July 16, 2018
Legalesign has a new portal so customers can meet their obligations as data controllers under GDPR; it includes facilities to provide signers with access to their data, to ensure you stop processing a person’s data, to set data retention policies, and to delete personal data. This article is about how the portal provides you with the facilities to meet the rights of data subjects, and anyone who has signed your documents with an electronic signature.
The GDPR portal has its own set of users with individual permission levels. All group creators will get access to the portal automatically. We will expand the portal to provide organisation-wide features, such as the management of users and groups. For now, however, the focus is on GDPR.
Find the portal along the top navigation.
Right to be informed
You will have a set of data policies that you will need to inform the data subject (the signer) about. Legalesign provides for this right through the ability to add text at any point of contact you have with your data subject. Any email sent to a data subject, or online web page visited by them, has the facility so you can add this information.
Right of access
When a signer contacts you for access to the data you hold about them, you may be obliged to provide it. You can easily create a web page for your data subject that will list all the data you hold about them, draft and signed documents. The page is protected with a username and password, and an expiry date. You can take these data access pages offline at any time. A log is generated for any events in connection with the page.
Right to rectification
The e-signature application includes features to amend any data inputted by you. If you get a wrong email or name you can amend these immediately. But once a document is electronically signed, for obvious reasons, the details cannot be changed.
Right to erasure
Legalesign has extensive controls for document deletion. If a data subject (signer) requests you delete their data, and you need to comply, you can do this through the GDPR section of the application. A signed document may need to remain accessible for co-signers and so there are extra options for you to decide whether to keep the signed documents in those circumstances. Legalesign includes second-approver security, where any request to delete signer data needs at least two admin users to approve it.
Set data retention policies for the various documents you store on Legalesign. Policies can be set for a whole group, or if you need more fine-grained control, you can allow users to optionally set retention policies on a per-document basis. By default, as a precaution, when a document exceeds its retention policy the deletion will need a final manual approval by a user (users who are registered to the portal are alerted to this by email). But this can be changed to become automated if preferred.
Right to restrict processing
Enter any email in the stop processing list, and it will prevent any processing for that person. If anyone attempts to send a document for signature, either through the Send page or through Bulk Send, it will be prevented and the user attempting it will be alerted.
Right to data portability
All documents are available as PDFs to you and the data subject (see Right of access). We are working on general data exports/copying, such as to SharePoint. Please contact us for more information.
Right to object
We anticipate this being carried out by our customers for their data subjects. You can then use the GDPR portal to stop data processing, provide data access or erase data, as required. If someone visits Legalesign they can receive guidance on whether to contact us or the data controller through the Personal Data request form.
Right related to automated decision-making
There is no automated decision making within the Legalesign platform.
We continue to work on producing GDPR information and refining its features. If you need anything, please contact us.