The GDPR Is Here. Is Your E-Signature Solution Compliant?
The European Union’s (EU) new landmark privacy law called the General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] is now officially in effect. The GDPR expands the privacy rights of EU individuals and places new obligations on organizations that market, track or handle EU personal data. (Read about the five key areas of data privacy that the regulation addresses here). The rise of technologies such as the cloud and social media has changed the privacy landscape for good, and the EU's updated data privacy standard takes into account the implications of these new technologies on personal data. The good news is that unlike its predecessor, the Data Protection Directive 95/46/EC that introduced administrative burdens and a fragmented legal framework, the GDPR is a single law and applies unilaterally across the EU as of May 25, 2018.
Is Your E-Signature Solution Ready for the GDPR?
All companies that process and hold the personal data of individuals residing in the EU must comply with the GDPR, regardless of company location. This includes e-signature providers like OneSpan that help customers globally automate and digitize their manual, paper-based processes. If your organization transacts with individuals and businesses on a global scale and is looking to implement e-signature, ensure the solutions on your shortlist are able to demonstrate compliance with the GDPR requirements. The implementation of new compliance programs such as the GDPR is not new to the OneSpan team. We have consistently reinforced our commitment to data security and privacy, and we were first to meet some of the most stringent requirements in the market. For example:
- In 2014 and 2015, we became the first e-signature company to successfully complete the SOC 2 attestation.
- In 2014 and 2016, we launched instances of OneSpan Sign in data centers in Canada, Europe, and Australia to help meet our customers’ data residency needs in those regions.
- In 2016, we became the first e-signature solution granted the Authority to Operate (ATO) under the U.S. Government’s FedRAMP.
Building on the foundation of these achievements and our strong history and roots in the security business have enabled us to fast track our own GDPR readiness. We analyzed the requirements and delivered a number of enhancements over the last several product releases to ensure we met the personal data protection requirements under the GDPR. By way of example, we underwent steps to meet data localization requirements by using a deployment model where the system used to process customer data is self-contained within the target region (e.g., the EU). Data is captured, processed and stored within the system boundary in the target region and there is no interconnection between the environments that would result in customer documents being transferred over to a different geographic area. As a trusted data processor, OneSpan committed to compliance on day 1 to help you with your GDPR compliance journey. With the GDPR now in full effect, our customers can rely on OneSpan Sign for GDPR-compliant processing of their documents. We’ve also updated our Terms & Conditions and Privacy Notice, and added the new Data Processing Addendum (DPA) to reflect the increased transparency requirements of the GDPR. These updates reinforce our commitment to data privacy and provide our customers with more clarity and control over how we collect and use personal data when delivering our best-in-class e-signature service.
GDPR Readiness: A Shared Responsibility
The GDPR is a shared compliance journey as it sets out obligations for the various parties involved in controlling and processing personal data. For example:
- Your role as a data controller: You will determine the personal data we process and store on your behalf.
- Our role as a data processor: As a provider of software and services to our customers, we’re acting as a data processor for the personal data you ask us to process and store as part of providing the services to you.
The GDPR is a set of regulations that go beyond a simple checklist of requirements that can be fulfilled by a service provider alone. GDPR compliance requires a partnership between the provider and the customer who controls personal data.
Using OneSpan Sign to Enhance Your Company’s Ability to Meet GDPR Requirements
Is your organization struggling on where to start or how to accelerate your own GDPR readiness? Any organization evaluating their consent mechanisms to comply with the GDPR should consider the use of electronic signatures – especially when handling high-risk data, such as personal financial information or medical records. Electronic signatures provide a secure, auditable, and easy-to-use solution for compliance with the GDPR consent requirement. This technology is an appropriate method for data controllers to:
- Capture consent
- Comply with the active opt-in requirement
- Demonstrate the details of how consent was obtained, including what was consented to, when, and by whom
Electronic signature solutions such as OneSpan Sign provide a means to comply with both the consent requirements and the requirement for signed contracts with data processors. We can help you automate the process of sending consent forms and enable your recipients to electronically consent and sign from anywhere and on any device.