Approved and adopted by the EU Parliament in April 2016, the General Data Protection Regulation (GDPR) represents the most important data protection regulation change in over 20 years. This new regulation aims to strengthen data protection for individuals within the EU, giving them greater say over what companies can do with the data that has been collected on them, and making data privacy rules as uniform as possible for businesses throughout the EU.

Once the GDPR comes into effect on May 25th, 2018, all companies processing and holding the personal data of subjects residing in the EU must comply with it, regardless of location.

How DocuSign is preparing for GDPR

One of DocuSign's top priorities is the privacy and security of our customers' documents and data, and we are actively following the EU’s transition to the GDPR. We have already made important strides in the area of data protection, many which are applicable to the GDPR.

As an organization focused on trust and careful handling of customer documents, DocuSign has developed a strong compliance culture and robust security safeguards that are reflected in its ISO 27001 certification. As discussed in more detail below, DocuSign has drafted binding corporate rules (“BCR”), including privacy codes, and submitted them with supporting documentation for approval by supervisory authorities in Europe. DocuSign’s GDPR compliance efforts will leverage these assets. DocuSign is actively monitoring regulator guidance and interpretations of key GDPR requirements to inform its efforts, and, like many cloud service providers, is reviewing its data protection program and making adjustments to ensure compliance with the GDPR by May 25, 2018.

Europe’s Data Transfer Restrictions and the Role of Binding Corporate Rules

The European Union (EU) has some of the strictest and most comprehensive data export requirements in the world. European data protection laws prohibit the transfer of personal data from the European Economic Area (EEA) to countries outside of the EEA that do not ensure an "adequate level of data protection." Binding Corporate Rules (BCRs) are one mechanism for lawful exports and are ideal for multinational companies.

Considered the gold standard for data protection, BCRs are a strict set of rules for the members of the corporate family. BCRs are recognized under current data protection law and the GDPR as a mechanism to protect the privacy and fundamental rights and freedoms of European data subjects and to permit lawful transfer of data outside of the EEA. They are very difficult to obtain, with European DPA approval, which includes a lead DPA and two consulting DPAs, typically taking 1-2 years as well as the significant resources required to draft, implement, and maintain.

Only the most privacy-committed organizations successfully achieve BCR certification. To date, fewer than 100 companies worldwide have obtained BCR approval; and of those, only a few are approved as BCR for processors (BCR-P). Adherence to the BCR Codes is backed by audits and staff training programs, which are overseen by an internal privacy compliance team and made binding by a company-adopted legal instrument.  DocuSign is committed to achieving and maintaining customer trust, and in this endeavor, DocuSign has drafted binding corporate rules (“BCR”), including privacy codes, and submitted them with supporting documentation for approval by supervisory authorities in Europe. Currently, DocuSign is awaiting approval for its submitted BCR applications.

BCR for Processors

Like standard BCRs, BCR-P are a global, company-wide privacy framework that allows the transfer of customer personal data outside of the EEA once they have been approved by European DPAs. Specifically, BCR-P govern the transfer of personal data by a company acting as a data processor. All DocuSign group members have signed the BCR-P and will be bound to comply with them. The BCR-P will help ensure robust data protection practices throughout the corporate family and satisfy the European standards of data protection for customer personal processed by DocuSign via the DocuSign Signature service.