Recruitment Company EclectiC Enrols DocuSign into its GDPR Compliance Strategy
The “Customer Spotlight” series shines a light on the customers that are accelerating their business processes with DocuSign’s electronic signature platform.
Founded as an executive search company in 1992, EclectiC has become an international staffing company, focusing largely on senior IT and business professionals for project assignments and interim management roles.
Director of Operations and HR Stephanie Hain talked to us about how EclectiC is using DocuSign to enhance the company’s effort to comply with the GDPR ahead of the May 25th enforceability date.
Stephanie, can you provide an overview of EclectiC?
EclectiC International Consulting has been in the market for 25 years now. We provide IT staffing to corporate clients that are typically based in the Netherlands, with an international decision-making centre for IT hiring.
We have 180 consultants in the market, including our own and independent consultants too, which we can hire for clients’ projects. That means we have many contracts, assignment confirmations, NDAs and user allowances that need to be signed. Therefore, we handled a lot of paperwork before working with DocuSign. We’ve been a DocuSign customer for about four years now.
How does EclectiC approach data privacy and security?
For us, it has always been a very important topic as we handle personal data. So, when the topic of data privacy and the GDPR came up a year or two ago, we thought about how we should address the regulatory objectives. It’s not just about how we gather data, but also how we share data with our clients. We, of course, do this with their permission, but we have to keep them updated.
Looking at EclectiC’s GDPR compliance story, we had to find a practical approach. I conducted an analysis of the business’ data storage and flows, including where the data goes and who is aware of that. I have developed procedures in case there is a data leak, or a hosting partner does not have the right security, or if a laptop goes missing, for example. We checked with all of our suppliers that we share employees’ data with and any third party we are working with to check if they are compliant with the GDPR.
The last bit we needed to take care of was the data transfer, which typically occurs when we introduce candidate CVs to our clients. We considered encrypted software and then I realised we already have the solution in place. We have DocuSign. The data is encrypted and safe and stored in a European data centre. Rather than receiving an email with an attachment, recipients receive a link to sign a document, and we can make sure it can’t be printed or rerouted.
In order to make sure everyone is aware of this, we created a cover letter to accompany CVs so that the recipient signs, confirming that it contains sensitive data that needs to be treated in compliance with the GDPR.
Are you seeing the GDPR as an opportunity to reconnect with the people you serve, to be transparent and build trust?
You need to make the story positive. It is a headache as you have to do a lot, and the biggest problem people face is knowing where to start; there is no given structure that you can just adapt. You have to start from scratch.
But on the plus side, you have a topic to talk about with the people you’re approaching. You can ask if they are aware of the company having their data and present yourself as a serious party. In our industry, data is crucial. We have a lot of players who all seem to do the same, but you can differentiate yourselves. This is an opportunity to build a reputation as a serious player and to make sure you do your best to protect personal data.
Are you working with internal teams to address compliance?
We don’t have a formal ‘GDPR team’, but rather a group consisting of the IT manager, the owner of the company and myself. We’ve formalised the process and documented it. I researched the regulation via reports and webinars specific to our industry and began the documentation. While doing that, I recognised the gaps we had and how to address them.
As you’re evaluating the vendors you currently work with and will work with in the future, what’s important to you and EclectiC?
For us, it’s important that vendors take a serious approach to data privacy. We want to make sure that data is protected. It’s unlikely we’ll be getting audited on the 26th May, but if we do, we will be able to demonstrate that the company is doing its best to protect the data it holds.
Are there any specific DocuSign features that you’re utilising to demonstrate compliance?
The Certificate of Completion is very important to us in providing an audit trail. In our case, this will include a cover letter that has been digitally signed by our data subjects to show that they understand how EclectiC will handle their data in line with the GDPR regulation.
What advice would you give to anyone looking to implement digital tools to become GDPR-compliant?
First of all, review the tools you have. We were evaluating complex software solutions, when in fact we had the solution already. There are very simple solutions out there without the need to implement expensive and complex solutions.
What are the next steps for EclectiC as we approach the deadline?
We need to finalise our policies and documentation and ensure our partners and suppliers have GDPR policies in place. We will also be running an internal workshop to make everyone aware of the regulation and the work we’ve done to be compliant, and show what the workflows will be in the future using DocuSign.