On a mission to tame data

Akber Datoo has a striking analogy for the haphazard way certain financial services companies store vital legal documents. It is, he says, like buying expensive mahogany shelves, chucking all your books at them, then blaming the shelves when the books land anywhere or fall on the floor.

Rattling off the types of contracts and agreements that oil the wheels of the financial sector, Mr Datoo reveals his frustrations at companies where thousands of legal documents are drawn up by in-house legal teams, filed and promptly forgotten.

Yet these are documents that can save businesses from huge losses — or expose them to enormous risks.

He describes how a leading international investment bank called in his London-based company, D2 Legal Technology, to analyse certain types of derivatives in an effort to optimise its resources — such as collateral, capital and liquidity — as well as to understand better the issues of compliance and risk management.

D2 Legal’s role is to advise in-house legal teams on how to manage their legal data so they have a better overview of the relevant terms and requirements. “A lot of firms do not really capture enough detail from their legal agreement portfolios . . . their rights and obligations,” he says.

By allying a knowledge of the law to expertise in data and storage systems, D2 Legal says it can unlock significant value for a company. Its clients include global banks, such as Wells Fargo, Credit Suisse and Barclays.

In his 2016 book The Fall of the Priests and the Rise of the Lawyers, Philip Wood QC wrote: “The excessive volume of the law is a major defect. The volume of law is now out of control internationally and is unmanageable.”

It is this challenge that the growing “lawtech” sector is seeking to address: how to collate, reorder and make sense of the sheer volume of data that are relevant to areas such as business risk, litigation, e-discovery, and compliance.

With regulators everywhere increasingly inclined to show their teeth and new rules such as the EU’s General Data Protection Regulation (GDPR) on the horizon, both in-house and private practice lawyers are turning to technology to keep on top of such “excessive volume”.

Matthew Galvin, global legal and compliance director at international drinks company AB InBev, had the task of integrating its compliance systems with those of SABMiller when the two completed their $100bn merger in 2016 — a task dubbed Project Lantern.

By developing a data aggregation and analytics program capable of handling vast quantities of data from two multinationals combined into one, the company’s legal team was able to use algorithms to spot risky transactions more quickly and more cheaply than by having lawyers and accountants scour huge amounts of documentation.

“Instead of having a law firm do a post-acquisition analysis, we are planning to use the system to risk-score every single transaction,” says Mr Galvin.

Risk scores, for instance, might indicate an inappropriate payment — a duplicated transaction or one involving a government organisation or official, for example. “It is one thing to start analysing the data, but if you don’t have a system that tells you what to prioritise, the analyst doesn’t know where to put their efforts,” Mr Galvin says.

At the same time, Project Lantern uses regression analysis and machine learning to improve its own performance. “People categorise data in different ways, and that can be a handicap. So we are also risk-scoring the data for ‘data pollution’,” Mr Galvin says.

The next target is to have a program that will predict fraudulent or corrupt payments, though he says it is likely that will take another year to achieve.

The potential savings are obvious: not only would the company not have to pay teams of forensic accountants or investigators, but it would be able to improve its compliance practices and thus protect itself from fraud, and the financial and reputational damage that would ensue.

It doesn’t matter if you are a hospital or a grocery store, the moment you enter a human being’s information into your system, bang — you have to apply data protection legislation

When it comes to the compliance pitfalls of storing and processing large quantities of data, perhaps the most important issue for businesses as a whole is GDPR, due to come into force in May 2018. The GDPR regime will, for the first time in decades, overhaul the rules over what companies can and cannot do with personal data. The punishments for transgressions are potentially severe: the maximum fine for failing to comply with the regulation is 4 per cent of the previous year’s global turnover, or €20m, whichever is greater.

Companies and state organisations will have to set out clearly what information they hold and how they intend to use it, and gain a clear and unambiguous indication of consent from the customer for the use of their data.

The definition of personal data will be significantly broadened to include online identifiers and anything that reveals someone’s location, while “data subjects” will have an enhanced “right to be forgotten”. This is the ability to request an organisation to delete or remove their personal data unless there is a compelling reason not to do so, such as freedom of expression or a public interest defence. “Data privacy is applicable to any organisation — small, medium or a huge multinational,” says Patrick Van Eecke, global co-chair of data protection and privacy at DLA Piper. “It doesn’t matter if you are a hospital, a media company, the bakery or a grocery store, the moment you enter a human being’s information into your system, bang — you have to apply data protection legislation. That means many organisations are going to lag behind [in their preparations] because . . . compliance is not their core business.”

To help businesses with GDPR, DLA Piper has devised several tools, from a “privacy scorebox”, a self-assessment tool that gives a weighting to a client’s answers on their level of readiness, up to advanced analysis of clients’ “GDPR maturity”. It also has a GDPR app — in fact, there are a few on the market, including Hogan Lovells’ GDPRnow.

“This is not just a matter of quickly changing the privacy policy on your website,” says Mr Van Eecke. “GDPR has an impact on your data management systems, how you collect data, what you do with it, how long you store it, how you prove you have the consent from end users, how you anonymise data. It has a real technical impact.”