CompliAI: Data Privacy Compliance Tool for Organizations

Ana Luísa Almeida, E. Nesibe Kayhan, Murilo Matos [1]

Data protection law has been changing for some time, influenced by the development of society and technology. However, the issue is not just about adjusting to these changes. This can be explained through key points, such as the subject of data protection, the interests to be protected, and the regulatory concepts. From this, it becomes clear that data protection is complex and presents new challenges that have never been faced before.[2] At a deeper level, the bigger problem is not just the number of laws, but that many regulations only outline the steps of data processing. This approach still follows the old belief that legal rules can control everything, a mindset from a time when people thought planning could solve all issues.

Compliance with data protection regulations is costly for businesses of all sizes.[3] It can, therefore, be argued that companies are more concerned with the absolute costs associated with stricter regulations than with comparing these costs to those incurred by their competitors.[4] Some companies consider compliance costs to be minimal, while others emphasize the significant expenses they face. Developing data systems in which individuals must indicate their acceptance of personal data handling can also be quite costly. For instance, one company employs three lawyers full-time to ensure compliance with data protection regulations.[5]

Complying with data protection regulations can indeed be complex and costly. However, the enforcement of EU data protection law, known as the General Data Protection Regulation (GDPR), relies on monetary fines rather than criminal charges or other legal penalties in cases of non-compliance. These fines are significant and should not be underestimated. Companies that fail to comply with the GDPR not only face substantial fines but also risk damaging their reputation. To build a solid and effective reputation management strategy, businesses must ensure compliance with all regulatory requirements at every stage. Beyond providing excellent customer service and actively managing reviews, companies must demonstrate a strong commitment to regulatory accuracy and adherence to data protection laws.[6]

For instance, the UK Information Commissioner's Office (ICO) fined British Airways £20 million ($26 million) for a 2018 data breach that affected over 400,000 customers, compromising personal and payment details. The breach occurred due to insufficient security measures, allowing attackers to harvest customer data for two months before BA was alerted.[7] In another example, the Dutch Supervisory Authority (SA) fined Uber €290 million for improperly transferring and storing European drivers' personal data in the U.S. without adequate safeguards. The investigation revealed that Uber collected and transferred sensitive driver data, including account details, location data, payment information, identity documents, and even criminal and medical records, without using legally required transfer tools. The EU's Court of Justice had ruled in 2020 that Standard Contractual Clauses (SCCs) could enable data transfers outside the EU, provided equivalent protections were ensured. However, Uber stopped using SCCs in August 2021, leaving driver data insufficiently protected.[8]

The Luxembourg National Commission for Data Protection (CNPD) has fined Amazon €746 million for alleged violations of data protection laws, particularly regarding how it processes personal data for targeted advertising. Amazon denies any data breach or third-party exposure, arguing that the decision is based on subjective and untested interpretations of privacy law and that the fine is disproportionate. The company intends to challenge the ruling.[9] In May 2023, the Irish Data Protection Commission (DPC) found that Meta Ireland's data transfers to the U.S. failed to guarantee a level of protection equivalent to EU law. Meta Ireland was deemed unable to rely on derogations for these transfers. As a result, the DPC ordered the suspension of these data transfers, required Meta Ireland to bring its processing operations into compliance by ceasing unlawful data processing in the U.S., and imposed a €1.2 billion administrative fine for the infringement.[10]

To address this challenge, lawyers need to change the way they approach data protection. Instead of just acting as gatekeepers who prevent violations, lawyers should guide business developers by finding legal solutions that align with business needs, rather than focusing solely on avoiding legal risks. In this sense, legal technology can help automate data protection assessments. For example, similar to how Amazon recommends items based on user behavior, an intelligent system in legal tech could show people how data protection cases are handled under the new regulation. By analyzing data from previous cases and law, legal technology can also help identify best practices and strategies used in ensuring compliance with laws and regulations. What if there were a more affordable and accessible solution? That is why we designed the tool CompliAI.

