By Reggie Davis, General Counsel

In September we highlighted the importance of the General Data Protection Regulation (GDPR) with its fast approaching May 25, 2018 effective date in our blog post, Compliance Deadline Fast Approaching for EU General Data Protection Regulation. Like many of our customers, DocuSign is preparing itself to comply with the GDPR requirements, and aligning business practices to potential GDPR use cases.

Building on our Strong Commitment to Data Privacy and Security

GDPR readiness is a daunting task, but DocuSign began preparing for GDPR by leveraging a strong history of controls and safeguards evidenced by its recognized certifications. DocuSign is ISO 27001:2013 certified as an ISMS, the highest level of global information security assurance available today. DocuSign also complies with the xDTM Standard, which sets a high-quality bar for digital transaction management, as well as with specialized industry regulations, such as HIPAA, 21 CFR Part 11, FedRAMP authorization, and specified rules from the FTC, FHA, IRS, and FINRA. Building on the foundation these certifications provide, and aided by the discipline necessary to obtain and maintain this wide range of robust certifications, DocuSign is positioned well to meet the controls that will be required by GDPR.

Analyzing the Gaps

To build upon DocuSign’s existing certifications, DocuSign sought guidance from well-established privacy and legal professionals who helped interpret and apply the GDPR requirements to DocuSign. This expert team conducted a gap-analysis between DocuSign’s existing compliance-driven common control framework, which includes controls required by DocuSign’s pending Binding Corporate Rules application with the Irish Data Protection Commissioner, and the new requirements of GDPR. DocuSign completed this gap-analysis to determine the tasks that it needed to incorporate across the DocuSign business and systems.

Categorizing Privacy-Related Tasks

The missing GDPR tasks that were identified were then distilled down further using recognized privacy tools that also assist with tracking the completion of such privacy-related tasks. This exercise allowed DocuSign to create a more structured and objectively unifiable approach to implementing and managing each new GDPR task by categorizing them into more understandable bite-sized chunks for the applicable DocuSign departments to digest.

Each category consists of multiple tasks. In some cases, each task provides sufficient context as to how it relates to the data privacy principles of GDPR. In DocuSign’s experience, however, organizing the tasks into specific categories, such as “maintain a privacy governance structure” helps provide the applicable departments better insight into the objective of those tasks.

By way of example:

Category 1: Maintain a privacy governance structure

Tasks:

  1. Engage senior management in data privacy
  2. Assign responsibility for data privacy to an individual representative (s)
  3. Align policies to demonstrate our process and our commitment to our customers and users
  4. Train each of our DocuSign employees on all privacy and security expectations

Category 2: Embed privacy by design

Category 3: Manage third-party risk

Creating a GDPR Leadership Team

In parallel to the work being done to identify the missing GDPR tasks, DocuSign formalized its GDPR leadership team with corresponding delegates to attack the tasks that must be completed to reach GDPR readiness. Moreover, the GDPR team is positioned to drive visibility and transparency to the company’s Executive Team and Board of Directors. Through its GDPR leadership team, DocuSign data protection and GDPR readiness is active and underway with visibility throughout the company.

The implementation of such compliance driven programs is not new to DocuSign and like its other certifications, DocuSign remains committed to approaching this initiative diligently with the utmost focus on securing and maintaining customer trust.