GDPR Consent and E-Signatures


Although the GDPR is a piece of EU legislation, Brexit will have no impact on its implementation. As of 25th May 2018, all companies and organisations that collect, process and/or manage personal data must have a robust policy in place that complies with the regulations. Failure to do so will result in costly fines that can equate to 4% of annual revenue or €20 million (whichever is greater).

What is GDPR Consent?

The GDPR is explicit about what constitutes ‘consent’, which it defines as:

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

It is the responsibility of all companies and organisations to review their current methods of data collection, storage and distribution to ensure that they meet the requirements of the GDPR. Consent should be:

  • A standalone mechanism.
  • Opt-in, not opt-out.
  • Fully documented with an audit trail of how, when and where it was obtained.
  • Granular with options for differing degrees of consent.
  • Clear, concise and specific.
  • Able to be withdrawn easily by the data subject.

The Information Commissioner’s Office (ICO) has published guidance documents on best practice for achieving these pre-conditions. The key points of this guidance can be summarised as follows:

Standalone

A request for consent under GDPR should not be bundled with other terms and conditions; it should be a separate mechanism for obtaining authorisation. The consent for data collection should not be a precondition to any service unless it is an essential component of that service.

Active Opt-In

In the past, consent for data collection (among other things) has been an ‘Opt-Out’ mechanism with pre-checked boxes being a common method for ensuring that users register their details. The GDPR is explicit in this regard and a data subject must be able to make an active decision to consent to their data being processed.

Audit

Obtaining consent is one element of the GDPR but companies must also be able to demonstrate exactly what a data subject has consented to, including details of when they consented, and by what method this consent was obtained.

Granular

Where appropriate, consent should be obtained via the use of well separated and defined options as to the type of data processing an individual is consenting to.

Get Specific but be Clear

It should be immediately obvious to users exactly how their data is going to be used, stored and shared. This includes the specifics of ‘who’ the data is used by and for what purposes. Always name your organisation alongside any third parties to demonstrate that there is no ambiguity in what is being consented to.

Easily Withdrawn

GDPR consent must be accompanied by a simple and clear statement that a data subject can withdraw their consent at any time. This should be accompanied by the means by which they can do this. The ICO insists that withdrawing consent for GDPR should be as easy for an individual to do as it was to consent in the first place.

The standards set by the GDPR are high and represent a growing demand by the general public for data security. This valuable commodity is a mainstay of many businesses’ sales, marketing and research activities and has not always been treated with the privacy and security that it deserves. The main objective of the GDPR is to address this issue, but it would be naïve to imagine that there are not greater benefits available to companies who can implement these measures effectively.

A survey by the Open Data Institute (ODI) in February 2018 identified that 94% of consumers said that trust was important in deciding whether to share personal data. However, the same survey revealed that only 22% of consumers trust online retailers with their personal data, 57% trust banks and 41% trust local government. Clearly, companies that can master the requirements of GDPR will benefit from enhanced brand reputation as well as avoiding potential fines.

Obtaining Consent with Electronic Signatures

Electronic signatures have long been used as a means of obtaining clear and secure authorisation from users for many different applications. They are most often used in situations where legal compliance is a factor, particularly for high-risk data such as financial or medical information.

Not only do electronic signatures offer an auditable means of obtaining consent under the GDPR, but they are also a trusted method of compliance. The technology is compatible with most commonly used devices and offers a simple-to-use interface, including click-to-sign and click-to-initial e-signatures.

An e-signature solution that offers an audit trail of what was signed along with the full process of the capture method can demonstrate full compliance under GDPR.

Third Party Data Processing and Electronic Signatures

The benefits afforded by e-signatures for initial consent can also be applied to third party data processing contracts. The same simple, reliable and secure method can also be used to set up the contracts between the data controller and their data processors.

This is crucial under GDPR, which covers the exchange of data beyond the relationship between the data subject and the company they consented to share personal information with. Whenever you share the data you have collected with a third party, you must ensure that it is treated with the same compliance methods as the original consent.

E-signature technology used to establish a contract between data controllers and data processors not only ensures wider GDPR compliance but also enhances the trust between the data subject and the organisation they choose to share their personal data with.

Choosing an E-Signature Solution

Capturing, storing and managing customer consent is a critical element of GDPR compliance, and opting for an e-signature solution that has full auditing is essential.

Another consideration is scalability: choose a solution that can meet the current and future demands of your data processing. This should also take into consideration how and where in your organisation e-signature technology can further improve security and efficiency beyond GDPR compliance alone.

OneSpan Sign by Vasco not only covers the consent process but also includes provision for contracts with third party data processors. Easy to use but robust and secure, this flexible and scalable solution offers comprehensive auditing and customisable e-signature technology. A best-in-class product, OneSpan (formerly eSignLive) is a cost-effective solution for GDPR compliance as well as other e-signature needs.