GDPR 2018: Are you on the right side of the law?

By Priya E. Abraham
Interview with Leftshift One

Learn from a tech startup the steps you need to take to protect your customers’ privacy and your brand reputation. Understand how you, too, can exceed customer expectations beyond the tick-box compliance.

Any organisation required to implement General Data Protection Regulation (GDPR) is presented with a number of duties and obligations they must fulfil for compliance.
 
Here are the selected key duties:
 

• Ensure data protection by design and by default
• Provide for security of personal data
• Guard the rights of EU customers - understand lawfulness and consent
• Demonstrate accountability and compliance

 
For practical relevance, I share my hands-on expertise from Leftshift One, a tech start-up specialising in the development and implementation of digital assistants. I had the distinct pleasure of working with Leftshift One in implementing the GDPR measures, and in this post, I share some of the insights I gained via an interview with Leftshift One.

Leftshift's technology, among other technologies on the Gartner Hype Cycle for Emerging Technologies 2017, enjoys an unprecedented popularity, particularly, in customer engagement (first level customer support). This is especially true when the use cases can be monetised, quality of the language recognition is high, and the user experience is positive.
 
Leftshift One’s unique approach features a rule-based language model for speech recognition, which allows them to operate in an ecosystem (on premise or private cloud). Most impressively, they managed to develop this for the German language, whose syntax is much more complex than English.
 
To gain more insight about the company and its approach to GDPR compliance, I asked Leftshift One for their insights.
 
Priya: What are Leftshift One's primary focus?
 
Leftshift One: Our primary focus is on linguistic dependency analysis; machine learning is secondary. I would add that we also focus on the business value for the client or use case. For example, a digital tourism assistant should not be used for processing pizza orders. Our Generic Artificial Intelligence Application (G.A.I.A.) can be employed instead on the internal system of the customer, i.e. on-premise, to create digital assistants. These digital assistants are customisable to meet the specific needs of the customer.
 
The advantage in G.A.I.A. is not only savings of energy and resources, but also in the software or the Smart Digital Ecosystem. At Leftshift One, we refrain from using external service providers such as Google, Microsoft, Facebook, etc., (i.e. NLP, NLG or Build-a-Bot service providers). As a result, we can guarantee data security even in a private cloud operation. This combination of data security and our own NLP service (what we call ATLAS) allows us to offer the customer an on-premise solution, which by default is GDPR-compliant.
 
Priya:  Obviously, this is a great starting point to leverage Article 25 Data protection by design and default as the startup simply does not rely on the use of big data.
 
Leftshift One: Yes, exactly.

Ensuring Data Protection by Design and Default

Priya: Let's talk about privacy by design, the guiding principle of the GDPR. Data privacy for individuals should be the default action and should be designed into all organisational and technology processes from the ground up.
 
How have Leftshift One implemented Data protection by design and default?
 
Leftshift One: We were already preoccupied with this topic before development of the solution. The principles of the GDPR are not new; they have too often been ignored. We knew that a GDPR-compliant solution was urgently needed in this area for the European market. That's why we decided to provide our customers with a solution that complies with these principles. Our clients are both software integrators who create digital assistants for their clients as well as customers who need a digital assistant directly from us.
 
Since the machine-learning approach requires a lot of data (what many refer to as big data) to deliver a high-quality result, we are now working on finding an alternative solution. We knew there had to be a solution that did not need endless amounts of customer data. By combining our machine learning approach with an artificial neural network and linguistic dependency analysis, we were able to achieve high-quality results for our clients and customers. This smart approach to technology is cost and energy efficient, affordable and customisable.
 
In addition, we encrypt any communication between assistant and customer or save data encrypted, without exception. The data is used exclusively by the algorithms - we ourselves have no knowledge of the content.
 
Since we have committed ourselves to data protection even before the development of our software solution, we are pursuing the concept of Data Protection by Design and Default. 

Providing for the Security of Personal Data

Priya: Arguably, the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR. Especially since it applies to all companies processing the personal data of data subjects residing in the Union, regardless of whether the company’s location is in the European Union. For this reason, it is essential that organisations must understand the concept of personal data. If you collect, store, or use any of the following: name address, localisation, online identifier, health information, income, or cultural information, then you have to abide by the rules.
 
The GDPR requires you to maintain records of the type of data you hold, where it came from and with whom you share it, all of which requires documentation.
 
How do Leftshift One provide for the security of personal data?
 
Leftshift One: Again, we chose the Data Protection by Design and by Default approach. As we already mentioned, we encrypt our data and have no knowledge of its content. Only the algorithm of our Cognitive Language Understanding Service, ATLAS, knows the content. However, a categorisation of the collected data must be made and documented. The Cognitive Language Understanding Service, ATLAS, processes the text even after the conversion of Speech2Text and categorises it automatically.
 
