
By Zita Agwunobi
Abstract
Compliance is being largely boosted and supported through automation in standardizing, efficiency, and monitoring of compliance processes with automated due diligence platforms. However, they also suffer from inherent problems of collecting large amounts of personal data, algorithmic processing of that data pertaining to privacy and security, and of a legal regulatory nature. Sensitive personal and business data can expose organizations to reputational damage, regulatory penalties, and lawsuit liability if not handled according to the law. This article explores the privacy and security risks associated with automated due diligence environments and reviews privacy paradigms and legal regimes, and recent relevant case laws, while also outlining best practice approaches to minimize exposure. It posits that while automation undoubtedly presents significant benefits to compliance functions, safeguards and robust governance are needed to protect company interests and balance efficiency with accountability.
Keywords
Automated Due Diligence, Data Privacy, Data Security, GDPR, Compliance, Algorithmic Accountability, Cross-Border Data Transfer
Introduction
The implementation of automated due diligence processes in fields such as finance, law, supply chain management and others has taken off as digitalization has captured compliance. These platforms use emerging technologies including Artificial Intelligence, Machine Learning, and Data or Advanced Analytics to automate processes such as counterparty screening, risk understanding, and the increasingly dynamic regulatory landscape. For multinational or complex organizations, the advantages of automation offer efficiency gains in significant quantities of data across jurisdictions.
However, the technology revolution does pose a large amount of risk. The due diligence process in itself contains sensitive personal and corporate information, such as financial information, ownership structures, a litigation history, and possibly even political ties. When sensitive or personal information is collected, stored, and transmitted using automated technology systems, risks arise and expose vulnerable processes to possible exploitation addressing cyber attacks or regulatory breaches when handled improperly. Other environments are drawing increasing attention on data protection mechanisms worldwide, further increasing the relevancy of this situation. (Warren & Brandeis, 2019).
This has provoked a backlash from policymakers and regulators in the form of new data protection legislation, most significantly the European Union’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA). But, as the case law illustrates, operational integrity as well as legal formality are required. The obstacle for companies is finding a way to implement privacy and security protections in automated due diligence processes without sacrificing the benefits of automation, which is the reason to adopt it in the first place.
Risks in Automated Due Diligence Platforms
Automated due diligence processes can pose risks in three main areas: privacy invasions, cybersecurity attacks, and algorithmic bias.
Intrusions of privacy may occur when sensitive personal information is collected or processed in the absence of necessary protections or without informed consent. Data captured by automated processes can be compiled from public records, tax documents, and information held by private companies and can represent vast troves of information that, when breached, can place either individuals or entities at risk for identity theft, fraudulent activity, or reputational damage (Tzanou, 2017).
And cybersecurity threats add to it. Due to the valuable data now stored, platforms become attractive targets for malicious actors . The risk of devastating compromises is increased by ransomware, insider threats, and weaknesses via third-party integrations. For example, a 2020 attack on a major legal services company revealed sensitive corporate due diligence information, highlighting the industry’s susceptibility (ENISA, 2021).
Less apparent but no less important are algorithmic risks. Automated due diligence commonly uses risk-scoring models that can unintentionally entrench bias or predictions based on incomplete datasets, inherited bias from training data. While this also creates ethical concerns, it may also open up firms to lawsuits for discrimination (O’Neil, 2016).
Legal Obligations and Case Law
Data privacy and security regulations in automated due diligence present a complex and constantly shifting landscape. The GDPR is still the world leader, with obligations that include lawful processing, data minimization, and the right to be forgotten. Due diligence companies must operate in accordance with these principles in relation to the collection of personal data, even if the data has been obtained from outside of the EU (Voigt & Von dem Bussche, 2017).
There has been some more recent case law confirming the seriousness of obligations as well. The Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in Schrems II (2020), producing a monumental ruling in regard to the challenges for data transfers when local laws around surveillance create gaps in the data protection commitments. The impact of this ruling meant significant change to the existing contractual and technical safeguards, not only for the due diligence operations that were relying on cloud computing services outside of the EU, but potentially for the data of individuals and organizations in the EU.
CCPA, HIPPA and other similar state regulations have been applied in the U.S., highlighting liability as a concern. One instance where regulators are beginning to discipline firms for errors in automated compliance systems is the 2022 settlement of a case against a fintech company that failed to properly encrypt their customer due diligence records . Similarly, some actions taken in Asia regarding Singapore’s Personal Data Protection Act (PDPA) have also hinted at data breach notification and measures to secure data proactively.
