Approved and adopted by the EU Parliament in April 2016, the General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. This new regulation aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the data that has been collected on them, and making data privacy rules as uniform as possible for businesses throughout the EU.

Once the GDPR comes into effect on May 25th, 2018, all companies processing and holding the personal data of subjects residing in the EU must comply with it, regardless of location.

How DocuSign is preparing for GDPR

One of DocuSign's top priorities is the privacy and security of our customers' documents and data, and we are actively following the EU’s transition to the GDPR. We have already made important strides in the area of data protection, many of which are applicable to the GDPR.

As an organization focused on trust and careful handling of customer documents, DocuSign has developed a strong compliance culture and robust security safeguards that are reflected in its ISO 27001 certification. As discussed in more detail below, DocuSign has received approval of its applications for Binding Corporate Rules as both a data controller and a data processor. DocuSign’s GDPR compliance efforts will leverage these assets. DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements to inform its efforts, and, like many cloud service providers, is reviewing its data protection program and making adjustments to ensure compliance with the GDPR by May 25, 2018.

Europe’s Data Transfer Restrictions and the Role of Binding Corporate Rules

The European Union (EU) has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that do not ensure an "adequate level of data protection." Binding Corporate Rules (BCRs) are one mechanism for lawful exports and are ideal for multinational companies.

These approved BCRs demonstrate DocuSign’s strong commitment to data protection and to our robust internal data protection practices. Towards this end:

  • A global, DocuSign-wide privacy framework was reviewed and approved by European Data Protection Authorities.
  • Approval allows the transfer of customer personal data from the European Economic Area (EEA) to outside of the EEA.
  • Approval covers all the documents, signatures, and document-related transactional data generated when using the DocuSign signature service.

By relying upon DocuSign’s BCR-P certification, customers can:

  • Ensure compliance with EU data export rules wherever the personal data is processed within the signature service.
  • Be assured that personal data is protected whenever a sub-processor comes in contact with it.
  • Demonstrate to their own customers that they are applying the ‘gold standard’ of data transfer mechanisms.
  • Feel secure in knowing that DocuSign’s data protection policies and practices were reviewed with intense scrutiny by European DPAs.