Abstract

The General Data Protection Regulation (GDPR) came into effect in May 2018 to ensure and safeguard data subjects’ rights. Because compliance with the GDPR is compulsory, its enactment profoundly shaped, among other things, the privacy policies of data processing organizations, which must meet the GDPR’s transparency requirements. Nevertheless, even where there is goodwill to change, complying with the GDPR can be challenging for some organizations, e.g., small and medium-sized enterprises, due to, for example, a lack of resources. This study explores what factors may correlate with GDPR-compliance practices in organizations by analyzing the corresponding privacy policies. The contribution of this study is twofold. First, we have devised a classification model using machine learning (ML) and natural language processing (NLP) techniques to assess the GDPR-compliance practices promised in privacy policies regarding the GDPR core privacy policy requirement of Purpose. Using this model, we have collected a data set of 8 614 organizations active in the European Union (EU) containing organizational information and GDPR-compliance promises derived from organizations’ publicly available privacy policies. Our second contribution is an analysis of the resulting classification to identify organizational factors related to the disclosure of the GDPR core privacy policy requirement of Purpose in organizations’ privacy policies.