The idea behind it is to serve as a digital assistant that helps companies better understand and navigate complex regulatory requirements. The key point is its main purpose: making regulatory compliance easier and more efficient. The goal is to automate processes that typically require significant time and human resources, streamlining them to be faster and more effective. Its functions include AI-driven real-time compliance checks, cross-checking tasks against current regulations, constant scanning of market news, an auto-updated legal database, reduced human error in compliance, and customizability for various jurisdictions.

The tool is trained with jurisdiction-specific regulatory frameworks. For example, if implemented in Germany, it will be educated using Germany's data protection laws, including relevant European Union regulations. However, it is fully customizable and can be adapted for different jurisdictions, such as Brazil, Turkey, and other non-EU countries. With the assistance of a local legal engineer, the tool will be regularly updated to reflect local regulations and developments in this field for the specific region. The EU Data Privacy Regulation was considered a foundational reference in the project's development, as many jurisdictions regard it as the basis for their own local laws. The answers generated by the tool are always based on the materials used to educate it, ensuring accuracy and compliance with local laws.

The tool offers a range of functionalities designed to assist businesses in navigating legal and compliance matters. One of its key features is Real-Time Legal Guidance. This user-friendly chatbot allows employees to ask legal and regulatory questions and receive detailed, creative responses. It enhances user interaction and improves the understanding of complex legal concepts, offering immediate assistance whenever needed.

Another important feature is Automated Document Generation, which focuses on improving efficiency. This functionality automatically generates legal and compliance documents such as contracts and legal guidance, ensuring that businesses receive accurate documents without the need for manual input. It helps reduce workloads and guarantees the creation of essential documents required by the company.

The tool also provides access to Compliance News and Updates, ensuring that users remain informed about the latest regulatory changes and market developments. For instance, if a company faces a significant fine due to a data breach, the tool will provide detailed information on the fine and its potential implications. To achieve this, the tool uses various methods such as RSS feeds, web scraping, and API integrations to retrieve and process relevant information from multiple sources. This functionality ensures that employees stay continuously updated on important compliance matters.

The system operates by integrating both natural language processing (NLP) and rule-based automation, with each technology serving distinct functions within the platform. Natural Language Processing (NLP) is primarily responsible for interactive conversations, allowing the system to understand context, capture nuances, and provide creative responses when needed. This technology makes the system more intuitive and user-friendly, enabling dynamic interactions similar to those with virtual assistants like Siri. In contrast, Rule-Based Automation is built around a strict "if-then" logic, making it ideal for tasks that require precision and consistency. For example, when generating legal documents, the system asks a series of structured questions to ensure accuracy and compliance. This method reduces variability, ensuring reliable and consistent results for tasks where detail and correctness are essential. Compared to other technologies, ours offers a user-friendly approach that moves beyond template-based solutions, providing a tailored experience that is customized to meet the specific needs of our clients.

The tool also integrates legal databases to provide users with up-to-date regulatory materials and relevant news. This is made possible through a combination of closed AI and open AI models, ensuring that both confidentiality and security are maintained while staying current with regulatory requirements. Closed AI is used for handling sensitive and proprietary company information, such as corporate governance, contracts, and company-specific materials, ensuring data isolation and minimizing security risks. Open AI, on the other hand, is used to retrieve and update regulatory information.

A standout feature of the tool is its real-time data protection compliance checks. This ensures that users always have access to the most current information, significantly reducing the time needed for research and compliance monitoring. The automated system ensures that any new regulation or development is quickly reflected on the platform. To further enhance usability, the system includes an intuitive, user-friendly compliance dashboard, making it easy for users to navigate and access the information they need efficiently.

