Share this content

E-signatures via email - GDPR

How does GDPR affect then use of emailed e-signature requests?

Didn't find your answer?

We are looking for a secure alternative solution to IRIS OpenSpace for requesting client approvals/signatures. We are dismayed with their pricing and customer service.

There are a number of applications available to obtain client signatures via email such as docusign, hellosign etc. As far as I understand, these rely on you uploading a document into the application which is then sent via encrypted email for signing.

We don’t want to go down the route of adding passwords to every document we send because it is not efficient. So is the fact that the application encrypts the email sufficient from a GDPR perspective? The document itself is not password protected, so if the email account has been hacked, the document could be read by the hacker.

Iris OpenSpace is more of a document sharing facility where the client can login and access documents or approve within the portal. On the face of it, that seems more secure, but actually if that client’s email account has been hacked and you send an email to tell them to login to OpenSpace and view/approve a document, I assume all the hacker has to do is reset the login password for OpenSpace and receive the password reset link via the email account, and Hey Presto!

So on the face of it, both options are not 100% secure.

I see many other accountants commenting about using the various e-sign offerings. I’m just confused how GDPR impacts on it.


Replies (1)

Please login or register to join the discussion.

By paul.benny
14th Oct 2020 14:29

It seems to me that you're overthinking this.

You have at least two lawful bases for processing your clients' data - you have a contract with them and they have consented to your processing.

A key principle of GDPR is that you process personal data securely. Using a reputable third party to obtain client signatures seems entirely reasonable. You may need to amend your data protection policies to include this.

You express concern about email being hacked. You cannot be held responsible if your client's email is hacked - it's not really any different from someone breaking into their premises and stealing mail.

Thanks (1)
Share this content