On 25 May 2018, the General Data Protection Regulation (GDPR) became the main legal framework for data protection in the EU. It applies to any organisation that processes the personal data of individuals in the EU when offering them goods or services or monitoring their behaviour, regardless of where the organisation is established. So regardless of size, location, or industry, companies need to get the right controls and records in place to ensure they are not caught out. With administrative fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher), the consequences of non-compliance are severe.
Although there are a number of different specifications that come under the GDPR umbrella, one of the biggest challenges for companies is the requirement that individuals must give specific, clear, documented consent for their personal data to be used – and companies must have appropriate measures in place to capture, record and manage this.
Data controllers are also required to have strict contracts in place with all third party companies processing data on their behalf.
Although these requirements set a high standard for GDPR consent, organisations that meet them build trust, protect their brand and reputation, and avoid hefty fines. Remaining compliant on an ongoing basis can seem daunting, but there is a lot of technology that can ease the process, including e-signature technology.
Capturing consent with e-signatures
With the GDPR in force, all personal data has to be protected, whether it is high-risk, such as financial information or medical records, or lower risk, such as a name. Consent is one of the lawful bases for processing under Article 6, alongside others such as performance of a contract or a legal obligation; where consent is the basis relied on, capturing it from the individual so you can hold and use their data, and being able to prove that you did, is a key part of the process.
E-signature technology can be used by organisations to capture consent conveniently, comply with the active opt-in requirement (pre-ticked boxes and silence do not count), and demonstrate the precise details of what was agreed. Consent can also be captured from any device. With people using a variety of devices to carry out tasks, it is important that the technology companies use to capture consent can accommodate all of them.
Electronic signatures can also support different signature methods, including click-to-sign and hand-scripting signatures on a touchscreen device, which optimises the user experience.
Behind the scenes, e-signature technology also captures a comprehensive audit trail which records exactly what the signer consented to, when they signed and by which method. This matters under the GDPR because the controller carries the burden of proof that consent was given: a tamper-evident record lets a business demonstrate compliance after the fact, which resonates well with legal and compliance teams.
For the GDPR's unbundled and granular consent requirements, electronic signature solutions allow the signing of documents to be separated, which is useful when consent must be obtained alongside other documents such as terms and conditions without being bundled into them. Consent can also be captured separately for each purpose within a document to meet the granularity requirement. If a change in processing means fresh consent is needed, for example a new purpose or a materially different set of processors, a renewal request can be sent through the same e-signature workflow, and withdrawals can be recorded in the same trail.
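To make the two points above concrete, the following Python is an added illustration written for this page, not OneSpan's product code or any real e-signature API: a per-purpose (granular) consent log where each grant or withdrawal is hash-chained to the previous record and tagged with a keyed MAC, so a record that is altered after signing is detectable. The `AUDIT_KEY`, subject and document identifiers, purposes and timestamps are all constructed sample values.

```python
"""Tamper-evident, granular consent audit trail (illustrative example only)."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Assumption: a secret held only by the audit service. In a real deployment it
# would come from a KMS/HSM rather than a literal in source.
AUDIT_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first record


def _canonical(obj) -> bytes:
    # Canonical JSON so the same record always hashes to the same value.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(prev_hash: str, body: dict) -> str:
    # Chain link: each hash covers the previous hash plus this record's body.
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


def _record_tag(record_hash: str) -> str:
    # Keyed MAC over the chain hash: someone who can rewrite the whole chain
    # still cannot produce valid tags without AUDIT_KEY.
    return hmac.new(AUDIT_KEY, record_hash.encode(), hashlib.sha256).hexdigest()


def append_event(trail: list, subject_id: str, event: str, purposes: dict,
                 method: str, document_id: str, signed_at: str) -> dict:
    """Append one consent event ("grant" or "withdraw") to the trail.

    `purposes` maps each separately consented purpose to True/False, so consent
    is recorded per purpose rather than as one blanket yes/no.
    """
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    body = {
        "seq": len(trail),
        "subject_id": subject_id,
        "event": event,
        "purposes": dict(purposes),
        "method": method,          # e.g. "click-to-sign", "touchscreen-script"
        "document_id": document_id,
        "signed_at": signed_at,    # ISO 8601 UTC, supplied by the caller
    }
    h = _record_hash(prev_hash, body)
    record = {"body": body, "prev_hash": prev_hash, "hash": h, "tag": _record_tag(h)}
    trail.append(record)
    return record


def verify_trail(trail: list) -> Tuple[bool, Optional[int]]:
    """Recompute every link and tag; return (ok, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["prev_hash"] != prev or rec["body"].get("seq") != i:
            return False, i
        h = _record_hash(prev, rec["body"])
        if h != rec["hash"] or not hmac.compare_digest(_record_tag(h), rec["tag"]):
            return False, i
        prev = h
    return True, None


def effective_consent(trail: list, subject_id: str) -> dict:
    """Current per-purpose consent for a subject; later events override earlier."""
    state: dict = {}
    for rec in trail:
        body = rec["body"]
        if body["subject_id"] != subject_id:
            continue
        for purpose, granted in body["purposes"].items():
            # A withdrawal revokes every purpose it lists, whatever the flag says.
            state[purpose] = granted if body["event"] == "grant" else False
    return state


def build_demo_trail() -> list:
    """Constructed sample data: one granular grant, then a partial withdrawal."""
    trail: list = []
    append_event(trail, "subject-42", "grant",
                 {"service_emails": True, "marketing": False, "analytics": True},
                 "click-to-sign", "consent-form-v3", "2018-05-25T09:00:00Z")
    append_event(trail, "subject-42", "withdraw", {"analytics": True},
                 "click-to-sign", "withdrawal-form-v1", "2019-01-10T14:30:00Z")
    return trail


if __name__ == "__main__":
    trail = build_demo_trail()
    print("trail intact:", verify_trail(trail))
    print("effective consent:", effective_consent(trail, "subject-42"))
    trail[0]["body"]["purposes"]["marketing"] = True  # after-the-fact edit
    print("after tampering:", verify_trail(trail))
```

One caveat a practitioner should keep in mind: a hash chain detects edits and reordering, but not silent truncation of the newest records. To cover that, periodically anchor the head hash somewhere the log writer cannot alter (a separate write-once store, or a signed timestamp), and compare against it when verifying.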
The GDPR Contract between Data Controller and Data Processors
If a third party is engaged to process personal data on behalf of a data controller, the GDPR (Article 28) requires a written contract between the two. It should contain specific terms so that both parties understand their obligations, responsibilities and liabilities in achieving compliance, and can demonstrate this. Such contracts also help to increase the confidence of data subjects in how their personal data is being handled.
Contracts must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subject, and the obligations and rights of the controller and processor. Features such as bulk sending mean that otherwise lengthy processes, such as getting a standard processor agreement signed by many partners, can be automated. With e-signature technology already widely used to sign customer and partner contracts across a variety of industries, it is an effective way to execute controller-processor contracts too.
One of the cornerstones of GDPR compliance is having appropriate measures in place to capture, record, and manage customer consent. Electronic signature solutions provide a means to meet both the consent requirements and the requirement for written contracts with data processors. As a by-product of GDPR compliance, companies may also find that e-signatures are useful across the organisation. Choosing an e-signature solution therefore not only helps a company stay GDPR compliant now and in the future, but also lets it apply the same technology elsewhere in the business as it scales and grows.
By Dirk Denayer, Business Solutions Manager at OneSpan