The design of the tool prioritizes ease of use, ensuring users can quickly navigate and interact with the platform. The interface is intuitive, guiding users through each step of the process with clarity. The first feature, real-time legal guidance, allows users to engage with a chatbot that offers flexibility and responsiveness. The chatbot enables users to ask questions and receive answers that are not only creative but also fully compliant with the latest legal regulations. This ensures that users can obtain relevant legal advice in a dynamic, interactive format. The second feature, automated document generation, is designed for precision, with minimal room for creativity. Users simply request a specific document, and the system generates it by prompting a series of structured questions. The goal is to enhance efficiency while reducing the need for manual effort. Once the chatbot collects the required information, it generates a fully completed document in PDF format, ready for download without additional intervention. The third feature is compliance news and updates, which ensures that users stay informed about the latest regulatory developments and changes in the data protection landscape. The system provides timely updates on significant fines, new regulations, and other industry changes that may impact compliance teams. For example, when new regulatory developments occur in specific jurisdictions, such as Germany, or in EU-wide decisions, the platform will provide real-time updates, helping professionals stay current on the most relevant information for their jurisdiction.

A key point to emphasize is the target audience of the platform. The primary users are lawyers and compliance departments, who will interact with the tool by submitting prompts, engaging with the chatbot, and requesting legal documents. The system is designed to cater to different workflows, offering flexibility for users whether they need simple conversational guidance or a more structured document request. This dual functionality ensures that the platform can provide both interactive and precise outputs, depending on the user's needs. Once a query is submitted, the platform, CompliAI, follows a structured process: it first identifies the applicable regulations, then checks compliance requirements using integrated legal databases, and finally provides recommendations or generates a ready-to-use contract in PDF format. This streamlined process is designed to simplify complex tasks and provide accurate legal and compliance outcomes. The overarching goal of the platform is to reduce the margin of error that often accompanies human input and to significantly enhance efficiency by automating repetitive compliance tasks. This automation not only improves accuracy but also frees up valuable time for legal and compliance teams, allowing them to focus on higher-level decision-making and strategy.

One of the key advantages of CompliAI is its ability to enhance resource efficiency. Compliance typically involves time-consuming tasks such as legal document scanning, law comparisons, and extensive legal research, especially for new clients. These tasks require significant manpower and increase operational costs for companies. By automating these processes, CompliAI reduces operational costs while enabling legal professionals to focus on higher-value tasks. With real-time legal guidance and document automation, the tool eliminates the need for manual research into regulatory updates or cross-checking of compliance requirements. This leads to more efficient workflows and better allocation of resources within legal departments.

Another important benefit is the reduction of financial risk. CompliAI helps minimize legal and financial risks by continuously monitoring legal developments and providing automated compliance checks. This ensures that companies stay up to date with the latest regulatory changes, reducing the likelihood of accidental non-compliance and reputational damage. By staying proactive with legal updates, organizations can avoid costly consequences and maintain compliance without constantly monitoring changes themselves.

However, one challenge associated with AI is the risk of producing inaccurate or misleading information, which could have severe consequences in a legal context. To address this, CompliAI is designed as a decision-support tool rather than a replacement for legal expertise. While it provides recommendations and assists with compliance tasks, the final assessments and decisions are always made by qualified legal professionals. This ensures that the system supports rather than undermines the accuracy of legal processes.

Lastly, confidentiality is a critical concern in the legal industry, and CompliAI addresses this by utilizing a closed AI system. Sensitive business information, including legal documents and compliance reports, is kept secure within a controlled environment, minimizing the risk of external security breaches. The tool also offers an offline mode to ensure that confidential data is not exposed to the internet. Additionally, user activity tracking adds another layer of security by monitoring access and interactions within the system, further safeguarding sensitive information.

CompliAI aims to become a comprehensive legal compliance solution, extending its capabilities beyond the current focus on data protection to cover areas such as labor law, tax law, and corporate governance. This will allow the platform to serve as a comprehensive regulatory compliance assistant, addressing a wider range of legal needs. In line with these developments, international expansion is a key objective. Currently, CompliAI integrates with EU legislation, but there are plans to integrate jurisdiction-specific compliance modules for other regions. This will enable businesses to operate across multiple legal environments, ensuring compliance with diverse regulatory frameworks worldwide. To enhance its functionality, CompliAI will incorporate compliance risk assessment tools and AI-driven predictive analytics, providing real-time risk monitoring and proactive breach alerts. It also plans to deepen integration with corporate legal management systems to streamline compliance processes.

