GDPR: eSignature


About AssureSign, eSignature Security, News & Updates

If you’re in the business of handling consumer data, you’ve likely heard about regulatory changes on the horizon.

Many businesses are eager to understand how the General Data Protection Regulation (GDPR) in the European Union (EU) will propel the need for changes (1) within their own operations and (2) how companies they do business with, like AssureSign, aligns with the impending regulation.

In this post, we’ll provide:

  • an outline of the GDPR and its intercontinental reach,

  • how AssureSign can help businesses meet its requirements, and

  • additional resources for more information

 

Did you know that most  U.S. businesses will be impacted by the GDPR? If you didn’t, you’re not alone…

75 percent of U.S. companies falsely  assume the GDPR does not apply to them—a troubling statistic considering the EU had no reservations recently fining the search engine powerhouse, Google $2.73 billion for violating its current data regulations (which are far less stringent than the GDPR’s provisions—FYI).

Speaking of Google, you may be tempted to think that large enterprises conducting business in multiple countries are the only ones need worry about the impending regulation. Unfortunately, it’s this very logic that landed 75% of U.S. businesses on the wrong side of this assumption.

We at AssureSign encourage you to use this post to help determine if you will be affected by the impending legislation and what you need to do to prepare before it becomes law.

Though, before we delve into specifics, let’s review some GDPR basics 

 

General Data Protection Regulation (GDPR) Defined.

For those that haven’t heard, the GDPR is impending legislation in the EU that requires major changes on behalf of how organizations process the personal data of its citizens. 

The regulation in its 99 articles outlines the rights and privileges afforded to EU citizens regarding their personal information and defines how organizations—both in the EU and abroad—must approach data privacy when processing it.

Why the Change?

The GDPR replaces the EU’s previous Protection Directive 95/46/EC adopted in 1995. Its purpose is to modify or enhance the dated legislation’s two decade-old provisions, while introducing new ones as necessary in what’s now a very different cyber landscape.

Referred to by many as the most profound change in data protection regulation in 20+ years, GDPR aims to harmonize data laws across the EU, removing ambiguous regulatory differences among its member states.

Is the GDPR Already in Affect?

No… but, soon.

After four years of debate among its member states, EU’s Parliament adopted the legislation in April 2016. However, Parliament included a grace period of just beyond two years before the regulations would come into effect.

Effective Date

Businesses will be subject to penalty if failing to adhere to the GDPR on or after May 25, 2018 

The GDPR’s Scope

Prior to the new regulations, most of the Union’s data protection laws were individually established by each member state through “territorial ambiguity.” Therefore, laws and regulatory standards often varied among the states—much like state laws vary within the U.S. 

The GDPR is different from prior legislation in that it not only applies to all states within the EU, but also to any organization processing or otherwise handling an EU citizen’s data.

 

So, what does this mean for organizations in the U.S.?

 

Does Your Organization Have to Comply with the GDPR?

Many businesses believe only multinational corporations doing business oversees need to entertain the prospect of the GDPR.

Not Exactly.

The GDPR is written in terms that (purposely) widen its scope to include a vast majority of the globe’s commerce, regardless of a business’s country of origin or current location.

Earlier, we mentioned that 75 percent of U.S. companies falsely assume they need not adhere to the GDPR’s standards.

Join the remaining 25 percent of informed businesses by understanding the primary elements of the GDPR and how they may affect your organization…

 

“Personal Data”

The GDPR applies to an organization when any EU citizen’s “personal data” is being handled or otherwise processed.

According to EUGDPR.org, personal data is defined within the legislation as: “Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

Do you have a website? Of course you do.

Assuming it’s accessible to EU citizens, your organization is likely handling the computer IP address and perhaps more of the aforementioned “personal data.” This is merely one of multiple caveats that illustrate how most U.S. companies fall under the GDPR’s jurisdiction. 

 

“Consent”

The new regulation modifies the way businesses must obtain consent to leverage EU citizen data.

Essentially, the goal is to eliminate unnecessarily lengthy or illegible jargon from terms & conditions regarding data use, allowing a citizen to fully understand how their information will be used by an organization before consenting.

The EU deciphers what they refer to as “explicit” and “unambiguous” consent: “Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.

Click here for more information on the differences between the two types of consent.

 

Controller” and “Processor”

The GDPR segregates organizations that handle any sort of data (nearly 100%) into two categories:

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

Consider this example:

A sales representative at your organization stores the name, telephone number, and email address of a prospect into your customer relationship manager (CRM), Microsoft’s Dynamics 365.

In this example, your organization assumes the role of a “controller,” as you initially collected and determined the data’s use. Microsoft assumes the role of a “processor,” as Microsoft’s cloud is processing and housing the data for you.

BOTH your organization AND Microsoft must abide by the GDPR mandates.

One of the unprecedented implications of the GDPR is that it applies to both controllers and processors, along with the fact that it does not exonerate organizations outside the EU. If found noncompliant, the fine can be as great as €20 Million ($24.6 million) or 4% of your annual global turnover.

 

How AssureSign Aligns Your  Business to the GDPR

The GDPR strengthens requirements around

  1. international scope/compliance,
  2. data consent and withdrawal on behalf of citizens,
  3. breach notification (time frame and reporting methods),
  4. release of data to citizens (in legible format),
  5. data protection officers, and
  6. other data safeguards.

 

We understand that regulatory changes may modify the way your business handles data or the third-parties chosen to process it… Take a look at our statement regarding our own GDPR alignment:

 

“At AssureSign, we’re committed to aligning our business practices with the highest of applicable ethical standards. In 2016, we voluntarily and publicly subscribed to the EU-U.S. Privacy Shield Framework upon its joint approval by the U.S. Department of Commerce and European Commission, requiring us to subscribe to a much higher standard of data protection and oversight than what’s required by U.S. law. The Privacy Shield is parallel to the European Union’s (EU) “Privacy by Design” framework, which comprises the General Data Protection Regulation (GDPR) taking effect on May 25, 2018. Resultingly, AssureSign has long been positioned to fully align with GDPR and its provisions, allowing our network of current and future electronic signature customers to legally and safely engage in multinational business affairs.”

 

Whether leveraging our on-premises, hybrid or cloud electronic signature deployment options, you can count on the safe and legal transfers of your organization’s and customer’s data… no matter where  you do business!

 

More Questions?

Still have questions about whether you’ll need to make changes before the GDPR takes effect? Want to learn more about how AssureSign’s electronic signature can help support GDPR compliance?

 

Contact us today!

 

Donald Kratt

Chief Technology Officer at AssureSign
Donald was brought into AssureSign’s sister company, 3PV, in 2003 and now oversees Software Engineering operations for AsssureSign where he helped architect the AssureSign platform and was responsible for constructing the original engineering team.