On May 25, 2018, the General Data Protection Regulation (GDPR) became the main legal framework for data protection in the EU. Consent is one of the lawful bases on which personal data may be processed, and a data controller that relies on it must meet strict requirements to obtain valid consent: the conditions for consent were fundamentally redefined compared to the previous data protection directive. In addition, the GDPR requires data controllers to have contracts in place with all their data processors (i.e. external services that process personal data on behalf of the controller). In both cases, electronic signatures are an appropriate means of complying with the GDPR.
The GDPR applies to any organization that offers goods or services to individuals in the EU and handles their personal data as a data controller or data processor, regardless of the size, location or industry of the organization. Fines are not tied to a data breach: organizations that fail to comply with the GDPR face administrative fines of up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
GDPR Consent
The GDPR (Article 4(11)) defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
As the consent guidance of the Spanish Data Protection Agency (AEPD) notes, data controllers should review their consent mechanisms to ensure that consent is specific, separate from other matters, clearly and prominently presented, actively given, documented and as easy to withdraw as it is to give.
The key points are presented below:
- Unbundled: consent requests should be separate from other terms and conditions. Consent should not be a precondition for signing up to a service unless the processing is necessary for that service.
- Active opt-in: pre-ticked boxes are invalid. Use unticked opt-in boxes or similar active acceptance methods (e.g. a yes/no choice in which both options are given equal prominence).
- Granular: provide separate options to consent to different types of processing wherever appropriate.
- Named: name your organization and any third party that will rely on the consent; even precisely defined categories of third-party organizations are not acceptable under the GDPR if the organizations are not named.
- Documented: keep records to demonstrate what an individual has consented to, including what they were told, and when and how they consented.
- Easy to withdraw: tell individuals that they have the right to withdraw their consent at any time and how to do so. Withdrawing consent should be as easy as giving it, which means organizations must have simple and effective withdrawal mechanisms in place.
These requirements set a high standard for GDPR consent, but in turn help build trust, enhance brand and reputation, and avoid GDPR-defined fines.
Electronic signatures for consent
Any organization evaluating its consent mechanisms for GDPR compliance should consider the use of electronic signatures, especially when handling high-risk data such as personal financial information or medical records. Electronic signatures provide a secure, auditable and easy-to-use means of meeting GDPR consent requirements. For data controllers, the technology is an appropriate way to:
- Obtain consent.
- Meet the active opt-in requirement.
- Demonstrate how consent was obtained, including what was consented to, when and by whom.
Electronic signature technology makes it possible to capture customer consent from any device. By supporting different signature methods, such as click-to-sign and click-to-launch, e-signatures make the user experience as simple as clicking, tapping a signature box on a document or drawing a signature by hand on a touchscreen device.
It is important to recognize that an electronic signature is much more than a digital method of capturing a signature. Behind the screen is an electronic signature service that captures a full audit trail, with a record of what the signatory consented to, including when and how it was signed.
Under the GDPR, it is important to be able to demonstrate compliance after the fact. If your organization has not recorded all consent-related actions and does not keep reliable records, you run the risk of not being able to demonstrate compliance. Look for an electronic signature solution that records an auditable trace of what was signed, as well as the exact process used to capture signatures. This will help legal and compliance teams by providing direct visibility into when and how a signing process was carried out.
In the event that consent must be obtained in combination with other documents, such as terms and conditions, an electronic signature solution allows you to separate the signature from the documents and comply with the separation requirement of the GDPR. The electronic signature service also allows separate options within digital documents, so you can obtain separate consent for different types of personal data processing. And finally, when an organization changes data controllers, an electronic signature solution makes it easier to request a renewal of consent, if necessary.
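The properties described above (granular per-purpose consent, active opt-in with nothing consented to by default, withdrawal that is as easy as giving consent, and an audit trail that records what was shown, when and how) can be illustrated with a small consent ledger. This is an added example, not code from the article or from any e-signature product; the subject identifier, purposes, notice text and signing methods are constructed for illustration. The audit trail is hash-chained so that altering a stored record is detectable, and it is verified against a separately kept head hash so that silently dropping the most recent records (for example, a withdrawal) is detected as well.

```python
"""Tamper-evident consent ledger (added example; all data is constructed)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first entry in the chain


def _digest(body: dict) -> str:
    """Canonical JSON -> SHA-256, so the same record always hashes the same way."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class ConsentLedger:
    def __init__(self):
        self._log = []          # append-only list of consent events
        self._head = GENESIS    # hash of the most recent entry

    def record(self, subject, purpose, event, notice_text, method, when=None):
        """Append one consent event.

        event: "grant" or "withdraw" (no default: silence is never consent).
        notice_text: exactly what the subject was shown; only its hash is kept
        here, the full text would be stored alongside in a real system.
        method: how the action was captured (e.g. "click-to-sign").
        """
        if event not in ("grant", "withdraw"):
            raise ValueError("event must be 'grant' or 'withdraw'")
        when = when or datetime.now(timezone.utc)
        entry = {
            "subject": subject,
            "purpose": purpose,
            "event": event,
            "notice_sha256": hashlib.sha256(notice_text.encode()).hexdigest(),
            "method": method,
            "timestamp": when.isoformat(),
            "prev_hash": self._head,  # chains this entry to the previous one
        }
        entry["hash"] = _digest(entry)
        self._log.append(entry)
        self._head = entry["hash"]
        return entry

    def head(self) -> str:
        """Current head hash; keep a copy somewhere the log's owner cannot rewrite."""
        return self._head

    def status(self, subject, purpose) -> bool:
        """Active opt-in: consent exists only if the latest event for the purpose is a grant."""
        state = False
        for e in self._log:
            if e["subject"] == subject and e["purpose"] == purpose:
                state = e["event"] == "grant"
        return state

    def verify(self, expected_head: str) -> str:
        """Recompute the chain and compare with an externally stored head hash."""
        prev = GENESIS
        for i, e in enumerate(self._log):
            if e["prev_hash"] != prev:
                return f"bad-link@{i}"
            body = {k: v for k, v in e.items() if k != "hash"}
            if _digest(body) != e["hash"]:
                return f"bad-hash@{i}"  # an entry was altered in place
            prev = e["hash"]
        if prev != expected_head:
            return "head-mismatch"      # entries were dropped or replaced
        return "ok"


def demo() -> dict:
    """Constructed scenario: consent given, then withdrawn, then two tampering attempts."""
    led = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    notice = "We will email you product offers. You can opt out at any time."  # constructed
    led.record("sub-0001", "marketing_email", "grant", notice, "click-to-sign", t0)
    led.record("sub-0001", "marketing_email", "withdraw", notice,
               "account-settings", t0.replace(hour=10))
    head = led.head()  # stored out of band, e.g. timestamped or signed
    results = {
        "marketing": led.status("sub-0001", "marketing_email"),  # withdrawn -> False
        "analytics": led.status("sub-0001", "analytics"),        # never asked -> False
        "intact": led.verify(head),
    }
    # Tampering 1: rewrite the withdrawal as a grant -> hash of entry 1 no longer matches.
    led._log[1]["event"] = "grant"
    results["altered"] = led.verify(head)
    led._log[1]["event"] = "withdraw"
    # Tampering 2: delete the withdrawal -> chain still self-consistent, head differs.
    del led._log[1]
    results["truncated"] = led.verify(head)
    return results


if __name__ == "__main__":
    print(demo())
```

The second tampering case is the one worth noting: a hash chain on its own only proves that the entries present are consistent with each other, so truncating the log to hide a withdrawal passes the chain check. Detection depends on the head hash (or the whole log) being anchored somewhere outside the writer's control, which is what an independent e-signature service's audit trail provides.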
The GDPR contract between the controller and data processors
When a data controller uses a supplier to process personal data, the GDPR requires a contract with specific terms between the data controller and the data processor. The purpose of these terms is to ensure that the processor complies with the GDPR and to enable the controller to demonstrate its own compliance.
The importance of the contract and the required content of such a contract is described in the AEPD Guide to the GDPR as follows:
- “Contracts between controllers and processors ensure that both understand their obligations and responsibilities. They help them comply with the GDPR and help data controllers demonstrate their compliance with the GDPR. The use of contracts by controllers and processors can also increase data subjects’ confidence in the handling of their personal data.”
- “Contracts should set out the subject and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the data controller.”
Electronic signature technology is widely used to sign contracts with customers and partners across many industries and should also be considered for the contracts between controllers and processors. Because a controller may need signed contracts with many processors, look for an electronic signature solution that can send the same document to a large number of recipients in bulk and automate the process.
Conclusion
One of the cornerstones of your GDPR compliance is having the right measures in place to capture, record and manage customer consent. Electronic signature solutions such as OneSpan Sign provide a means to comply with consent requirements and the requirement for signed contracts with data processors. As a by-product of your GDPR compliance, it can also help advance other e-signature projects in your organization’s project portfolio. So make sure you choose the best-in-class solution that can scale with your growing e-signature needs, today and tomorrow.
Article extracted from Security Boulevard.