Despite the GDPR coming into effect next May, some 60% of companies are thought to have yet to make plans for compliance. The GDPR represents a huge shake-up to data protection, but offers great opportunities for businesses to re-engage with customers and differentiate themselves in the market.
As one of the four breakout sessions at this year’s MomentumX, the GDPR Legal Panel discussed the impact of the regulation on European businesses and individuals, with a specific focus on consent and how eSignatures and DocuSign can be a part of a GDPR solution.
- Tracy Beam, Principal Digital Strategist, DocuSign
- Renzo Marchini, Partner, Fieldfisher LLP
- Elena Gilotta, Director of EMEA Legal Compliance, Box
- Jacqueline de Gernier, Area Vice President, DocuSign
Tracy: Renzo, how are you seeing your clients reacting to the GDPR?
Renzo: In a number of ways. There are obviously the early adopters, often those who have great privacy in-house teams, but we do have quite a lot of clients who are coming later to grappling with the issues. People are still waking up and asking what they do about GDPR. Fully regulated entities are often those that have started early. There are also those that just want quick easy wins.
Tracy: Elena, how does Box approach data privacy and security?
Elena: Box has been working with data privacy for a long time. It has always been in the design of the product. Box’s approach to data privacy is always to go to the highest bar, identify any gaps, and make sure Box is compliant. With the GDPR, Box is focusing a lot on Europe, of course.
Tracy: Jacqui, can you tell us about some of the GDPR-related discussions you’re having with customers?
Jacqui: I guess the discussions can be put in two buckets, so to speak. A lot of customers want to speak about how we’re preparing for the GDPR and we’re very happy to talk them through some of the existing security credentials that we have in place and some of the things we are working on as we prepare for May 2018.
The other part of the discussions we’re having is actually how we can help organisations with their preparations for compliance. A lot of businesses – some of them very small, some very large – have been approaching DocuSign and asking how we can help them very quickly and very easily achieve consent both with consumers and employees. I think a lot of conversations concern customer consent, but it’s also EU-based employee consent as well.
Our tools include an audit trail that proves that consent was given and yes, an eSignature is not necessarily required, but it does need to be unambiguous consent so an eSignature is a very good way of providing that.
Tracy: Renzo, what are the key areas you would advise your clients to consider?
Renzo: The starting point is understanding where the data is. That’s not only because of Article 30 of the GDPR (which requires records to be kept), but also because it drives every other compliance activity. If you don’t know what data you have and where it is, how can you sort out the cross-border flows? How do you know if you need consent or if you need to align legitimate interests, or whatever it might be?
We have 200 working days before it comes into force and there is a lot to be done if you’re doing everything. The quick low-hanging fruit items are getting your privacy notices (which people can easily see) up to date so people. You need to re-procure your contracts and renegotiate the key contracts particularly.
Tracy: Elena, from a client perspective, what internal teams are you working with?
Elena: There are four major groups: product, it’s compliance itself, it’s legal, and HR, with a few other groups that are heavily involved. All the various groups that need to be compliant have their life made easier by having something like Box enterprise-wide. All of the data is in Box. All of the data mapping comes out much easier, making it easier to comply.
Tools like DocuSign also make it easier on other levels. We use DocuSign for everything that is employment-related and it’s so much easier tracking all the consent for that.
Tracy: Renzo, how much is the GDPR an opportunity to be transparent to customers in their practices?
Renzo: Yes, privacy is a good thing. There are organisations out there that will take the GDPR by the horns. It’s a great opportunity to tell people that we are a brand that you should be happy to do business with. Many companies, even those not applying for BCRs [Binding Corporate Rules], are taking the GDPR as an opportunity to transform informational governance throughout the organisation. Other countries will also want to maintain the so-called adequacy standard and keep up to speed. It’s a great opportunity for everyone to increase that interaction with their data subjects.
Tracy: Jacqui, what do you think the GDPR means for DocuSign and its customers?
Jacqui: It’s given us an opportunity to talk to our customers about new use cases and consent, so it’s a great way for us to continue to add value to how they’re using DocuSign. The GDPR has really been a way of forcing security and trust up the agenda and putting a lot more emphasis on that part of the discussion.
The security of the DocuSign platform can be a really key differentiator when customers are deciding between different solutions. The GDPR has given us a really nice framework to emphasise that. It’s also given customers the opportunity to look at some of their existing processes and to re-engineer or enhance them, and it’s a great way for them, in turn, to differentiate.
To learn more about the GDPR and how DocuSign can enhance your ability to comply, watch our webinar with Phil Lee, Partner at Fieldfisher.