Are E Signature solutions GDPR compliant?

I’ve been given the task of finding an e-signature solution for our practice for confidential documents. We do use Docusoft which has its own portal that we trialled for a time, but the customers found the concept unworkable supposedly. This was before I joined but I’m being told that having to sign in was a major gripe for them. We also use IRIS and I’ve quickly looked at IRIS Openspace but again, ID and password needed client side.

So, I have been looking at SignRequest and HelloSign amongst other solutions. My main concern though is the security, GDPR etc. If the client just receives a link for the document online then that surely can't comply with GDPR, can it? Also, SignRequest sends you a copy of the signed document back, which is easier, but again is it compliant with GDPR? I’m starting to think that to be compliant we will need something which uses an ID and password for the client... or am I being overly cautious?

Has anybody else thought about the security implications of e signatures and what conclusions did you come to?

By Locutus
06th Dec 2018 12:05

JonoC wrote:

If the client just receives a link for the document online then that surely can't comply with GDPR, can it?

I use Iris OpenSpace and assume others work in a similar way. The documents for signature are held on a secure encrypted portal, which requires a password to access.

Without the password for the portal, you cannot access the document. I would have thought that is GDPR compliant.

Thanks (1)
By Maslins
06th Dec 2018 12:15

I don't think it's as clear cut as the latter solutions don't comply with GDPR. However, I do agree they are a bit less secure, as if someone else intercepts the email, they can do as they please with the document (whereas if it's behind password protected portal they'd also need to know the login for that).

However I sympathise with your opening blurb about grumbling clients. Increased security almost always comes with decreased convenience. I don't think you can have both sadly.

So for us, the next question is do you/we:
a) go with the less secure but convenient option, annoying clients who take data security seriously.
b) go with the more secure but less convenient option, annoying clients who don't want a dozen logins.
c) have two options, the client chooses...being annoying for you as a firm(!).

I'm still torn on this...but take some comfort from the fact that by me just thinking about it I imagine we're a step ahead of many firms!

Thanks (1)
By Tim Vane
to Maslins
06th Dec 2018 14:14

Maslins wrote:

I'm still torn on this...

How can you be torn? You've just stated that (having assessed the risks as required by GDPR) you have determined that one option is not adequately secure. You therefore, under the terms of GDPR, have a duty to avoid using that method, since you have an alternative that is secure. The clients' desires have nothing to do with your obligations under the GDPR.

Thanks (0)
By Maslins
to Tim Vane
06th Dec 2018 15:13

I didn't say "not adequately secure". I said "a bit less secure" (yes, not a technically sophisticated answer, but I'm not an IT/data security expert). I'm also not a GDPR expert...but I don't think it's in breach of GDPR.

So I do think (rightly or wrongly) it's a case of gaining a modest understanding, weighing up the pros and cons and making a decision accordingly.

Thanks (0)
13th Dec 2018 10:26

All clients start off grumbling about portal but just keep persevering - after a bit one by one decide to use it. We still send paper out and ask for approval by paper or portal.

Last year one of the "paper" clients used the portal - I was amazed, but bullying clients won't work. It does not work for Theresa May and it won't put the practice in a good light.

We started using portals over 5 years ago and still not all clients want to use it. As an aside, many cannot get access from "work" computers because of firewall issues.

Thanks (0)
13th Dec 2018 10:50

Security and privacy are different things - though in practice tend to be 'close-coupled'.

GDPR 'merely' requires that you only take the data necessary to operate the contractual relationship with the client and do not release it, even inadvertently, to any third party either not statutorily/contractually entitled, and/or without the client's express consent. [Art. 5 & 6]

Security [and 'good practice operational processes'] contributes to the "not release it, even inadvertently" bit.

Strictly, also, if any operation on the client's data, such as automatically sending out emails, is the result of an automated process, then you must get the client's specific consent to automatically process their data for that purpose. [Art. 22]

By and large the requirements do drop out of a common-sense reading of the GDPR itself. Many of my colleagues, surprisingly, have depended on seminars etc. and not actually read the Regulation [in English at ], which I find very strange. And for a 'law' it's a surprisingly easy read!

Thanks (0)