User experience remains a top priority in the development of CompliAI. The platform will continue to improve its natural language processing capabilities, making interactions with the chatbot more intuitive and user-friendly. As the landscape of cybersecurity laws, AI regulations, and digital governance frameworks evolves, CompliAI will ensure that its database is continually updated to provide users with the most current compliance information, keeping businesses ahead of regulatory changes and challenges.

Notes

[1] MLB/LL.M. Candidates at Bucerius Law School, Hamburg, Germany.

[2] Albers, M., Gutwirth, S., Leenes, R., & De Hert, P. (Eds.). (2020). Chapter 11: Realizing the complexity of data protection. In Reloading data protection: Multidisciplinary insights and contemporary challenges (pp. 213–235). Springer. https://www.jura.uni-hamburg.de/die-fakultaet/professuren/kommunikationsr/publikationen/albers-marion/albers2014-realizing-the-complexity-of-data-protection.pdf

[3] New Scientist. (2015, May 12). Data protection is complex and costly, finds obfuscation. https://www.newscientist.com/article/mg22830460-700-data-protection-is-complex-and-costly-finds-obfuscation/ ; Ludlow, M., & McKendrick, M. (2018). Innovative technologies or invasive technologies? University of Oxford. https://www.cs.ox.ac.uk/files/14641/Innovative%20Technologies%20or%20Invasive%20Technologies.pdf

[4] Heermann, M. (2024). Preferences and coalitions in European Union internet policy [Doctoral dissertation, University of Konstanz]. https://kops.uni-konstanz.de/server/api/core/bitstreams/1b4ec2f6-2a9b-43df-84f6-3acb48ba5171/content

[5] One study suggests that the U.S. economy incurs a staggering 365 billion USD annually just from reading privacy policies. The European Commission (2012b) reports that the total administrative cost of data protection regulations is 5.3 billion Euros, with 2.9 billion Euros attributed to fragmentation within the EU. Another study estimates that a single large company spends an average of 2.5 million Euros annually on compliance. A significant portion of these costs stems from the fragmentation of national data protection rules both within and outside the EU. In the UK, a report by the Ministry of Justice estimates that the proposed data protection regulations will result in an additional annual net cost ranging from £100 million to £360 million. Kommerskollegium. (2016). Trade and development implications of the EU General Data Protection Regulation: A case study of the impact on the global digital economy. United Nations Conference on Trade and Development. https://unctad.org/system/files/non-official-document/dtl_ict4d2016c01_Kommerskollegium_en.pdf

[6] GDPR EU. (n.d.). How fines from data breaches impact company reputation. https://www.gdpreu.org/how-fines-from-data-breaches-impact-company-reputation/

[7] BBC News. (2020, October 16). British Airways fined £20m for data breach. https://www.bbc.com/news/technology-54568784

[8] European Data Protection Board. (2024). Dutch SA imposes fine of 290 million euro on Uber because of transfers of drivers' data to the U.S. https://www.edpb.europa.eu/news/news/2024/dutch-sa-imposes-fine-290-million-euro-uber-because-transfers-drivers-data-us_en

[9] Simmons & Simmons. (2024, January 22). Amazon faces record GDPR fine. https://www.simmons-simmons.com/en/publications/ckrus16301do70a28ptvwqy5t/amazon-faces-record-gdpr-fine

[10] Data Protection Commission. (2023). Decision in the matter of Meta Platforms Ireland Limited (previously Facebook Ireland Limited) pursuant to the GDPR. https://www.edpb.europa.eu/system/files/2023-05/final_for_issue_ov_transfers_decision_12-05-23.pdf