Legal View

Law firm launches chatbot to explain GDPR

Norton Rose Fulbright has unveiled a chatbot that addresses questions related to GDPR.

Law firm Norton Rose Fulbright has introduced a chatbot powered by artificial intelligence that responds to inquiries on the imminent European Union (EU) data protection law, the General Data Protection Regulation (GDPR).

The GDPR, which will come into effect on 25 May 2018, is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU.

The regulation was adopted in April 2016. Fines of up to EUR20 million or 4% of the firm's turnover (whichever is greater) can be imposed for the most serious data protection offences.

The chatbot, named Parker, helps companies in non-EU jurisdictions (including SA) to determine whether GDPR applies to their business, says Norton Rose Fulbright.

The chatbot uses natural language processing and has over 1 000 conversations. It will answer a wide variety of questions non-EU companies may have on GDPR, including whether the data protection law applies to their business and what activities the rules cover, it says.

Parker first helped businesses to respond to a major change in the Australian data protection notification regime that came into effect on 22 February, says Norton Rose Fulbright.

Kerri Crawford, senior associate for Norton Rose Fulbright's Johannesburg office, created the GDPR chatbot in conjunction with the firm's European data protection team.

"Following the successful launch of Parker to address clients' questions on the new Australian data protection notification regime, we wanted to examine the scope of the new EU GDPR: a subject of huge concern to businesses worldwide and which will take effect imminently," says Nick Abrahams, Norton Rose Fulbright global head of technology and innovation.

"For South African organisations, if the GDPR applies to you, consider how you can combine your GDPR and Protection of Personal Information Act compliance programmes, as many of the requirements are similar (although there are some differences). Combining your compliance programmes will save you time, effort and money," says Crawford.

GDPR is set to become the standard benchmark for data protection, says law firm Michalsons. A company might not actually have a presence in Europe, but if it processes any data of EU citizens, then it will have to take into account the GDPR. It might even be more important for that company than the Protection of Personal Information Act (POPIA).

EU countries not GDPR-ready

Meanwhile, Crawford says certain European states are more prepared than others. The European Commission in January said most EU member states had not yet passed the national legislation necessary to bring the laws of each country into line with the GDPR, she adds.

Research firm Gartner predicts fewer than half of all companies affected by GDPR will not be in full compliance by the end of 2018.

"The GDPR will affect not only EU-based organisations, but many data controllers and processors outside the EU as well," says Bart Willemsen, research director at Gartner.

"Threats of hefty fines, as well as the increasingly empowered position of individual data subjects, tilt the business case for compliance and should cause decision-makers to re-evaluate measures to safely process personal data."

It's unclear just how strictly GDPR, which EU nations adopted in 2016, will be enforced at the start, says Reuters.

Many observers expect regulators to take a forgiving approach and give companies time to get their systems in order, reserving harsh penalties for large firms that egregiously fail to comply, it says.

There has been unprecedented development of data protection and data privacy around the world, which can create serious challenges for companies, says Sharon van Rooyen, Africa leader for fraud investigation and dispute services at EY.

"Regulations such as the GDPR and POPIA are a direct response to these challenges. In South Africa, the soon-to-be-enacted POPIA is one such example. However, businesses that make use of forensic data analytics technologies to manage legal, compliance and fraud risks will be better able to mitigate risks while increasing business transparency."

To chat to Parker click here.
