What is GDPR?
The General Data Protection Regulation (“GDPR”) is a European data protection law that will be enforced as of May 25, 2018. It aims to update data privacy standards to address the increase in the creation and processing of personal data in today’s technology, including the cloud and social media, and to impose robust accountability. In short, GDPR, with its new requirements for handling personal data and documenting those practices, requires organizations that process personal data to be accountable for it. It also emphasizes increased transparency and choice for data subjects (i.e. the individuals described by personal data).
What are Binding Corporate Rules (BCRs) and does DocuSign have them?
BCRs are a set of internal binding rules that define a corporation’s global policy with regard to data protection. BCRs are submitted to data protection authorities in the EU who review them, request changes or clarifications where they wish, and ultimately approve them as providing an adequate level of protection for the privacy and fundamental rights of individuals in the EU. Once approved, personal data transferred to and within the corporate family is protected by this rigorous data protection scheme. DocuSign is committed to achieving and maintaining customer trust, and in this endeavor, DocuSign is actively pursuing BCRs. DocuSign has submitted BCRs for approval by data protection regulators in Europe.
What is the difference between BCR and GDPR?
BCR stands for binding corporate rules. GDPR stands for the General Data Protection Regulation. GDPR mentions BCR as an approved means of ensuring adequate privacy protection for personal data exported from Europe to countries like the United States.
- BCR is one of three approaches to ensuring adequate privacy protection for personal data exported from the EU to countries like the United States. The other two are standard contractual clauses and the EU-US Privacy Shield. Without one of these measures in place, exports of personal data from the EU to the United States are not lawful. BCR is regarded by some as the gold standard for data transfers because it entails regulator review of an organization’s data protection practices and is explicitly mentioned in the GDPR.
- BCR is relevant to GDPR compliance because it indicates a high level of maturity in data protection, but meeting the requirements of BCR does not ensure compliance with the additional requirements of GDPR.
- GDPR is a new data protection law in Europe. Like previous data protection laws in Europe, it prohibits exports of personal data from the EU to the United States unless an adequate transfer mechanism like BCR, standard contractual clauses or Privacy Shield is in place.
What is DocuSign doing to prepare for GDPR?
As an organization focused on trust and careful handling of customer documents, DocuSign has developed a strong compliance culture and robust security safeguards that are reflected in its ISO 27001 certification. DocuSign’s GDPR compliance efforts will leverage these assets. DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements to inform its efforts, and, like many cloud service providers, is reviewing its data protection program and making adjustments to ensure compliance with the General Data Protection Regulation (“GDPR”) by May 25, 2018. DocuSign’s ongoing commitment to data protection is evidenced in a variety of ways:
- DocuSign has drafted binding corporate rules (“BCR”), including privacy codes, and submitted them with supporting documentation for approval by supervisory authorities in Europe. Upon approval, DocuSign’s BCR will be very helpful to GDPR compliance.
- DocuSign currently enters into EU-approved Controller to Processor Model Clause Agreements with customers to ensure adequate protections for the privacy of EU data subjects and compliance with the law.
- DocuSign has and maintains certifications for ISO 27001 and PCI Data Security Standard.
- DocuSign maintains controls sufficient to meet the objectives of SOC1 and SOC2, or equivalent standards, and is assessed against those standards annually.
- All ‘eContract Data’ created by our customers when using the DocuSign service is automatically encrypted with an AES 256-bit, or equivalent, encryption key.
- eContracts processed by DocuSign for customers in the EEA can be stored in European data centers.
Is DocuSign using DocuSign Signature to support its GDPR compliance efforts?
DocuSign commonly employs DocuSign Signature to support internal processes, such as policy creation, review and approval. DocuSign also leverages DocuSign Signature to deliver and track training. These efforts are important aspects of DocuSign’s GDPR compliance efforts.
- Because DocuSign Signature is well-suited to securing consent in accordance with the GDPR, DocuSign will look closely at deploying it for use cases where DocuSign relies on consent as a lawful basis for processing personal data.
- DocuSign typically uses DocuSign Signature to execute contracts with its service providers, including data processors. DocuSign will deploy DocuSign Signature as a part of its efforts to ensure that its agreements with data processors contain the data protection terms required by GDPR.
Can DocuSign offer GDPR terms in its contracts?
DocuSign can agree to comply with applicable law and can promise to add certain terms required by GDPR closer to its date of enforcement. DocuSign will continue to monitor developments regarding GDPR, particularly regulator interpretations and guidance, as it crafts the contractual provisions indicated by GDPR.