These shifts show that to be automated does not mean to be less accountable: accountability is not diminished by automation. Companies that adopt automated due diligence, on the other hand, would show a higher degree of care in tracking the flows of data, data storage, and documentation of compliance practices.
Compliance Strategies and Best Practices
To manage risks while benefiting from automation, organizations need to maintain compliance that builds privacy and security into due diligence systems.
The first principle is “privacy by design,” where compliance protections are built into the design of automated platforms and not slapped on as an afterthought (Cavoukian, 2011). This means minimizing data collection data only if absolutely necessary under the due diligence mandate and pseudonymizing as needed, as a way to minimize the risk of exposure of personal identifiers.
The second principle is layering security controls, and that means using encryption, access restrictions, and continuous monitoring. Given the cross-border nature of many due diligence processes, organizations will want to ensure compliance against data transfers, for example, Standard Contractual Clauses under GDPR.
The third principle is algorithmic accountability. Organizations will want to continuously audit their risk scoring models to identify areas for improvement to reduce unintended bias. The transparency of how the automated assessment reached a particular decision renders it fairer and more defensible against legal or political challenges (Barocas & Selbst, 2016).
Lastly, compliance must be a part of all workflows, from the beginning to the end of the value chain which might mean continual organizational or cross-functional training. Organizations will want to work closely with their legal, IT, and compliance teams on how to create an efficient yet effective workflow. Relatedly, organizations may want external assurance of compliance or certification through accredited organizations. In this way, we look at external audits or certifications (e.g., ISO/IEC 27001 for information security) to provide assurance to the organization, regulators, and other stakeholders.
Conclusion
Automated due diligence systems are the boon and bane of digital compliance. They have become integral to a globalized economy because they allow for scalable and efficient calculations of risk. But the dependence on such sensitive personal and business data represents an exploitable vulnerability that requires careful governance. The risks from reputation or litigation that come from breaches of privacy, cyber attacks, and algorithmic biases are a concern for companies, and the changing case law can also illuminate how serious these risks become if there is not regulatory compliance.
The way forward is to build in the concepts of privacy and security into the very DNA of automated due diligence processes. Firms that engage in privacy by design, rigorous security practices, and algorithmic accountability will not be penalized, but will thrive in being trusted by regulators and funders and customers. Data is the new currency of reputation and regulation, and the ability to keep private data that is automatically processable, is not simply a competitive advantage but a question of existence.
Author
Zita Agwunobi is a Legal Data Analyst, Technology and Compliance Attorney, Analyst professional with over 15 years of experience.
References
Barocas, S., & Selbst, A. D. (2016). Big data’s disparate impact. California Law Review, 104(3), 671–732. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2477899.
Cavoukian, A. (2011). Privacy by design: The 7 foundational principles. Information and Privacy Commissioner of Ontario. https://privacy.ucsc.edu/resources/privacy-by-design—foundational-principles.pdf.
ENISA. (2021). Threat Landscape Report 2021. European Union Agency for Cybersecurity. https://www.enisa.europa.eu/publications/enisa-threat-landscape-2021.
O’Neil, C. (2016). Weapons of math destruction: How big data increases inequality and threatens democracy. Crown. https://www.researchgate.net/publication/314165204_Cathy_O’Neil_Weapons_of_Math_Destruction_How_Big_Data_Increases_Inequality_and_Threatens_Democracy_New_York_Crown_Publishers_2016_272p_Hardcover_26_ISBN_978-0553418811.
Tzanou, M. (2017). The fundamental right to data protection: Normative value in the context of counter-terrorism surveillance. Hart Publishing.
https://script-ed.org/article/the-fundamental-right-to-data-protection-normative-value-in-the-context-of-counter-terrorism-surveillance/
Voigt, P., & Von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR): A practical guide. Springer. https://link.springer.com/book/10.1007/978-3-319-57959-7
Warren, S. D., & Brandeis, L. D. (2019). The right to privacy. Harvard Law Review, 133(7), 1934–1956. (Original work published 1890).
https://groups.csail.mit.edu/mac/classes/6.805/articles/privacy/Privacy_brand_warr2.html
Disclaimer
Comments expressed here do not reflect the opinions of Vanguard newspapers or any employee thereof.