starts by creating a central repository of searchable texts, using optical character recognition to combine documents from almost any source and file type into a single searchable library. From there, Insight uses AI to scan the text and analyze language by broad concept rather than simple keywords. DocuSign even built a data privacy Insight Accelerator to analyze agreements for this specific use case. Insight radically reduces analysis time by pinpointing and extracting exact agreement language about data privacy, company roles, customer protections in different geographies and liability, freeing up hundreds of hours of manual labor. 

To learn more about maintaining compliance with GDPR, CCPA and other data privacy regulations, download Four Strategies for Data Privacy Law Readiness.

Published