DocuSign’s Structured Commitment to GDPR


We previously highlighted the importance of the General Data Protection Regulation (GDPR) in our blog: Compliance Deadline Fast Approaching for EU General Data Protection Regulation. Like many of our customers, DocuSign is preparing itself to comply with the GDPR requirements and aligning business practices to potential GDPR use cases.


Building on our Strong Commitment to Data Privacy and Security

GDPR readiness is a daunting task, but DocuSign began preparing for the GDPR by leveraging a strong history of controls and safeguards, evidenced by its recognised certifications. DocuSign's information security management system (ISMS) is certified to ISO 27001:2013, the highest level of global information security assurance available today. DocuSign also complies with eIDAS (N°910/2014) and specialised industry regulations such as HIPAA, 21 CFR Part 11, Annex 11, SAFE Biopharma and Sarbanes-Oxley. Building on the foundation these certifications provide, and aided by the discipline necessary to obtain and maintain this wide range of robust certifications, DocuSign is well positioned to meet the controls that will be required by the GDPR.


Analysing the Gaps

To build upon DocuSign’s existing certifications, DocuSign sought guidance from well-established privacy and legal professionals who helped interpret and apply the GDPR requirements to DocuSign. This expert team conducted a gap-analysis between DocuSign’s existing compliance-driven common control framework, which includes controls required by DocuSign’s pending Binding Corporate Rules application with the Irish Data Protection Commissioner, and the new requirements of the GDPR. DocuSign completed this gap-analysis to determine the tasks that it needed to incorporate across the DocuSign business and systems.


Categorising Privacy-Related Tasks

The GDPR tasks identified as missing were then distilled further using recognised privacy tools, which also assist with tracking the completion of such privacy-related tasks. This exercise allowed DocuSign to create a more structured and consistent approach to implementing and managing each new GDPR task, by categorising the tasks into understandable, bite-sized chunks for the applicable DocuSign departments to act on.

Each category consists of multiple tasks. In some cases, a task on its own provides sufficient context as to how it relates to the data privacy principles of the GDPR. In DocuSign’s experience, however, organising the tasks into specific categories, such as “maintain a privacy governance structure”, gives the applicable departments better insight into the objective of those tasks.

By way of example:

Category 1: Maintain a privacy governance structure

Tasks:

  • Engage senior management in data privacy
  • Assign responsibility for data privacy to an individual representative(s)
  • Align policies to demonstrate our process and our commitment to our customers and users
  • Train each of our DocuSign employees on all privacy and security expectations

Category 2: Embed privacy by design

Category 3: Manage third-party risk

Creating a GDPR Leadership Team

In parallel with the work being done to identify the missing GDPR tasks, DocuSign formalised its GDPR leadership team, with corresponding delegates, to tackle the tasks that must be completed to reach GDPR readiness. Moreover, the GDPR team is positioned to provide visibility and transparency to the company’s Executive Team and Board of Directors. Through its GDPR leadership team, DocuSign’s data protection and GDPR readiness work is active and underway, with visibility throughout the company.

The implementation of such compliance-driven programs is not new to DocuSign and, as with its other certifications, DocuSign remains committed to approaching this initiative diligently, with the utmost focus on securing and maintaining customer trust.

By Reggie Davis, General Counsel

Author: Mangesh Bhandarkar, GVP, Product Management