The General Data Protection Regulation (GDPR) applies across the EU from 25 May 2018, changing the way businesses record and store personal data. A year from now may seem a long way off, but businesses need to work out their GDPR strategies sooner rather than later to ensure compliance.
GDPR's main objective is to define the responsibilities of businesses that hold personal data and to ensure that data is kept secure; it also introduces much larger fines for breaches, of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
The Information Commissioner’s Office (ICO) is currently still publishing guidance on the upcoming regulation but the main principles have been outlined.
Transparency and accountability are key and businesses need to be able to prove to both customers and the government that they are committed to securing sensitive personal data and using it as stated.
It is important to remember that GDPR will not only apply to organisations established in the EU but also to any company, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour, meaning many businesses outside the EU will be affected by the change in regulation.
GDPR compliance through documentation
One of the main elements of GDPR is the "accountability principle" (Article 5(2)), which requires a company not only to comply with the data-protection principles but to be able to demonstrate that compliance, taking explicit responsibility for the personal data it holds on individuals.
Businesses will need to be transparent with customers about data processing, clearly stating what personal data will be used for, how it will be processed and for how long it will be retained.
Any consent given to use personal data must be verifiable: the business must keep a record of how and when consent was given and of exactly what the individual consented to.
The ICO states that "silence, pre-ticked boxes or inactivity does not constitute consent". Where consent is the lawful basis relied on, businesses must obtain a clear, affirmative indication of consent before using the personal data.
An Advanced Electronic Signature (AES), as defined in the eIDAS Regulation, could be an option for businesses to demonstrate and document consent. It is uniquely linked to the signer and capable of identifying them, is created using signature-creation data under the signer's sole control, and is bound to the signed document so that any subsequent change is detectable.
Long-term validation of an AES also serves as proof of compliance and documentation for GDPR purposes. This would help businesses meet the accountability requirement of Article 5(2) of GDPR and maintain the records of processing activities required by Article 30.
Advanced signatures following the ETSI PAdES standards make any alteration to a signed PDF detectable and, in their long-term profiles, embed a trusted timestamp together with the validation data (certificates and revocation information) needed to verify the signature years later, after the signing certificate has expired.
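The properties the two paragraphs above rely on, signer linkage and tamper evidence, can be seen concretely in a small signed consent record. The program below is an added example written for this article; it is not SigningHub code and not a PAdES implementation. It uses Ed25519 from Go's standard library to sign a constructed consent record (signer fingerprint, exact consent wording and its hash, purpose, time and method) and then shows that rewording the consent, even with the hash recomputed, or backdating it causes verification to fail. The record's timestamp is self-asserted; a real AES with long-term validation would replace it with an RFC 3161 timestamp from a trusted authority and bind the key to an identity through a certificate, neither of which is modelled here. All names and sample text are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ConsentRecord is the evidence kept for one act of consent: who consented
// (fingerprint of the signer's key), the exact wording, the purpose, when,
// and by what affirmative action. Field order is fixed, so json.Marshal
// yields a canonical encoding that can be rebuilt at verify time.
type ConsentRecord struct {
	SignerID    string `json:"signer_id"`
	ConsentText string `json:"consent_text"`
	ConsentHash string `json:"consent_hash"` // SHA-256 of ConsentText, hex
	Purpose     string `json:"purpose"`
	SignedAt    string `json:"signed_at"` // RFC 3339, UTC; self-asserted in this example
	Method      string `json:"method"`
}

// SignedConsent binds the record to the signer's key with an Ed25519 signature.
type SignedConsent struct {
	Record    ConsentRecord `json:"record"`
	PublicKey string        `json:"public_key"` // hex
	Signature string        `json:"signature"`  // hex
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// fingerprint identifies the signer by a truncated hash of the public key
// (a stand-in for the certificate subject a real AES would carry).
func fingerprint(pub ed25519.PublicKey) string { return sha256Hex(pub)[:16] }

// SignConsent produces the signed evidence for consent given at time `at`.
func SignConsent(priv ed25519.PrivateKey, text, purpose, method string, at time.Time) (SignedConsent, error) {
	pub := priv.Public().(ed25519.PublicKey)
	rec := ConsentRecord{
		SignerID:    fingerprint(pub),
		ConsentText: text,
		ConsentHash: sha256Hex([]byte(text)),
		Purpose:     purpose,
		SignedAt:    at.UTC().Format(time.RFC3339),
		Method:      method,
	}
	msg, err := json.Marshal(rec)
	if err != nil {
		return SignedConsent{}, err
	}
	return SignedConsent{
		Record:    rec,
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, msg)),
	}, nil
}

// VerifyConsent checks that the named signer matches the key, the wording
// matches its hash, and the signature covers the record exactly as stored.
func VerifyConsent(sc SignedConsent) error {
	pubBytes, err := hex.DecodeString(sc.PublicKey)
	if err != nil || len(pubBytes) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	pub := ed25519.PublicKey(pubBytes)
	if sc.Record.SignerID != fingerprint(pub) {
		return errors.New("signer id does not match the signing key")
	}
	if sc.Record.ConsentHash != sha256Hex([]byte(sc.Record.ConsentText)) {
		return errors.New("consent text does not match its recorded hash")
	}
	sig, err := hex.DecodeString(sc.Signature)
	if err != nil {
		return errors.New("malformed signature")
	}
	msg, err := json.Marshal(sc.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature invalid: record altered or wrong key")
	}
	return nil
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample consent; not taken from any real form.
	sc, _ := SignConsent(priv, "I agree to receive the monthly newsletter by email.",
		"marketing-email", "ticked an unticked box, then signed",
		time.Date(2018, 5, 25, 9, 30, 0, 0, time.UTC))
	fmt.Println("original:", VerifyConsent(sc))

	// Rewording after the fact is detected even with the hash recomputed,
	// because the signature covers the whole record.
	altered := sc
	altered.Record.ConsentText = "I agree to my data being sold to partners."
	altered.Record.ConsentHash = sha256Hex([]byte(altered.Record.ConsentText))
	fmt.Println("altered text:", VerifyConsent(altered))

	backdated := sc
	backdated.Record.SignedAt = "2017-01-01T00:00:00Z"
	fmt.Println("backdated:", VerifyConsent(backdated))
}
```

The private key here plays the role of the signature-creation data under the signer's sole control; in practice it would live in a smart card, HSM or remote signing service, and the public key would be bound to the signer's identity by a certificate rather than by a bare fingerprint.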
With SigningHub, signing markers can also be placed in documents to direct signers to the key information they are expected to read before signing.
Consent documents signed with secure e-signatures can help businesses demonstrate compliant GDPR practices and provide evidence should regulators ever come knocking or should customers request it.
Find out more about the different types of e-signature here.