This post will help you think through important considerations to ensure your eSignature solution and vendor help you handle sensitive data properly. You can also download our Ultimate Guide to Electronic Signatures for a deep dive into everything you need to know about eSigning.
What are examples of sensitive data that might be electronically signed?
- Data concerning health and personal information (healthcare, finance, HR)
- Genetic data (medical, life insurance)
- Trade union membership (HR)
- Political affiliation and opinions (government, public sector)
- Data concerning a person’s sexual orientation (healthcare, finance)
- Biometric data (applicable when using biometric signing methods)
Companies in the healthcare, legal, banking, insurance, and government sectors process sensitive information daily. Document turnover happens nonstop, and every piece of personal and/or confidential information must be accounted for. Plus, not handling sensitive data carefully can result in severe penalties. For example, Europe’s comprehensive GDPR regulations went into effect in 2018, and well-publicized corporate data breaches have set companies back tremendously over the last decade.
Processing personal data requires special attention and diligence. Companies must take care to follow their industry guidelines when handling digital information. That goes for all types of digital document work, and eSigning is no exception.
5 Considerations for eSigning with Sensitive Data
Here are 5 things to keep in mind as you evaluate eSigning solutions and whether they will help you ensure sensitive information is managed properly.1) Signer Identification
When sending a document out for an electronic signature, make sure access is only granted to the person whose signature you are requesting. Identify the sole signer(s) required for each document. Once the recipient has been determined, you can use secure online tools that offer identification services to keep the document in a specific person’s hands. Such tools can be something like a national identity card, an identity scheme or a service that provides identification abilities.2) Consent Management
Certain categories of personal data may only be processed after receiving the explicit consent of the data subject. In these cases, make sure to collect the necessary opt-ins from your signers. Some eSigning solutions offer consent opt-in management tools, which allow data collectors to obtain consent from their recipients.Additionally, you will need to be transparent about your processing activities and inform your data subjects in a proper manner. Choosing an eSigning solution that presents this information in a pop-up format before your recipients sign their documents can automate this process.
3) Data Retention Periods
Retention periods (how long personal data is stored) have become a hot topic in information security. When processing many documents with electronic signatures, it is very important to account for how long these documents are being stored and where they are archived afterwards.Probably the most impactful decision to make is whether to choose a cloud or an on-premise solution for data storage. Cloud solutions will either store signed documents in the cloud or will offer API integrations that make it possible to connect the digital signature software with a DMS or other relevant software packages. If configuring API integrations, be sure to delete the signed documents from your provider’s servers as soon as signing is complete.
4) eSigning With Encryption
Encryption ensures the confidentiality of a document’s content and therefore is perhaps the most adequate way to ensure safety of personal data. With encryption, only the authorized parties will have access to information sent their way. When encrypting information, it is important to consider the data at rest and transit as well.5) National Data Residency Laws & Legislation
It is crucial not to lose sight of the national legislation in place around data storage and transfer. Countries may issue specific legislation around particular types of data. For instance, France has taken extensive regulatory steps related to the processing of health data. Be aware of compliance regulations around transferring data between countries.| Nitro's eSign Security Measures | ||
| Identification of the Signer | ||
| Identification services |  |
Identify the signer before giving access to documents by integrating our Identity Services into your eSignature environment |
| Data Protection by Design | ||
| Opt-in button | |
Include opt-in buttons to obtain necessary consents |
| Consent management | |
Configure your own consent management policy |
| Privacy policy | |
Include your tailor-made privacy policies within the signing process |
| Retention Periods | ||
| API integrations | |
Configure our APIs as needed to ensure signed documents are securely stored in your internal systems |
| Auto deletion | |
Install auto-deletion to make sure documents aren't stored after they were signed |
| Encryption | ||
| Encryption | |
Documents (and the data included) are encrypted at rest and in transit |
