On May 25, 2018, the General Data Protection Regulation (GDPR) becomes the main legal framework for data protection in the EU. Under the GDPR, EU citizens must consent to the processing of their personal data – and data controllers must meet strict requirements for capturing that consent. In fact, the conditions to obtain consent have been fundamentally redefined compared to the previous Data Protection Directive. In addition, the GDPR requires that data controllers have contracts in place with all of their data processors (i.e., a third party service that processes personal data on the controller’s behalf). In both cases, electronic signatures are an appropriate means to comply with the GDPR.
The GDPR applies to any company offering goods or services to EU citizens and managing personal data as a data controller or data processor, regardless of the company’s size, location, or industry. If hit by a data breach, organizations that are not compliant with the GDPR face fines up to 20 million euro or 4% of annual revenue, whichever is greater.
The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
As mentioned in the Information Commissioner’s Office (ICO) GDPR consent guidance, data controllers will need to review their consent mechanisms to make sure they meet the GDPR requirements on being specific, granular, clear, prominent, opted-in, documented, and easily withdrawn.
Key new points summarized by the ICO:
- Unbundled: Consent requests must be separate from other terms and conditions. Consent should not be a precondition of signing up to a service, unless necessary for that service.
- Active opt-in: Pre-ticked opt-in boxes are invalid – use unticked opt-in boxes or similar active opt-in methods (e.g., a binary choice given equal prominence).
- Granular: Give granular options to consent separately to different types of processing wherever appropriate.
- Named: Name your organization and any third parties that will be relying on the consent – even precisely defined categories of third-party organizations will not be acceptable under the GDPR.
- Documented: Keep records to demonstrate what an individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: Tell people they have the right to withdraw their consent at any time, and how to do this. It must be as easy to withdraw as it was to consent. This means that organizations will need to have simple and effective withdrawal mechanisms in place.
These requirements set a high standard for GDPR consent, but in turn help build trust, enhance brand and reputation, and avoid the fines defined by the GDPR.
Electronic Signatures for Consent
Any organization evaluating their consent mechanisms to comply with the GDPR should consider the use of electronic signatures – especially when handling high-risk data, such as personal financial information or medical records. Electronic signatures provide a secure, auditable, and easy-to-use solution for compliance with the GDPR consent requirement. This technology is an appropriate method for data controllers to:
- Capture consent
- Comply with the active opt-in requirement
- Demonstrate the details of how consent was obtained, including what was consented to, when, and by whom
Electronic signature technology provides the ability to capture customer consent from any device. By supporting different signature methods, including click-to-sign and click-to-initial, electronic signatures make the user experience as simple as clicking/tapping a signature box in a document or hand-scripting a signature on a touchscreen device.
It is important to recognize that an e-signature is much more than a digital method to capture a signature. Behind the scenes, an e-signature service captures a comprehensive audit trail with a record of exactly what the signer consented to, including when and how they signed.
Under the GDPR, it is important to be able to demonstrate compliance after the fact. If your organization has not recorded all actions related to consent and maintained reliable records, you risk not being able to demonstrate compliance. Look for an e-signature solution that records an audit trail of what was signed, as well as the exact process used to capture signatures. This resonates well with legal and compliance teams, because it provides direct visibility into when and how a signing event took place.
In the case where the consent has to be obtained in combination with other documents, such as terms and conditions, an electronic signature solution allows you to separate the signing of the documents and comply with the GDPR’s unbundled requirement. The electronic signature service also allows for granular options within the digital documents, so you can capture consent separately for different types of personal data processing. And finally, when an organization changes data controllers, an electronic signature solution makes it easy to request a renewal of the consent, if required.
The GDPR Contract between Data Controller and Data Processors
Whenever a data controller engages a third party for the purpose of personal data processing on behalf of the controller, the GDPR requires a contract with specific terms between the data controller and the data processor. The goal of these terms is to ensure that the data processor complies with the GDPR and to enable the data controller to demonstrate their compliance with the GDPR.
The importance of the contract, and the required content of such a contract, is described in ICO’s Guide to the GDPR as follows:
- “Contracts between controllers and processors ensure that they both understand their obligations, responsibilities and liabilities. They help them to comply with the GDPR, and help controllers to demonstrate their compliance with the GDPR. The use of contracts by controllers and processors may also increase data subjects’ confidence in the handling of their personal data.”
- “Contracts must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.”
E-signature technology is widely used to e-sign customer and partner contracts across a variety of industries and should be considered for signing contracts between the data controller and data processor partners. And because consent from multiple partners may be required, look for an e-signature solution that offers bulk sending capabilities to automate the process of sending consent forms to a large number of recipients.
One of the cornerstones of your GDPR compliance is having the appropriate measures in place to capture, record, and manage customer consent. Electronic signature solutions such as eSignLive by VASCO provide a means to comply with both the consent requirements and the requirement for signed contracts with data processors. As a by-product of your GDPR compliance, you may also help move forward other e-signature projects in your organization’s pipeline. Therefore, make sure to choose a best-in-class solution that can scale with your growing e-signature needs – today and tomorrow.
- Learn more about electronic signatures: https://www.esignlive.com/
- Learn more about GDPR and two factor authentication: https://blog.vasco.com/authentication/gdpr-two-factor-authentication/