5 Strategies for GDPR and Data Privacy Compliance

General Data Protection Regulation (GDPR), brought into force in 2018 sets out to give individuals greater control of their personal data processed by third-parties. It not only impacts individuals but businesses worldwide by imposing requirements and liabilities around data processing activities. 

While there’s no singular roadmap to support your compliance efforts with GDPR, there’s no shortage of good practices for companies to manage not only GDPR, but also other data privacy laws including the CCPA in the US–and the Docusign Agreement Cloud can help. 

Here are five key strategies to meet GDPR requirements.

1. Identify risk areas across contracts—using Docusign and other sources.

In this digital day and age, organisations share personal data with third parties as a routine matter, but can these third parties be trusted? The GDPR (General Data Protection Regulation) extends the scope of responsibility to all parties processing data when it comes to data protection and privacy, meaning businesses should consider to how best to manage security incidents originating with service providers you may rely on as a subprocessor. GDPR imposes requirements on businesses that share or sell private data, including when the “sale” is not for traditional monetary gain. To address these requirements, you may want to know how your service providers and business partners collect and share personal data, both before and after you actually share data —and that requires an understanding of what’s in your agreements. One challenge is that contracts may not contain standardised terms around data privacy, so even a searchable contract repository may not be able to avoid a tedious manual review effort. 

Docusign Intelligent Insights, powered by Seal Software, uses AI-driven analysis to provide 360-degree visibility into your agreements, regardless of how and where they’re stored in your enterprise. Pre-configured to automatically and intelligently identify contract clauses triggering data privacy issues, Intelligent Insights provides a conceptual understanding of your providers’ and partners’ commitments around personal data use, enabling you to manage and mitigate GDPR risk where necessary.

2. Generate agreements with third parties that share data.

Once you’ve identified the gaps within your agreements regarding your data privacy provisions, you may want to amend and re-negotiate contract terms. Traditionally, “re-papering” agreements with a range of business partners and service providers was a painstaking, costly, and error-prone process. 

Docusign CLM streamlines this process by automating contract creation, negotiation, and approval. Contract Lifecycle Management (CLM) helps you efficiently build contracts by leveraging previously-approved clause language and source data from your enterprise systems. It also helps you shepherd agreements through complex negotiations and proprietary workflows. 

If your 3rd party relationships are managed in Salesforce, Docusign Gen for Salesforce provides an integrated solution to prepare, sign, and store these agreements efficiently and reliably. 

3. Execute third party agreements quickly and efficiently with all signatories.

Agreements that have been revised for GDPR compliance may need to be executed in an efficient and reliable way, while maintaining the integrity of these revisions to the underlying agreement. 

Docusign eSignature can reliably help support enforceability of revised agreements with timestamped, tamper-evident, and court-admissible audit trails. Plus, Docusign’s advanced workflow tools accelerate your execution process: The bulk send feature allows you to gather individual consent from a large number of users, while automated reminders and conditional routing keep complex approvals on track.

4. Collect provable consent to revised T&Cs, disclosures, and privacy policies.

GDPR requires that businesses notify consumers if they sell, share, or disclose personal information. Businesses may also be required to display a persistent “opt-out” option before their data is collected. To help ensure compliance on this front, businesses may desire to collect—and document—the consent of their consumers to revised End User License Agreements (EULAs), Terms and Conditions, privacy policies, and the like. 

Docusign Click provides an easily-auditable mechanism to capture consent to standard terms across all platforms, all with a single click. With Click, administrators can seamlessly process updates to existing agreements, so it’s clear which users have agreed to which version of an agreement. And Click is compatible with your existing Docusign eSignature infrastructure, so it’s easy to gain a unified view across your eSignature and clickwrap agreements.

5. Manage subject access requests—from submission to validation to secure delivery.

GDPR requires businesses to provide consumers the ability to obtain, have deleted, and stop the sharing of their information. Handling such data privacy “subject access requests” can be a burden and a compliance challenge, but it can also show a business’ commitment to consumer privacy and therefore enhance customer trust. 

  • Create a seamless experience for consumers to submit subject access requests. 

Docusign Guided Forms, provides easy-to-implement, customer-friendly forms to capture such information. Guided Forms provides step-by-step guidance to users and pre-fills forms with known data, so you get complete submissions and fewer errors.

  • Validate the requestor’s identity to confirm personal data with an intended data subject. 

Docusign Identify allows you to choose from several enhanced ID options including verifying government-issued IDs from a mobile device. This is especially valuable when the requestor can’t be reliably identified via the business’ own authorized account holder validation process.  

  • Process and deliver on data privacy requests in a secure and fully-auditable way.  

Docusign eSignature is used every day to securely route encrypted documents for approval, avoiding the need to email sensitive files through less secure channels, risk data exposure, and follow up to confirm receipt.  Docusign provides a powerful platform for businesses to approve and act on subject access requests—helping to ensure a comprehensive audit trail of every step and access point along the way as may be managed through eSignature. 

Learn more in our blog: 4 Things to Look for in a GDPR Consent Solution