GDPR Compliance - After consent, check your free comment areas

Does your GDPR compliance plan include open-ended comment fields? They are indeed a source of unstructured and potentially risky data collection. Don't panic, thanks to natural language recognition, you can automate certain tasks and thus better control the risk arising from free-entry fields.

Why prioritize the GDPR compliance of your free-form comment fields?

You are in charge of your company's GDPR compliance and you also face the exponential growth of internally processed personal data. You may have prioritized first consent management issues, since it is the legal basis of client data processing. Perhaps you have prioritized the review of consent paths? The legal basis of processing is indeed the very condition of the existence of your databases. You may then want to a have a quick look at the free comment zones.

Personal data is growing exponentially

The volume of personal data collected and stored by companies is increasing significantly due to a number of factors.

• The information collected by a company is mostly unstructured data**, which is not directly exploitable within the framework of traditional computer processing (contracts, estimates, invoices, notices, etc.)
• Relevant information can also be found on new online media (e-mails, social networks, discussion forum messages, etc.)
• Internal tools** and forms sent to customers (satisfaction questionnaires; contact forms) often include free comment zones (FCZ).
• Internal databases are enriched by acquisition from third party sources: data brokers, open data...
• New technologies for massive data collection are coming to the market and are used to collect more data on users (drones, connected objects, etc.). This volume of data makes manual control impossible.

Consent, the prerequisite to secure your databases

A personal database can only be used if it has a legal requirement, most often the consent of the people concerned. Without this, the processing has no legal existence and the data collected may be deleted at the request of the regulator. The review of the processes for collecting consent is therefore a priority action for you, especially since they are easy for the CNIL (Commission Nationale de l'Informatique et des Libertés) to audit. It is indeed about:

• On online or paper forms, the checkboxes for collecting consent allowing you to send commercial prospecting operations. On this subject, the CNIL has published practical sheets.
• On websites, a consent interface for the use of advertising, social or personalization cookies. This subject is now outlined by a 2019 CNIL decision as well as by a recommendation on consent modalities, currently under development.

Free comments... when your employees say too much

What if free comment areas were your next priority? In order to digitize their activities, the various departments of your company are equipping themselves with new tools that frequently include free fields. These fields allow you to fill in additional and useful information about:

• your customers (CRM)
• your company's employees (HIRS, payroll software, ERP)
• recruitment candidates (CVthèques).

But they can also lead to mistakes, in particular the seizure of unnecessary sensitive data or even illegal comments because they are insulting or defamatory. The CNIL is very interested in this issue and the complaints that it generates. The persons concerned can indeed access these comments when they exercise their right of access to their personal data.

For companies controlled by the CNIL, the consequences are real: formal notices, public sanctions, impact on the e-reputation, etc. To avoid this, you nee to monitor those sections. Manual moderation would be too demanding in terms of internal resources but automation is possible.

How to automate the GDPR compliance of your free comment areas?

It is possible to accelerate and simplify your GDPR compliance. To do this, first determine the actions to be taken. Many tools facilitate the automation of repetitive tasks. Natural language recognition in particular will simplify the moderation of free-form fields.

Identify the compliance actions to implement

You will need to audit the data already collected and review the processes in place to avoid future collection of problematic comments. Your action plan will therefore include the following tasks:

• Identifying internal tools that allow for free-form data entry
• Disabling any unused fields to reduce risk
• Auditing existing comments and moderating inappropriate or illegal comments
• Raising awareness among employees who use these internal tools and disseminating best practices on how to use input fields.

AI and plug and play: automate your compliance

The General Data Protection Regulation (GDPR) is applicable to all personal data processing implemented by all departments. This includes free comment areas. It therefore requires the fulfillment of numerous legal obligations in terms of data protection by the data controller.

Fortunately, this does not require that you allocate massive amounts of human resources either in your business or compliance teams.

Many solutions that industrialize processes and automate the execution of repetitive tasks are available. They come in the form of turnkey tools and plugins that are easy to implement on your websites and tools:

• Personal data classification tools
• Collaborative registers of data processing applied in the company
• Preference management centers that handles requests to unsubscribe from commercial mailing lists or certain GDPR rights (portability, access, rectification of data, etc.
• Cookie management modules
• Automatic audit tools for website and mobile application compliance
• Chatbots and e-learning tools for employee awareness
• And more

NLP to automatically analyze your free fields

Natural Language Processing (NLP) allows for the computer analysis of free-form comment fields and their understanding by machine. Beyond the simple detection of keywords, NLP also allows the understanding of, for example, turns of phrase or idiomatic expressions.

The machine is thus able to detect risky texts and assign them a categorization which corresponds to a task to be performed.

• It will scan existing comments to detect problematic text.
• It will simplify team awareness by providing live moderation of any new comments added. Non-compliance alerts can then be distributed to customer advisors, whether internal or outsourced, to people in charge of personnel management or payroll.

A content analysis module can be integrated into your CRM and other HRIS software. Simple tasks are delegated to the machine, like issuing alerts on a comment, or possibly blocking the use of certain types of words during input.

Your teams in charge of moderation save time. They will be solicited in a more relevant way, only on comments that pose a problem.