The integration code shows which data is processed and to which category it belongs. This means that we automatically know with each conversation what data is processed without knowing the content.
 
Of course, this is only possible if you both rely on a rule-based translation concept and make this connection.

Guarding the Rights of EU Customers

Priya: The GDPR enhances the rights of data subjects in the EU. The GDPR includes individual rights: to be informed; to have the right of access; to have the right to rectification; to have the right to erasure; to have the right to restrict processing; to have the right to data portability; and the right to object; and the right not to be subject to automated decision-making including profiling.
 
This means that your EU customers have the right to request access to and erasure of their information. In addition, you need to provide them with easier access to personal data, with clear and easily understandable information on processing. Making this information available gives your customers insight into how their information is used.
 
You will have to report data breaches to regulatory authorities within 72 hours, and in high-risk scenarios, to follow this reporting by notifying the individuals whose data may have been compromised. All data must have appropriate technical and procedural measures to ensure a level of security appropriate to the risk that it carries.
 
The conditions for consent have been strengthened. Under the GDPR the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Consent has strict requirements, including the fact that it can be withdrawn at any time.
 
How do Leftshift One guard the rights of EU customers?
 
Leftshift One: We need to differentiate between two types of personal data. The ATLAS service stores the data in an encrypted form and after each conversation the personal data of the session are deleted or are deemed irrelevant, i.e. the result of the digital assistant. Data is discarded or not stored. We do not store personal data in the system. Leftshift One are not interested in the data since we do not need it for processing.
 
Certain business cases, however, may require encrypted personal data to be stored. Let's take recommendation marketing, for example. In this case, the digital assistant asks the end user for permission.
 
Here's an example: The customer orders a pizza. ATLAS only translates the instructions. ATLAS now informs the service provider, who organises the order of the pizza, (i.e. the customer's request). The service provider himself has the personal data to initiate an order. John Doe, with his place of residence, credit card information, etc., is not necessary for the service fulfilment in the ecosystem.
 
However, if there is an explicit need to store personal data in order to automatically make recommendations, for example, the data will be stored in an encrypted form after the end user has given their consent. This personal data stored can be requested, corrected or deleted by the end user. Storing data, encrypting it and ensuring it is accessible requires a lot of effort but we do it because we value data security.
 
For both partners and customers who use our digital ecosystem, we rely on an established partner or expert for knowledge management, process management and CRM: Atlassian Confluence and Jira. Our solution is GDPR-ready by default and in compliance with the standards.

Demonstrating Compliance and Accountability

Priya: As entrepreneurs, you should expect regulators to potentially exercise their powers to access data and premises. They should also be able to demonstrate compliance with the GDPR principles relating to personal data. Mechanisms to assist with providing this proof include carrying out Data Protection Impact Assessments (DPIAs) and adhering to codes of conduct.
 
As explained earlier, the GDPR makes privacy by design and default an express legal requirement. It makes DPIAs (formerly known as Privacy Impact Assessment or PIAs) mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
 

• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals; or
• where there is processing on a large scale of the special categories of data.

 
How do Leftshift One demonstrate accountability and compliance?
 
Leftshift One: The HG3 startup hub, where Leftshift One is located, includes diverse experts from the tax, business consulting, legal and other industries. This startup hub has been Leftshift One's partner since its inception and also supports the company in matters of data protection.
 
In addition to checklists of data protection, we have implemented another proof already in the development process. These are user stories which contain not only the description of the functionality but also acceptance criteria, test cases or non-functional criteria. We now have an area for specifying data protection criteria for each user story. These criteria are reviewed twice in total.
 
The first review will take place as part of the "Definition of Ready (DoR) Review" before a user story is implemented. This is when the development team examines whether it can be implemented in compliance with data protection or what is necessary to ensure data privacy compliance during implementation.
 
The second review will be done as part of the "Definition of Done (DoD) Review" after the functionality has already been implemented. It ensures compliance with data protection requirements.
 
As a result, the risks related to the GDPR have already been identified and mitigated during the development phase.

Success Factors at a Glance

Leftshift One successfully leverage a holistic approach to creating a culture of privacy that goes far beyond the compliance requirements that many companies pursue. This approach is an integral part of a network of specialists essential to the creation and establishment of a culture of privacy. Together, we have developed an innovative, GDPR-compliant technology and have applied continuous feedback loops along the entire value chain beyond agile software development. In addition, we have voluntarily appointed a Data Protection Officer to represent them on privacy issues.
 
Leftshift One have seized the golden opportunity to build valuable and trust-based relationships with their clients through increased privacy, during this challenging growth phase.

Subscribe to Newsletter