It’s been a year now since the infamous General Data Protection Regulation (GDPR) came into place and every marketer is stressed to do an anniversary blog or webinar by the end of the week. No hiding here, that’s why I’m writing this blog on the train this morning. I did a quick research on the types of content that have been published around the “GDPR’s first year anniversary” and it is clear that the most popular articles mainly consist of themes around “looking back” and “what to expect”.
At Oneflow, we always #beatyesterday – well in this context, we want to do it better than the rest, so we won’t talk about any of those. Instead we want to talk about the juicy bits that we believe will provide the most value to our readers.
Before we start, let us summarize the findings for our precious readers. As usual, we want to make sure that whatever we do, our content will either save you time, or teach you something.
Looking back to GDPR
Remember the overall goal of the GDPR?
Don’t worry if you don’t, the European Commission issued the following statements in celebrating the first year anniversary of the GDPR as a reminder:
“The main aim of the rules has been to empower people and help them to gain more control over their personal data. This is already happening as people are starting to use their new rights and more than two-third of Europeans have heard of the regulation.”
Here are some of the selected fun facts that have happened since the GDPR:
- Kudos to the GDPR, people are becoming more aware that we own our personal data! Now a whopping 6 out of 10 people are aware of the data protection law in their country compared to 4 out of 10 people in 2015.
- Also for the people – countries beyond the EU have started implementing new regulations around data privacy and protection too.
- The European Data Protection Board has registered over 400 cross-border cases around Europe – data protection does not stop at national borders.
- The Data Protection Commission aka the GDPR watchdog has received more than 1,300 complaints.
- GDPR enforcement actions have resulted in €64.5M fines, at least according to this handy infographic.
What will happen in the next coming months
No need to listen to inofficial GDPR police and content marketers on the Internet. This is what Andrus Ansip, Vice-President for the Digital Single Market and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, from the European Commission said:
“Our key priority for months to come is to ensure proper and equal implementation in the Member States. We urge the Member States to respect the letter and the spirit of the GDPR in order to create a predictable environment and avoid unnecessary burden for stakeholders, in particular SMEs. We will also continue our close collaboration with the European Data Protection Board and national data protection authorities, as well as businesses and civil society to address the most burning questions and facilitate the implementation of the new rules.”
And here comes the juicy bits that we are all wondering about
How have other companies like yours do their bits to comply to the GDPR? More importantly, how did they do it?
To start with, e-signatures provide a fast and secure method of signing contracts in an auditable way. For those who are unfamiliar with the e-signature or e-sign world, the typical use cases and types of contracts we see businesses using Oneflow are for signing:
|Sales||HR||Procurement||IT & Legal||Finance|
|Sales proposals, quotes, purchase orders, client contracts, statement of work, licensing agreements||Employment contracts, timesheets, option program, tax forms, recruitment agreements||Vendor agreements, service renewals, reseller agreements, time and material contracts, lump sum contracts||Policy agreements, power of attorney agreements, NDAs, confidentiality agreements, claim processing documents||Investments agreements, disclosures, internal controls, loan applications, account opening and maintenance|
Besides those, with the implementation of the GDPR, many companies are reaching out to us to inquire around the following use cases which we’ll detail in the next chapter.
#1 Finding “old” personal data among all contracts with the intention to remove or delete it
The GDPR applies to all personally identifiable information. If the processing activities such as saving, sending, filing documents containing personal data involve manual steps, it cannot easily be tracked and controlled.
Many companies, specifically the HR departments, store contracts containing personal data of the employees on their computer folders or in their email inboxes – intentionally or not. When a contract expires, the personal data should be removed in compliance with the GDPR.
The removal of data, obviously, not easily achievable if the flow of that personal data within the organization and systems are not digitalized or centralized. One would have to rely on manual work to achieve this and there’s a huge risk that errors and noncompliance occur.
This is one of the biggest differences in Oneflow compared to other e-signature platforms. Besides the actual signing, we believe that the “pre-sign steps” such as getting the contract designed and negotiated, as well as the “post-sign steps” such as archiving, managing access and tracking contract events, should take place within the same platform.
Key benefits of using Oneflow as E sign platform in this scenario:
- Automatically track and map personal data flows by having all contracts created and process within a single platform
- Easily organize and search all your contracts in one place
- Control access to the contracts from a centralized system
#2 Getting an active opt-in, customer consent, and data processing agreements signed
In compliance with the GDPR, in certain circumstances, an active opt-in in regards to how and when the personal data is processed is necessary.
An example that I, as a marketer, have personally experienced recently was the potential compliance risk regarding using our customers’ personal data such as photos, name, portrait shots from video footage, etc. in connection with the publication of customer case studies on our website.
Although we have verbally agreed that they are good to go, in order to be 100% compliant with the GDPR (cover our arses), we would still need to get a consent agreement signed by the customer.
Here are the three simple steps I’ve taken to achieve this:
- I draft the content of such agreement based on best practice and get an approval from the legal team.
- I create the contract template in Oneflow with embedded empty fields such as name, checkboxes for consent types, etc. where I or the customer can fill in on their own.
- I simply apply the template and create a new contract with a mouse click to send, track, and request for e-signatures from each of the customers as needed.
The signed documents are automatically and securely stored in our contract archive which is accessible and searchable anytime.
Besides getting consents signed, many Oneflow customers use our platform to send data processing agreements to their customers and vendors with a few easy clicks.
Key benefits of using Oneflow in this scenario:
- Contract templates are centrally managed and can be easily reused by staff within the organization
- Content can be split up in customizable and non-customizable sections so the contract owner has full control over the outgoing contracts
- Customer can review e-sign the contract on any device because the contract created in Oneflow is responsive
- Obviously, e-signing with Oneflow is fast and not only legally binding, but also independently verifiable
#3 Managing and tracking user access to contracts containing personal data
With the GDPR, controlling who has access to employee and user data is key to complying with the regulation.
The three pillars of information security in terms of data privacy are integrity, availability, and confidentiality.
- Integrity relates to ensuring the data is not edited or modified in an unauthorized way once stored
- Availability relates to accidental loss, but it also includes the requirement for the information to be available whenever it is needed and in the required form.
- Confidentiality is concerned with setting limits on who may have access to specific information, based on their need to know.
It is established that contracts often contain personal data. Unfortunately, when processing such documents, many companies are still relying on manual handling that is prone to human errors.
This includes emailing contracts attached in emails back and forth, creating and managing contracts in analog and semi-analog formats such as Word/PDF/paper, or saving a different contract version every time there is a change to the contract on your local computer.
There is no way telling or controlling who may have access to the personal data – contributing to a potential breach in confidentiality.
Oneflow offers a powerful, yet easy to use, advanced roles and permission system that allows users to literally micromanage user access to contracts.
Key benefits of using Oneflow in this scenario:
- Ensure that personal data can only be accessed by the right people within your company
- Eliminate prone-to-error processing activities such as “attach to email” and “save to disk” because such activities can be managed and tracked in Oneflow
- Easily control, grant, or remove your employee’s access to certain data to reflect the change in the employee’s role, the status of employment, etc.
Want to up your GDPR game?
Complying to the GDPR is a continuous process. If you are interested to know more about the above use cases and how other companies use Oneflow to up their GDPR game, please don’t hesitate to contact us.