By Reggie Davis, General Counsel
A major milestone in data privacy regulation, the European Union General Data Protection Regulation (GDPR) will become effective on May 25th, 2018. The compliance deadline is fast approaching, and the regulation has significant implications not just in the EU, but also for any enterprise or multinational organization conducting business with EU member states.
Reshaping Data Privacy to Drive Consistency in the Internet Era
With the explosive growth of the Internet, the creation, collection, use and retention of personal data have become ubiquitous in today’s world of cloud and social media. GDPR aims to update data privacy standards to address today’s technology while remaining true to the set of original privacy principles established by the Organization for Economic Co-operation and Development (OECD) in 1980. Most importantly, GDPR is a regulation that will become enforceable in all EU member states on May 25, 2018.
Why US Companies Should Care About GDPR
GDPR applies not only to organizations based in the EU, but also to all companies processing and storing the personal data of EU citizens, regardless of where the company is located or where the data processing occurs. Further, GDPR may not apply to your company directly, but it may apply to your customers. Personal data includes any information that can be used to directly or indirectly identify the person, including name, email address, photos, posts on social media, medical information or even a computer IP address. It is important to note that the definition of personal data in the GDPR and EU is broader than most personal information definitions in the U.S.
Under GDPR, the penalties for non-compliance are significant. Organizations can be fined up to 4% of annual sales or 20 million Euro, whichever is greater.
Preparing Your Organization to Comply with GDPR
GDPR includes several requirements that benefit consumers and mandate increased control and transparency. The GDPR mandates the type of personal information that can be collected, how personal information needs to be stored and protected, and what organizations must do in the event of a data breach. The GDPR also places additional security requirements on organizations. Key tenets include:
Transparent & lawful personal data collection – With a focus on transparency, GDPR requires privacy notices to be in a clear and easy-to-read format and to include certain mandatory information. Where consent is the lawful basis for processing personal data, it must be specific, informed, unambiguous, and freely given by a statement or clear, affirmative action.
Limited storage/retention – Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Protecting personal data – Personal data must be handled in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Notification of data breaches – Data breaches which may pose a risk for individuals must be reported to the European Data Protection Authorities (DPA) within 72 hours and to the affected individuals without undue delay.
Learn more about how DocuSign can be a part of your GDPR solution.
Setting a High Bar for Digital Transaction Management
Many organizations begin their digital transformation journey by digitizing workflows with a digital transaction management (DTM) platform and eSignature solution. Because corporate documents often contain sensitive information and personal data, DocuSign believes it is important to set a high bar for data privacy when making the transition to digital.
One of DocuSign’s top priorities is the privacy and security of our customers’ documents, and we are actively following the European Union’s transition to GDPR. DocuSign currently meets or exceeds national and international security standards, including strict security policies and practices that set the standard for world-class information security in digital transactions and electronic signatures. DocuSign is ISO 27001:2013 certified as an ISMS, the highest level of global information security assurance available today. DocuSign also complies with the xDTM Standard, which sets a high quality bar for digital transaction management, as well as with specialized industry regulations, such as HIPAA, 21 CFR Part 11, and specified rules from the FTC, FHA, IRS, and FINRA.