What is the GDPR?
Approved and adopted by the EU Parliament in April 2016, the General Data Protection Regulation (GDPR) represents the most important data protection regulation change in 20 years. The GDPR replaces the Data Protection Directive 95/46/EC and was designed to update Europe’s relationship with data privacy by harmonising the various laws surrounding it, protecting and empowering all EU citizens’ right to it, and reshaping the way organisations across the region approach it.
Once the GDPR comes into effect on 25 May 2018, all companies processing and holding the personal data of subjects residing in the EU must comply with it, regardless of location.
The Evolution of Data Privacy
With the explosive growth of the Internet, including social media and the cloud, the creation and processing of personal data has become ubiquitous. The GDPR aims to update data privacy standards to address these new technologies, while remaining true to original privacy principles established in 1980. Most importantly, unlike Europe’s Data Protection Directive 95/46/EC, it does not require any enabling legislation to be passed by government, meaning it will be in force across the EU after 25 May 2018. From this date onward all companies processing and holding the personal data of individuals residing in the EU must comply with the GDPR, regardless of company location.
Key changes in the GDPR
The GDPR includes several requirements that benefit consumers, mandate increased control and transparency, and adds robust accountability requirements as well as significant fines for violations – up to 4% of global revenues or 20 million Euro, whichever is greater. Key differences in this data privacy regulation include stronger conditions for consent and obligations for data processors as well as data controllers, with obligatory contractual terms between the two. The GDPR also requires organisations to include data protection in the initial design of systems, a concept known as ‘privacy by design’.
How is DocuSign preparing for the GDPR?
As an organisation focused on earning our customers’ trust and handling their documents with care, DocuSign has developed a strong compliance culture and robust security safeguards, which are reflected in its ISO 27001 certification and its approved Binding Corporate Rules (BCR). DocuSign’s GDPR compliance efforts will leverage these assets. DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements to inform its efforts, and, like many cloud service providers, is currently reviewing its data protection program, making adjustments to ensure compliance with the General Data Protection Regulation (GDPR) by May 25, 2018.
Binding Corporate Rules (BCR)
BCR is one of three approaches to ensure adequate privacy protection for personal data exported from the EU to countries like the United States. The other two are standard contractual clauses and the EU-US Privacy Shield. Without one of these measures in place, exports of personal data from the EU to the United States may not be lawful. BCR is regarded by some as the gold standard for data transfers, because it entails regulator review of an organisation’s data protection practices and is explicitly mentioned in the GDPR.
DocuSign has completed the approval process from the EU Data Protection Authorities (DPA) for Binding Corporate Rules (BCRs) both as a data processor and as a data controller. BCRs are global, company-wide privacy policies that ensure personal data is granted a uniform level of protection and security wherever it travels within a group of companies. These approved BCRs demonstrate DocuSign’s strong commitment to data protection and robust internal data protection practices.
How can DocuSign enhance my company's ability to meet GDPR requirements?
In light of the GDPR’s new requirements, many organisations should think seriously about their data protection posture, the applicability of the GDPR, and the steps they may need to take to ensure compliance.
Key Use Cases
With DocuSign, your organisation can automate key workflows related to GDPR requirements.
Transparency and Consent: Gather consent at the point of data collection by embedding secure, low complexity, no code Powerforms within your application or use bulk send to gather individual consent via email. Demonstrate consent with a court-admissible tamper-evident audit trail. Learn more about how DocuSign can help streamline the process of obtaining consent.
Streamlined Procurement: DocuSign eSignatures can greatly simplify the process of updating contracts to contain GDPR-required terms, by streamlining the contract workflows and accelerating the procurement process. eSignature gives senders complete visibility of where each document is and who has yet to sign, with automated reminders to help speed the process along.
Subject Access Requests: DocuSign Embedded Signing and Powerforms streamline the collection of subject access requests. DocuSign can also help automate the process for tracking, authenticating, documenting, responding, and securely delivering content for subject access requests.
Privacy Impact Assessments: Manage internal workflows across the business including operations, IT, and compliance teams with templates to track proposed system changes that could impact privacy. DocuSign offers a built-in audit trail to document these GDPR processes.
Breach Notification: Be prepared for major breaches as well as smaller scope incidents where personal data is compromised with an automated workflow and template that lets each team know what needs to be done to respond. DocuSign can help manage and document internal efforts to mitigate privacy impacts.
To learn more, watch this video.