More businesses than ever before have made the switch from traditional to electronic signatures, but this transition raises practical concerns. If your company handles sensitive data, how can you ensure you are taking every security precaution with electronic documents and eSigning?
This post will help you think through important considerations to ensure your eSignature solution and vendor help you handle sensitive data properly. You can also download our Ultimate Guide to Electronic Signatures for a deep dive into everything you need to know about eSigning.
What are examples of sensitive data that might be electronically signed?
- Data concerning health and personal information (healthcare, finance, HR)
- Genetic data (medical, life insurance)
- Trade union membership (HR)
- Political affiliation and opinions (government, public sector)
- Data concerning a person’s sexual orientation (healthcare, finance)
- Biometric data (applicable when using biometric signing methods)
Automatically generated insurance policies, digitally signed real estate contracts, digital patient onboarding at hospitals: all of these are real-life examples of how organizations are modernizing their paper-based processes with eSignatures. But industries that process personalized and sensitive data at a high volume must be very careful about how they handle this information.
Companies in the healthcare, legal, banking, insurance and government sectors process sensitive information daily. Document turnover happens nonstop, and every piece of personal and/or confidential information must be accounted for. Plus, not handling sensitive data carefully can result in severe penalties. For example, Europe’s comprehensive GDPR regulations went into effect in 2018, and well-publicized corporate data breaches have set companies back tremendously over the last decade.
Processing personal data requires special attention and diligence. Companies must take care to follow their industry guidelines when handling digital information. That goes for all types of digital document work, and eSigning is no exception.
5 Considerations for eSigning with Sensitive Data
Here are 5 things to keep in mind as you evaluate eSigning solutions and whether they will help you ensure sensitive information is managed properly.
1) Signer Identification
When sending a document out for an electronic signature, make sure access is granted only to the person whose signature you are requesting. Identify the sole signer(s) required for each document. Once the recipient has been determined, you can use secure online tools that offer identification services to keep the document in a specific person’s hands. Such tools include a national identity card, an identity scheme or a service that provides identification capabilities.
2) Consent Management
Certain categories of personal data may only be processed after receiving the explicit consent of the data subject. In these cases, make sure to collect the necessary opt-ins from your signers. Some eSigning solutions offer consent opt-in management tools, which allow data collectors to obtain consent from their recipients.
Additionally, you will need to be transparent about your processing activities and inform your data subjects in a proper manner. Choosing an eSigning solution that presents this information in a pop-up format before your recipients sign their documents can automate this process.
3) Data Retention Periods
Retention periods (how long personal data is stored) have become a hot topic in information security. When processing many documents with electronic signatures, it is very important to account for how long these documents are being stored and where they are archived afterwards.
Probably the most impactful decision to make is whether to choose a cloud or an on-premise solution for data storage. Cloud solutions will either store signed documents in the cloud or will offer API integrations that make it possible to connect the digital signature software with a DMS or other relevant software packages. If configuring API integrations, be sure to delete the signed documents from your provider’s servers as soon as signing is complete.
4) eSigning With Encryption
Encryption ensures the confidentiality of a document’s content and is therefore perhaps the most appropriate way to protect personal data. With encryption, only the authorized parties will have access to information sent their way. When encrypting information, it is important to cover data both at rest and in transit.
5) National Data Residency Laws & Legislation
It is crucial not to lose sight of the national legislation in place around data storage and transfer. Countries may issue specific legislation around particular types of data. For instance, France has taken extensive regulatory steps related to the processing of health data. Be aware of compliance regulations around transferring data between countries.
Nitro's eSign Security Measures
| Category | Measure | Description |
| --- | --- | --- |
| Identification of the Signer | Identification services | Identify the signer before giving access to documents by integrating our Identity Services into your eSignature environment |
| Data Protection by Design | Opt-in button | Include opt-in buttons to obtain necessary consents |
| Data Protection by Design | Consent management | Configure your own consent management policy |
| Data Protection by Design | Privacy policy | Include your tailor-made privacy policies within the signing process |
| Retention Periods | API integrations | Configure our APIs as needed to ensure signed documents are securely stored in your internal systems |
| Retention Periods | Auto deletion | Install auto-deletion to make sure documents aren't stored after they were signed |
| Encryption | Encryption | Documents (and the data included) are encrypted at rest and in transit |
| Cloud Services and Hosting Providers | Hosting | Hosted on Microsoft Azure, implementing numerous technical and organizational measures (ISO 27001 certified) to ensure adequate security. More information on Microsoft's Trust Center. |
| Cloud Services and Hosting Providers | HDS certification | Microsoft Azure is HDS certified |
| Cloud Services and Hosting Providers | On-premise | Microsoft Azure is HDS certified |
Ensure Sensitive Data Compliance with Nitro Sign
Nitro has one of the most secure and compliant eSigning solutions on the market. Nitro Sign Premium offers a superior user experience and efficiency, without compromising on security and data management.
Our platform offers industry and country-specific certifications as well as global legal compliance as recently verified by DLA Piper.
If you have specific requirements or security concerns about your eSignature solution, or would like to see how Nitro Sign makes compliance effortless, reach out to schedule a demo.