Reggie Davis, DocuSign’s General Counsel, helps drive acceptance and adoption of electronic signatures and digital transactions around the globe. We sat down with Reggie to get his thoughts on the upcoming General Data Protection Regulation (GDPR), DocuSign’s approach to it, and his insights on how DocuSign can enhance its customers’ ability to comply.
Q: So, what is the GDPR?
A: The General Data Protection Regulation (“GDPR”) is a European law that aims to strengthen data protection for individuals within the EU, and to make data privacy rules as uniform as possible for businesses throughout the EU.
Coming into effect on 25 May 2018, GDPR requires organisations that collect and use personal data (i.e. process personal data) to be highly accountable (and imposes significant fines for non-compliance). It also gives individuals greater say over what companies can do with the data that has been collected on them.
Q: What is DocuSign’s approach to the GDPR?
A: As both a data controller and processor, one of DocuSign’s top priorities is the privacy and security of our customers’ documents, and we are actively following the EU’s transition to the GDPR. We have already made strides in this area, many of which are applicable to the GDPR.
DocuSign has drafted Binding Corporate Rules (BCRs), including privacy codes, and submitted them with supporting documentation for approval by supervisory authorities in Europe. We will continue to agree to EU-approved Controller to Processor Model Clause Agreements with customers to ensure adequate protections for the privacy of EU data subjects and compliance with the law.
DocuSign also maintains certifications for ISO 27001 and the PCI Data Security Standard, maintains controls sufficient to meet the objectives of SOC1 and SOC2 or equivalent standards, and is assessed against those standards annually.
All ‘eDocument Data’ created by our customers when using the DocuSign service is automatically encrypted with an AES 256-bit, or equivalent, encryption key. Additionally, eDocuments processed by DocuSign for customers in the EEA can be stored in European data centres.
Q: What are Binding Corporate Rules (BCRs)?
A: BCRs define a corporation’s global policy around data protection – and they specifically allow multinationals to make intra-organisational transfers of personal data across borders in compliance with EU Data Protection Law.
BCRs are submitted to data protection authorities in the EU who review, edit and ultimately approve them – after which, the personal data transferred to and within the corporate structure is protected. BCRs are specifically referenced in the GDPR and are widely considered to be the “gold standard” for data protection.
Q: What is the difference between BCRs and the GDPR?
A: The GDPR is the broader privacy regulation that will go into effect on 25 May 2018 – and BCRs are one of the approved mechanisms for transferring personal data under the GDPR.
Q: What is DocuSign doing to prepare for GDPR compliance?
A: As an organisation focused on trust and careful handling of customer documents, DocuSign has developed a strong compliance culture and robust security safeguards that are reflected in its ISO 27001 certification. DocuSign’s GDPR compliance efforts will leverage these assets. DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements to inform its efforts, and, like many cloud service providers, is reviewing its data protection program and making adjustments to ensure compliance with the GDPR by 25 May 2018.
Q: Is DocuSign using its own technology to support its GDPR compliance efforts?
A: DocuSign commonly employs its own technology to support internal processes, such as policy creation, review and approval. DocuSign Signature is well-suited to securing consent in accordance with the GDPR, and we will look closely at deploying it for use cases where DocuSign relies on consent as a lawful basis for processing personal data.
DocuSign Signature is also well-suited to procurement and executing contracts with service providers, including data processors. We will deploy it as a part of our efforts to ensure that agreements with data processors contain the data protection terms required by GDPR.
Q: Can DocuSign help customers comply with the GDPR?
A: DocuSign can help customers in a few ways:
- If customers rely on consent as a lawful basis for processing personal data, then DocuSign Signature can help those customers collect and document consent.
- If customers want to increase the transparency of their processing, DocuSign Signature can also help customers deliver and document receipt of data processing notices.
- If customers need to procure or re-procure suppliers (i.e. data processors) with additional contractual terms required by the GDPR, then DocuSign is an ideal tool.
To learn more about the GDPR, how DocuSign is preparing for it, and how eSignatures can enhance compliance, visit the GDPR Basics page.