A major milestone in data privacy regulation, the European Union General Data Protection Regulation (GDPR) will become effective on 25th May 2018. Compliance with this regulation is fast approaching and has significant implications not just in the EU, but also for any enterprise and multinational organisations conducting business with EU member states.
Reshaping Data Privacy to Drive Consistency in the Internet Era
With the explosive growth of the Internet, the creation, collection, use, and retention of personal data has become ubiquitous in today’s world of cloud and social media. GDPR aims to update data privacy standards to address today’s technology while remaining true to the set of original privacy principles established by the Organisation for Economic Co-operation and Development (OECD) in 1980. Most importantly, GDPR is a regulation that will become enforceable in all EU member states on 25th May 2018.
Why Companies Should Care about GDPR
GDPR applies not only to organisations based in the EU, but also to all companies processing and storing the personal data of EU citizens, regardless of where the company is located or where the data processing occurs. Furthermore, GDPR may not apply to your company directly, but it may apply to your customers. Personal data includes any information that can be used to directly or indirectly identify the person, including name, email address, photos, posts on social media, medical information or even a computer IP address.
Under GDPR, the penalties for non-compliance are significant. Organisations can be fined up to 4% of annual sales or 20 million Euro, whichever is greater.
Preparing Your Organisation to Comply with GDPR
GDPR includes several requirements that benefit consumers and mandate increased control and transparency. The GDPR mandates the type of personal information that can be collected, how personal information needs to be stored and protected, and what organisations must do in the event of a data breach. The GDPR also places additional security requirements on organisations. Key principles include:
- Transparent & lawful personal data collection – With a focus on transparency, GDPR requires privacy notices to be in a clear and easy to read format, and include certain mandatory information. Where consent is the lawful basis for processing personal data, it must be specific, informed, unambiguous, and freely given by a statement or clear, affirmative action.
- Limited storage/retention – Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- Protecting personal data – Personal data must be handled in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Notification of data breaches – Data breaches which may pose a risk for individuals must be notified to the European Data Protection Authorities (DPA) within 72 hours and to the affected individuals without undue delay.
Setting a High Bar for Digital Transaction Management
Many organisations begin their digital transformation journey by digitising workflows with a digital transaction management (DTM) platform and eSignature solution. Because corporate documents often contain sensitive information and personal data, DocuSign believes it is important to set a high bar for data privacy when making the transition to digital.
One of DocuSign’s top priorities is the privacy and security of our customers’ documents. We are actively following the European Union evolution to the GDPR. DocuSign currently meets or exceeds UK, European and international security standards, including strict security policies and practices that set the standard for world-class information security in digital transactions and electronic signatures.
DocuSign is ISO 27001:2013 certified as an ISMS, the highest level of global information security assurance available today. DocuSign also complies with eIDAS (N°910/2014) and specialised industry regulations, such as HIPAA, 21 CFR Part 11, Annex 11, SAFE Biopharma and Sarbanes-Oxley.
By Reggie Davis, General Counsel, DocuSign
Learn more about the basics of GDPR and how DocuSign can enhance your company’s ability to comply.