DocuSign on GDPR – Procurement Professionals Need to Act Now

At the recent BravoSolution utilities sector customer event in Cardiff (see our round up here), Max Garth, corporate counsel at DocuSign, spoke about GDPR (the General Data Protection Regulation). This is an issue that is occupying more and more time for procurement people – and if it isn’t being discussed in your organisation and your procurement team, it probably should be.

Garth, a lawyer by training, explained that GDPR really builds on existing data protection regulations – it is not “new” in a true sense. He sees it as an opportunity to build trust and better relationships with customers. There are penalties of course, but you can and should look on it as a positive.

Any business established in Europe or anywhere else in the world which offers goods or services to individuals in the EU – or monitors the behaviour of individuals – is caught by the regulations. There are strict obligations to gain consent from “data subjects” (i.e. anybody about whom you hold information), and “data processors” who work with the data are now legally responsible for their actions as processors. There are enhanced security obligations, and breach notifications are now required, not just advisable.

There is more focus on record keeping, to ensure it is appropriate, and every organisation should regularly ask itself the question – “do I need to hold that information?” If not, get rid of it (securely of course). Under GDPR, consent to hold data must be freely given, specific, informed and unambiguous.

The interesting questions for procurement are around what actions we should be taking with our suppliers now and on an ongoing basis. If a supplier is holding data that is connected with our customers (or staff), for instance, and that supplier falls foul of the rules, then the regulator can go after the supplier rather than you. That’s the good news. However, it really helps “if you can demonstrate you have done everything you can reasonably be expected to do”, explained Garth. In that case, the supplier will probably carry the can. But if you can’t show that … the regulator may come after you.

This means organisations may need to take a more structured approach to onboarding new suppliers, as well as moving legacy (existing) suppliers to new compliant data protection contractual terms. It doesn’t mean you should fire any supplier who does not agree to your terms, but you need to show you have taken reasonable steps to ascertain that suppliers are complying.

The sort of use cases Garth mentioned included marketing – personal information used for e-marketing, for example. In HR, there will be data relating to job applications and employee benefits. Personal data will also be held in the medical field, and online there needs to be consent to use cookies and other tracking-type technologies.

It was a very good and clear presentation from Garth, and of course he was there representing DocuSign, so he also told us a little about the firm’s offering in relation to GDPR. Their digital tools around contracts can be useful in terms of recording consent and maintaining a good audit trail for key documents – all useful if anything did get challenged under the regulations. No doubt he and the firm will be delighted to speak further if that is useful – here is his LinkedIn page!

And on a related note, we also heard another very good speech from a lawyer (Dean Armstrong QC actually) on the same topic a week or so later, as he spoke at the CIPS Fellows’ Dinner. We’re hoping to have more from him after Christmas on GDPR as we move inexorably towards the May 2018 launch of the regulations.


First Voice

  1. Jacky York:

    Hi. Just to clarify – you don’t always need prior consent to use personal data. It depends on what it is being processed for – there are several legal bases that apply. Even when it comes to marketing – prior consent is only one option – and that tends to be for electronic comms – email mainly. And that is covered by PECR. However, there are significant changes to how you justify using that personal data if you don’t have prior consent. And, importantly, you have to inform data subjects what you are using that data for, and what is the legal basis you have decided to base that processing on.

    And, you have to inform data subjects of their rights – which have been strengthened.

    Some people are jumping to conclusions over consent, so it is important to find out how the new regulations apply to your business.

    I’ve found some people are also confusing consent with the need to inform – transparency. They are not the same issue.
