
Consent and the GDPR: An Essential Guide

Everyone is talking about the General Data Protection Regulation, and what it means for business. Widely reported to be one of the most heavily-lobbied pieces of European Union legislation ever, the GDPR will go into effect next year introducing a number of compliance challenges that businesses will need to overcome.

This paper discusses some of the challenges that the GDPR will introduce, with a particular focus on its requirements for obtaining verifiable, unambiguous consent. It explores what businesses will need to do to obtain valid consents from individuals, and how third-party tools can help address these requirements.

What is the GDPR?


In May next year, the European Union’s comprehensive new data protection law – the General Data Protection Regulation (or “GDPR”) – will come into effect, being the most significant legal development in EU data protection in over 20 years.

The GDPR is a root and branch reform of Europe’s existing data protection framework, the EU Data Protection Directive (Directive 95/46/EC). While many of the core principles remain the same, including the need for fairness, transparency, lawfulness of processing, and data security, the GDPR places a significant new emphasis on accountability. In other words, the GDPR expects businesses not only to comply with EU data protection requirements, but also to be able to demonstrate their compliance.

The need for accountability is highlighted at many different points throughout the GDPR, including through requirements for auditable consents, ‘Privacy by Design’ and ‘Data Protection Impact Assessment’ measures, data security breach reporting, and, in certain cases, Data Protection Officer appointments for monitoring business compliance with the GDPR and reporting data protection issues to the highest levels of management.
WHITEPAPER

Businesses that do not rise to this compliance challenge do so at their peril. The GDPR contains significant penalties for non-compliance, including potential fines from regulatory authorities of up to four per cent (4%) of annual worldwide turnover. Regulators also get new powers to audit businesses to assess their compliance, and the GDPR raises the prospect of class-action style lawsuits brought by consumer advocacy groups on behalf of impacted consumers.

More important, though, is that businesses that do not fully engage with the GDPR will miss the opportunity to build trust and better relationships with their customers. In an age of Big Data, 24/7 connectedness and ever-present surveillance, customers’ demands for data privacy are greater than ever before. The most enlightened businesses will recognise this and grasp the GDPR compliance nettle with vigilance.

The impacts of the GDPR on businesses

There has been a lot of press about the GDPR, both inside and outside of Europe. In part, this is undoubtedly attributable to the eye-watering penalties that the GDPR introduces. There is another reason though: the territorial reach of the GDPR. The current EU data protection framework under the EU Data Protection Directive applies to businesses only if they are either established in the EU (i.e. have a subsidiary or a branch office in the EU) or use data processing equipment in the EU (i.e. EU-based servers).

The GDPR takes a different approach though, significantly expanding the territorial reach of EU data protection requirements. Like the current EU Data Protection Directive, it applies to any business that is established in Europe. However, in addition, it applies to any business worldwide which:

• offers goods or services (including free goods and services) to individuals in the European Union (effectively any business that targets EU countries as a market); or
• monitors the behaviour of individuals in the European Union (for example, through the use of ad tech or analytics technologies).

The net effect of this is that a number of global businesses that were not previously within the scope of European data protection rules will be caught by the GDPR and expected to comply with its requirements from May 2018.

This includes businesses established in the UK. While the UK has voted to leave the European Union, it will not do so before the GDPR comes into effect. This means that all UK businesses will be required to comply with the GDPR prior to Brexit. Even when the UK leaves the EU, any UK business which continues to offer goods or services into EU markets, or which otherwise monitors the behaviour of individuals in the European Union, will need to comply with the GDPR. The UK government has also announced that it will introduce its own GDPR-style legislation into UK law too, meaning that many of the GDPR’s requirements will be replicated into UK law in any event.

Ultimately, wherever you are based, if you are looking to do business in the EU then GDPR compliance will be essential.

The changes to consent

One of the most talked about aspects of the GDPR is the changes it will introduce to the requirements for obtaining valid consent. Under the current Data Protection Directive, an individual’s

consent must be “freely given, specific and informed”. The GDPR amends this requirement to add that consent must now also be “unambiguous”. Within the introductory recitals to the GDPR, it explains that “consent should be given by a clear affirmative act … such as by a written statement, including by electronic means, or an oral statement… Silence, pre-ticked boxes or inactivity should not therefore constitute consent” (Recital 32).

While consent is not always required to collect and use an individual’s personal information, in many cases it will be. This may be the case, for example, when seeking to use an individual’s sensitive personal information (such as information about their health), to send e-marketing, or when seeking to share personal information with independent third parties for their own commercial purposes. In these cases, it is apparent that consent will often be required and must be unambiguous.

Consistent with its emphasis on accountability, obtaining unambiguous consent alone is not sufficient. The GDPR also requires that consent be verifiable (Art. 7(1)) – in other words, the business must be able to prove that it obtained the individual’s consent. The net effect of this is to require businesses to maintain consent records that can be checked to verify (i) that the individual has consented, (ii) what they consented to, and (iii) when they consented.

Finally, a consent would not be a true consent if individuals were unable to change their minds and withdraw it at a later date. The GDPR recognises this, and notes that an individual “shall have the right to withdraw his or her consent at any time… It shall be as easy to withdraw consent as to give consent” (Art 7(4)). If an individual wishes to withdraw consent, he or she must be able to, and the business must cease any processing activities it conducted based on that consent.

Fundamentally, consent is about putting your customers in control; enabling them to make choices about how and why their personal information will be used. Customers who feel in control of the data a business uses about them are likely to have higher levels of trust in that business – in turn, likely encouraging repeat customers and growth into use of other products and services that the business offers.

GDPR consent use cases

Where do businesses face consent challenges? These commonly arise in a few different scenarios:

• Marketing / Sales – European (and other worldwide) anti-spam laws impose consent requirements on businesses when they collect and share individuals’ personal information for e-marketing purposes.
• HR – While consent is not required for many uses of employee data, consent issues often still arise in many HR contexts. For example, when collecting consent from applicants to process the information they have submitted when applying for a role, or when collecting sensitive data from employees for the provision of employee benefits (such as health insurance).
• Healthcare – Businesses and healthcare organisations that collect personal information from individuals for the purpose of medical studies and clinical trials are typically required to obtain informed consent from their participants.
• Online – Europe has strict rules governing the use of cookies and similar tracking technologies and, in general, individuals must consent to the use of these technologies.

By no means exhaustive, the above are just a few example scenarios where the need to obtain robust, verifiable consents arises.
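The three record elements above (who consented, what they consented to, when), the Recital 32 rule that silence or a pre-ticked box is not consent, and the requirement that withdrawal be as easy as giving consent, as an added example that is not from the paper or from any DocuSign or Fieldfisher product: a minimal append-only consent ledger in Python. The class and method names, the "subject-42" and "e-marketing" sample values, and the SHA-256 hash chain used to make the trail tamper-evident are all constructed for illustration; the paper prescribes none of them.

```python
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import List, Optional
import hashlib
import json


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # (i) who consented or withdrew
    purpose: str      # (ii) what they consented to, e.g. "e-marketing"
    action: str       # "given" or "withdrawn"
    evidence: str     # the affirmative act, e.g. "ticked opt-in checkbox"
    recorded_at: str  # (iii) when, ISO-8601 in UTC
    prev_hash: str    # hash of the previous event: makes the trail tamper-evident
    hash: str         # SHA-256 over every other field of this event


class ConsentLedger:
    # Recital 32: silence, pre-ticked boxes and inactivity are not consent.
    NOT_AFFIRMATIVE = {"silence", "pre-ticked box", "inactivity"}

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, subject_id: str, purpose: str, action: str,
                evidence: str, now: Optional[datetime]) -> ConsentEvent:
        now = now or datetime.now(timezone.utc)
        prev = self._events[-1].hash if self._events else "0" * 64
        body = {"subject_id": subject_id, "purpose": purpose, "action": action,
                "evidence": evidence, "recorded_at": now.isoformat(), "prev_hash": prev}
        self._events.append(ConsentEvent(**body, hash=self._digest(body)))
        return self._events[-1]

    def give(self, subject_id: str, purpose: str, evidence: str,
             now: Optional[datetime] = None) -> ConsentEvent:
        # Record consent only when it was a clear affirmative act.
        if evidence.strip().lower() in self.NOT_AFFIRMATIVE:
            raise ValueError(f"{evidence!r} does not constitute consent")
        return self._append(subject_id, purpose, "given", evidence, now)

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> ConsentEvent:
        """Withdrawing takes nothing more than the request (as easy as giving)."""
        return self._append(subject_id, purpose, "withdrawn", "withdrawal request", now)

    def may_process(self, subject_id: str, purpose: str) -> bool:
        # Processing is covered only while the latest event for this pair is "given".
        hist = [e for e in self._events if (e.subject_id, e.purpose) == (subject_id, purpose)]
        return bool(hist) and hist[-1].action == "given"

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or deleted event breaks the chain."""
        prev = "0" * 64
        for e in self._events:
            body = asdict(e)
            if e.prev_hash != prev or body.pop("hash") != self._digest(body):
                return False
            prev = e.hash
        return True
```

`may_process` is the check a downstream system (a mailing job, a CRM sync) would call before using the data, and `verify_chain` is what an auditor would run over the exported trail.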
Keeping verifiable records for vendor procurement

A further common challenge is in procurement. The GDPR mandates that businesses must include certain data protection terms in their contracts with vendors. This will require most organisations to undergo a significant re-procurement exercise with legacy vendors to move them across to new, GDPR-compliant, data protection terms, while at the same time ensuring their future vendors are also signed up to GDPR-compliant terms.

This is an additional, important scenario where businesses need to capture verifiable records for their accountability purposes – i.e. that their vendors have signed up to GDPR-compliant terms.

The challenge for many organisations is that their back-end systems typically do not record the level of information necessary
to verify that a valid, unambiguous consent or contractual acceptance was obtained. Faced with this challenge, they then need to choose between investing considerable time and cost to re-engineer their systems – or they can look to a third-party solution that will do this for them.

How digital technology can be part of a consent solution

The regulation provides a unique forcing function for businesses to not only upgrade from outdated processes, but also to improve efficiency and customer satisfaction. Digital tools can enhance an organisation’s ability to comply with the GDPR consent requirements by allowing them to obtain affirmative opt-in where required and to display relevant notices in real-time, while personal data is being collected. Electronic systems can offer this in a user-friendly manner and allow businesses to report on the activity.

By ensuring the right systems are in place to manage the consent process, it can be made a quick, effortless process for all involved. Customers can opt-in from their mobile devices wherever they are, and businesses have a digital audit trail to demonstrate they’ve taken the appropriate measures in line with the GDPR. Customers are reassured that the vendor is compliant as a business, and they can provide consent without having to sacrifice a simple, user-friendly experience to do so.

Electronic signature (or “e-signature”) is one such technology that allows organisations to demonstrate and manage consent. E-signature solutions can generate the relevant consent forms, facilitate quick and easy data capture, and offer the ability to attach supplementary documents that give consent to specific processing activities.

Once consent is given, each transaction generates its own audit trail and provides a specific, documented proof that permission to use the data has been given. All the information associated with the data, such as when the consent was issued and what was stated in relation to how it can be used, will be accounted for. Existing systems, such as a CRM, can be automatically updated with this new information.

Beyond adherence to the GDPR, this landmark offers an opportunity to embark on digital transformation that improves the customer experience. Essentially, regulatory and digital success will depend on how businesses marry their process improvements with the selection of third parties that can facilitate the requirements businesses cannot support themselves.

What to look for in a solution to solve consent challenges

When looking for a solution to solve consent challenges, it is important to review and analyse how third-parties approach a broad range of considerations under the GDPR. Data protection is the foundation of the regulation, so the transition requires the help of technology partners who prioritise the privacy and security of their customers’ data, meeting European and international security standards.

The highest level of certification available, ISO 27001:2013, assures global information security and should apply across data centres, digital platforms and operations. Providers should also be able to offer confirmation of information security controls, such as SOC 1 Type 2, which requires a third-party service auditor to review and examine the organisation’s operations over a set period of time. SOC 2 Type 2 is another information security control which validates that the provider’s technology meets the criteria for security, availability and confidentiality, is protected against unauthorised physical and logical access, and is available for operation and use.

Trust doesn’t end with the transaction being complete, so the technology employed ought to provide copies of the transaction to all parties. A comprehensive digital audit trail enables stakeholders to see exactly who did what, when and where, which will mitigate risk for your business by allowing it to provide a record of consent to comply with the GDPR.


As the GDPR applies to companies with global operations, a reputable solution will enable businesses to automate and manage entire digital workflows while staying compliant with local and industry standards. DocuSign, for example, offers all of the signature types defined under the eIDAS regulation, including EU Advanced and EU Qualified cloud signatures. To that extent, it is advisable that the technology provider has offices and data centres across the world, to meet global needs.

Each business has unique consent requirements, so the solution should have the flexibility to plug into a company’s current environment, by using pre-built integrations with existing software, or custom connections. In the latter case, highly-configurable REST and SOAP APIs are necessary to capture, store and manage data.

Finally, the ideal solution will deliver all of this with a slick user experience. Robust workflows with easy-to-use document templates will automate the process for businesses sending consent forms. For end users, the solution should have the ability to capture data and a signature simultaneously, anytime, anywhere from any device, so consent can be provided quickly and without hassle.

Conclusion

The GDPR is unquestionably a transformative milestone in European data protection law-making whose reach will be felt far and wide. While it presents many compliance challenges, the GDPR also presents significant opportunities for forward-thinking organisations: opportunities to enhance organisational data hygiene; opportunities to embed and benefit from strong data governance mechanisms; and, most importantly, opportunities to grow consumer trust and relationships.

Nevertheless, the scope of the GDPR’s compliance requirements may at times seem daunting. To that end, any organisation looking to implement the GDPR at scale is well-advised to consider the array of digital technologies that can aid its compliance – from digital toolkits that assist with data mapping and privacy impact assessments, to cloud-based platforms that assist with ongoing GDPR compliance management.

Accountability is at the very heart of the GDPR, and having robust measures to capture, record and evidence consent, where legally required, will be vital. This paper has outlined how DocuSign’s technologies can help organisations to rise to this challenge.

Ultimately, the GDPR aims to reform European data protection laws so that they are fit to regulate 21st century technologies. In turn, organisations now need to use technology solutions that will help them be fit for 21st century data protection compliance.

About Fieldfisher

Fieldfisher is a European law firm with market leading practices in many of the world’s most dynamic sectors and a particular focus on technology, finance & financial services, energy & natural resources, life sciences and media. We have more than 1000 people working across 16 offices providing highly commercial advice based on an in-depth understanding of our clients’ needs. We operate across our offices in Amsterdam, Beijing, Birmingham, Bologna, Brussels, Düsseldorf, Hamburg, London, Manchester, Munich, Milan, Paris, Rome, Shanghai, Turin, Venice and Silicon Valley. For more information, visit www.fieldfisher.com.

About DocuSign

As the pioneer and global standard for Digital Transaction Management (DTM) and eSignature, DocuSign® is changing how business gets done by empowering more than 300,000 companies and more than 200 million users in 188 countries to send, sign and manage agreements digitally. DocuSign eliminates printing, faxing, scanning and overnighting paper documents to transact business online quickly, easily and securely—anytime, anywhere, on any device—with trust and confidence. DocuSign enables individuals and organisations of every size, industry and geography to make every agreement digital to keep life and business moving forward.

To find out how DocuSign is preparing for the GDPR and how e-signatures can help businesses obtain consent, visit www.docusign.co.uk/learn-gdpr-basics or contact +44 203 417 4800.
About DocuSign

DocuSign® is changing how business gets done by empowering anyone to send, sign and manage documents anytime, anywhere, on any device with trust and confidence. DocuSign and Go to keep life and business moving forward.

For U.S. inquiries: toll free 866.219.4318 | DocuSign.com
For EMEA inquiries: phone +44 203 714 4800 | email: emea@docusign.com | docusign.co.uk
For APAC inquiries: phone +61 2 9392 1998 | email: apac@docusign.com | docusign.com.au
Copyright © 2003-2017 DocuSign, Inc. All rights reserved. DocuSign, the DocuSign logo, “The Global Standard for Digital Transaction Management”, “Close it in the Cloud”, SecureFields, Stick-eTabs, PowerForms, “The fastest way to get a signature”, The No-Paper logo, Smart Envelopes, SmartNav, “DocuSign It!”, “The World Works Better with DocuSign” and ForceFields are trademarks or registered trademarks of DocuSign, Inc. in the United States and or other countries. All other trademarks and registered trademarks are the property of their respective holders.
