How OneSpan Sign Helps Capture Customer Consent Under GDPR
The General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] became applicable across all 28 EU member states on May 25, 2018 (it entered into force on May 24, 2016, with a two-year transition period). It is the most significant change to European data protection law in more than twenty years. The GDPR is a root-and-branch reform of Europe's previous data protection framework, the EU Data Protection Directive (Directive 95/46/EC). While many of the core principles remain the same – including fairness, transparency, lawfulness of processing, and data security – the GDPR expects businesses not only to comply with EU data protection requirements, but also to be able to demonstrate that compliance (the accountability principle, Article 5(2)). The regulation adds a number of new protections and backs them with significant administrative fines for non-compliance (Article 83).
GDPR: 5 key points about personal data
The EU wants to give individuals more control over how their personal data is used. Under Article 4(1), personal data is any information relating to an identified or identifiable natural person; examples include physical appearance, nationality, cultural background, social status, financial situation, memberships, and education. Some of these are "special categories" under Article 9 – for example religious beliefs, sexual orientation, medical conditions, and mental state – and are subject to stricter rules. At the same time, the European Union wants to give businesses a simpler, clearer legal framework in which to operate: a single, directly applicable data protection law throughout the single market, in place of 28 national transpositions of the Directive.
The GDPR is much more demanding, and applies more broadly, than the previous EU data protection requirements: it covers any organization, inside or outside the EU, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour (Article 3). The following are five key areas the GDPR addresses to protect that data.
- Breach notification: The GDPR breach notification requirement has caught organizations' attention (and CISOs' in particular) because it sets a high bar for the mandatory notification of security incidents. Under Article 33, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons." Where the breach is likely to result in a high risk, Article 34 additionally requires the affected data subjects to be informed.
- Right of access: Part of the expanded rights of data subjects (e.g., consumers) under Article 15 is their right to obtain from the data controller (e.g., a business or organization) confirmation as to whether or not personal data concerning them is being processed, and if so the purposes, the categories of data, the recipients, and the envisaged retention period. The controller must also provide a copy of the personal data; the first copy is free of charge, and where the request is made electronically the copy must be provided in a commonly used electronic format unless the data subject asks otherwise.
- Nominate a DPO: Data Protection Officers (DPOs) oversee the data protection strategy and its implementation to ensure compliance with GDPR requirements. Under Article 37, a DPO is mandatory for public authorities and for organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or data relating to criminal convictions. Other organizations may appoint one voluntarily. The DPO's tasks (Article 39) include informing and advising the organization and its employees on their obligations, training staff involved in data processing, monitoring compliance through regular audits, advising on data protection impact assessments, and acting as the contact point for the supervisory authority.
- Right to be forgotten: Also known as the right to erasure, it entitles the data subject to have the data controller erase their personal data, cease further dissemination of the data, and, where the data has been made public, take reasonable steps to inform other controllers processing it so that they halt processing as well. The grounds for erasure, outlined in Article 17, include the data no longer being necessary for the purpose it was collected for and the data subject withdrawing consent. The right is not absolute: Article 17(3) requires controllers to weigh such requests against freedom of expression, legal obligations, the public interest in public health, archiving and research purposes, and the defence of legal claims.
- Obtaining valid customer consent: Consent under the GDPR must be "freely given, specific, informed and unambiguous" (Article 4(11)), so that customers can make real choices about how and why their personal information is used. Article 7 adds that the controller must be able to demonstrate that consent was given, that a consent request must be clearly distinguishable from other matters, and that withdrawing consent must be as easy as giving it. Customers who feel in control of the data a business holds about them are likely to have higher levels of trust in that business.
Why is this a business opportunity?
The GDPR expands an organization's obligation, and its ability, to manage how personal data is used. One of the regulation's stated aims is a consistent set of rules across member states and across the public and private sectors, so that personal data can flow within the single market under a single standard of protection. For CISOs, the GDPR is a good opportunity to upgrade the organization's security capabilities to meet the regulation's requirements and to improve overall security with respect to data confidentiality and privacy.
How OneSpan Sign helps capture customer consent under GDPR
Where an organization relies on consent as its lawful basis for processing (Article 6(1)(a)), capturing that consent correctly is critical. Consent must be obtained before the processing starts, the organization must be able to demonstrate that it was given (Article 7(1)), and data subjects must be clearly informed of their right to withdraw consent and be able to do so as easily as they gave it (Article 7(3)).
The Article 29 Data Protection Working Party (WP29), in its Guidelines on consent under Regulation 2016/679 (WP259), restates the Article 4(11) definition of valid consent and explains what "explicit" consent adds. Valid consent must be:
- Freely given
- Specific
- Informed
- An "unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."
Explicit consent goes further: the data subject must give an express statement of consent, not merely an affirmative action. It is required in situations where the data protection risk is serious and a high level of individual control is deemed appropriate, such as processing special categories of data (Article 9(2)(a)), solely automated decision-making with legal or similarly significant effects (Article 22(2)(c)), and certain international transfers (Article 49(1)(a)). OneSpan Sign is an e-signature solution used by some of the world's most security-conscious organizations. Thanks to its bulk send capability, you can automate the process of sending consent forms to a large number of recipients. The solution captures data and consent anytime, anywhere, and from any device, so that consent can be obtained quickly. Whatever tool is used, the record kept with each completed form should be sufficient to satisfy Article 7(1): who consented, when, to which version of the consent wording, and how the signer's identity was established.
With OneSpan Sign, you can send consent forms in a single action (and trigger reminders when necessary) to capture consent in real time, with complete visibility into the status of your transactions. And thanks to integrations with third-party apps and systems, the resulting data can be fed automatically into your organization's system of record of choice. Whether that is a CRM, an HRM or an ERP system, the consent process can be 100 percent automated.