4 Key Criteria to Consider When Evaluating Solutions
The EU General Data Protection Regulation is now officially in effect. If your organization transacts with individuals and businesses on a global scale and is looking to implement e-signatures, ensure the solutions on your shortlist are able to demonstrate full compliance with the GDPR requirements. Here are four key criteria to consider.
The European Union’s (EU) new landmark privacy law called the General Data Protection Regulation (GDPR) [Regulation (EU) 2016/679] is now officially in effect. The GDPR expands the privacy rights of EU individuals and places new obligations on organizations that market, track or handle EU personal data. The rise of technologies such as the cloud and social media has changed the privacy landscape for good, and the EU’s updated data privacy standard takes into account the implications of these new technologies on personal data. The good news is that unlike its predecessor, the Data Protection Directive 95/46/EC that introduced administrative burdens and a fragmented legal framework, the GDPR is a single law and applies unilaterally across the EU as of May 25, 2018.
All companies that process and hold the personal data of individuals residing in the EU must comply with the GDPR, regardless of company location. This includes e-signature providers that help organizations around the world automate and digitize their manual, paper-based processes. E-signature solutions manage and process documents that may include personal data, therefore it is important that they ensure adequate privacy protection and empower citizens the right to access their personal data. If your organization transacts with individuals and businesses on a global scale and is looking to implement e-signatures, ensure the solutions on your shortlist are able to demonstrate full compliance with the GDPR requirements.
Here are four key criteria to consider when evaluating e-signature solutions to ensure they meet the security and data privacy needs of businesses in the EU:
1. Does it prohibit the export of personal data from the EU?
The solution should be able to meet data localization requirements by using a deployment model where the system used to process personal data is self-contained within the target region (i.e., the EU). This is important because data should be captured, processed and stored within in the target region and there should be no interconnection between the environments that would result in data and documents being transferred over to a different geographic area. If personal data leaves the EU and the e-signature system has a dependency on servers in other parts of the world (e.g., the U.S.), the solution is not meeting requirements outlined in the GDPR.
2. Does it ensure the “right of access?”
Part of the expanded rights of data subjects (i.e., your consumers) outlined by the GDPR is their right to obtain from the data controller (i.e., your business) confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Make sure the vendor you select ensures the right of access, a critical GDPR requirement.
3. Does it offer a flexible deployment architecture?
If your organization isn’t ready for the cloud, look for a provider that also offers both on-premises and private cloud deployment options with data centers around the world to meet regional data residency requirements. And because your IT and security needs will change over time, ensure that you have the flexibility to migrate from one deployment to the other.
4. Is it built on market-leading cloud infrastructure services (e.g., Amazon Web Services, Microsoft Azure, IBM Cloud, etc.)?
Proven and enterprise-ready e-signature solutions are built on compliant and highly secure global data centers with real-time replication of data, optimal performance and military-grade security of facilities. E-signature vendors with an “owned” data center strategy should be considered a risky bet.
Consult your legal counsel to determine the impact of the GDPR on your business and what you can do to ensure the GDPR-compliant processing of your data and documents. GDPR readiness is a shared responsibility. The GDPR is a shared journey, as it sets out obligations for the various parties involved in controlling and processing personal data. It is a set of regulations that go beyond a simple checklist of requirements that can be fulfilled by a service provider alone. GDPR compliance requires a partnership between the provider that processes personal data and the business or organization that controls it.