What is the GDPR?
Approved and adopted by the EU Parliament in April 2016, the General Data Protection Regulation (GDPR) represents the most important data protection regulation change in 20 years. The GDPR replaces the Data Protection Directive 95/46/EC and was designed to update Europe’s relationship with data privacy by harmonising the various laws surrounding it, protecting and empowering all EU citizens’ right to it, and reshaping the way organisations across the region approach it.
Once the GDPR comes into effect on 25 May 2018, all companies processing and holding the personal data of subjects residing in the EU must comply with it, regardless of location.
About data privacy in Europe
With the explosive growth of the Internet, including social media and the cloud, the creation and processing of personal data has become ubiquitous. The GDPR aims to update data privacy standards to address these new technologies, while remaining true to original privacy principles established in 1980. Most importantly, unlike Europe’s Data Protection Directive 95/46/EC, it does not require any enabling legislation to be passed by government, meaning it will be in force across the EU after 25 May 2018.
Key changes in the GDPR
The GDPR includes several requirements that benefit consumers, mandate increased control and transparency, and add robust accountability requirements as well as significant fines for violations – up to 4% of global revenues or 20 million Euro, whichever is greater. Key differences in this data privacy regulation include stronger conditions for consent and obligations for data processors as well as data controllers, with obligatory contractual terms between the two. The GDPR also requires organisations to include data protection in the initial design of systems, a concept known as ‘privacy by design’.
How is DocuSign preparing for the GDPR?
As an organisation focused on earning our customers’ trust and handling their documents with care, DocuSign has developed a strong compliance culture and robust security safeguards, which are reflected in its ISO 27001 certification and its approved Binding Corporate Rules (BCR). DocuSign’s GDPR compliance efforts will leverage these assets. DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements to inform its efforts. Like many cloud service providers, it is currently reviewing its data protection program and making adjustments to ensure compliance with the GDPR by 25 May 2018.
Binding Corporate Rules
BCR is one of three approaches to ensure adequate privacy protection for personal data exported from the EU to countries like the United States. The other two are standard contractual clauses and the EU-US Privacy Shield. Without one of these measures in place, exports of personal data from the EU to the United States may not be lawful. BCR is regarded by some as the gold standard for data transfers, because it entails regulator review of an organisation’s data protection practices and is explicitly mentioned in the GDPR.
DocuSign has completed the approval process from the EU Data Protection Authorities (DPA) for Binding Corporate Rules (BCRs) both as a data processor and as a data controller. BCRs are global, company-wide privacy policies that ensure personal data is granted a uniform level of protection and security wherever it travels within a group of companies. These approved BCRs demonstrate DocuSign’s strong commitment to data protection and robust internal data protection practices.
How can DocuSign enhance my company's ability to meet GDPR requirements?
In light of the GDPR’s new requirements, many organisations should think seriously about their data protection posture, the applicability of the GDPR, and the steps they may need to take to ensure compliance. DocuSign’s eSignature solution can benefit companies that are developing GDPR-compliant processes, including obtaining and recording consent, and refreshing (updating or amending) and entering into contracts between data controllers and data processors that contain the GDPR-required terms.
The GDPR sets strict requirements for obtaining consent to process an individual’s personal data. Consent must be specific, informed, unambiguous, freely given, and documented. DocuSign eSignatures can enhance an organisation’s ability to meet these requirements by making it easier to obtain affirmative consent in real time at the point of data collection. eSignature allows companies to demonstrate consent with a court-admissible, tamper-evident audit trail.
Contracts Between Data Controllers and Data Processors
The GDPR sets forth specific requirements for contracts between data controllers and the suppliers they use to process the personal data they control, known as data processors. DocuSign eSignatures can greatly simplify the process of updating contracts to contain the terms the GDPR requires, by streamlining contract workflows and accelerating the procurement process. eSignature gives senders complete visibility of where each document is and who has yet to sign, with automated reminders to help speed the process along.
DocuSign should be a core part of your GDPR solution. With our trusted platform, you can:
- Collect consent from new and existing customers in real time at the point of notification or onboarding, enabling compliance through auditing capabilities without sacrificing a simple, user-friendly experience.
- Procure or re-procure suppliers who process personal data on your behalf.