By Reggie Davis, General Counsel & Chief Privacy Officer, DocuSign
Today, the world recognizes Data Privacy Day. As privacy protection concerns and privacy laws around the world, such as Europe’s General Data Protection Regulation (GDPR) and California’s incoming digital privacy law (the California Consumer Privacy Act), continue to build, we are reminded to be more mindful of data privacy, safeguarding data, and enabling trust. Let us mark this day by increasing our awareness of data privacy and considering key data privacy practices in our everyday work.
Here are some best practices around maintaining privacy and enabling trust to keep in mind and share with your colleagues.
Have an eye for PII
Data privacy is focused on the use and governance of personally identifiable information (PII). PII includes personal information that alone, or in combination with other information, can identify an individual such as a subscriber, customer, prospect, vendor or a fellow employee.
Recognizing PII when you see it is a key step in protecting privacy. Accidental disclosure remains one of the most common ways that organizations fail their privacy obligations. Train yourself to raise a mental alert when you spot PII, including these examples:
Don’t need it, don’t collect it
If you collect PII, whether through a form, survey, or other means, a good mantra to remember is if you don’t need it, don’t collect it. This means we only collect PII for the specific business activity that we have set out to accomplish.
- What is the business purpose for collecting this PII?
- Can I accomplish the business purpose without collecting it?
- Am I collecting only what is necessary and proportionate?
Handle with care
Once you have the PII, use it only for your specific business purpose. Take care in the storage and sharing of information containing PII. Share or disclose PII only to those with a “need to know”, which helps to prevent accidental disclosure. Limit access to PII or systems to only those who require it to perform the core duties of their jobs.
- Is this action consistent with the business purpose for collection of the PII?
- Who should have access to this PII?
Delete if complete
At the end of the business activity, or when the PII is no longer needed, check whether any requirements oblige you to retain it. If not, dispose of it safely.
- Has the business activity completed, and is the PII still needed?
- How do I delete or dispose of the PII safely?
Know before you act
One of the most important things you can do when handling PII is to simply become knowledgeable. When questions arise, verify your approach to data handling by leveraging company resources:
- Keep up-to-date on internal privacy-related policies, processes, and training that may apply to your role
- Am I familiar with, and do I understand, my organization’s policies and processes on how to handle PII?
Educating yourself before you handle PII is important. And remember, if something is amiss, or you suspect that there may be an issue, take action and contact your privacy or security group!
Privacy at DocuSign
Protecting personal information and maintaining strong privacy and information security practices continues to be a top priority at DocuSign. We proactively assess and address privacy risks, adhere to stringent global information security standards, maintain comprehensive privacy and security policies, and deliver privacy and security training to employees. DocuSign has received approval from the European Data Protection Authorities for Binding Corporate Rules (BCR), referenced within the GDPR and widely considered the “gold-standard” method for the transfer of personal data outside of the European Union.
For more information on our privacy and other trust topics visit the DocuSign Trust Center.