If you’ve been working toward General Data Protection Regulation (GDPR) compliance over the last couple of years, you are probably feeling like your data compliance environment is in good shape. You’ve identified what information exists, where it is and how it flows, and in the best-case scenario, you’re eliminating data silos that otherwise hamper end-to-end compliance processes. While improving these processes will continue to be a top priority, it’s time to find other ways to use these new data governance capabilities to help the business.
These days, I’m regularly being pulled into machine learning projects to offer some assurance that the personal and sensitive information pouring into these innovative applications for research and development (R&D), marketing and sales is being used in a compliant way. Certainly, good GDPR hygiene is a tremendous asset in this effort, but there is a lot more to consider when it comes to machine learning (ML).
Even as the massive, sprawling data stores used for ML projects can make enterprises more vulnerable to cyberattacks, cybercriminals are also recognizing the value of ML technology and are using it to prepare new, very sophisticated attacks. According to the ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends, “The adoption of new technologies like data analytics -- eventually based on artificial intelligence and machine learning -- opens new avenues to extract knowledge out of data, thus opening opportunities for cyber-criminals to abuse big data. If cyber-crime develops data analytics capabilities, new forms of abuse will be developed.”
The solution? Legal and compliance teams must launch their own ML initiatives to combat these new cyberthreat measures.
Organizations can now build on the foundation created by GDPR processes and use ML to:
• Automatically classify data as it comes into the organization according to its value and risk. This makes it easier to maintain an evergreen data map and ensure that the highest-level security controls are in place for the more valuable and high-risk data.
• Identify irregularities and gaps during application development processes, thereby eliminating security vulnerabilities before the software is released and cybercriminals have an opportunity to break it. This would also help R&D save time and reduce costs.
• Spot characteristics of a malware or phishing attack and consolidate this information to make better inferences and correlations to stop more sophisticated breaches. Since an average organization deals with 200,000 security events per day, ML is a necessary shield.
The application of ML by legal and compliance teams doesn’t stop with cybersecurity. For example, ML is now being used to accelerate and improve technology-assisted review and predictive coding of documents, as well as to classify documents to determine whether they need to be retained or can be disposed of -- all at petabyte scale. In addition, natural language processing (NLP), a branch of ML focused on the ability of machines to understand language, is already being used to help regulators identify EU data privacy violations. Organizations should be using similar strategies to track down flaws in their own compliance efforts.
In highly regulated industries such as financial services, ML can also help reduce the cost and complexity of regulatory compliance. Most banks maintain data at the line of business level, but data definition, quality and frequency may be inconsistent across the consumer, global markets and investment management divisions. An ML application can be used to efficiently track changing regulatory obligations, expectations and control requirements across the business. Such an application can also be used to automatically monitor specific compliance requirements related to surveillance, Foreign Corrupt Practices Act (FCPA), anti-money laundering (AML) and Know Your Customer (KYC).
