If there is one global trend that is playing a significant role in the way companies have been forced to do business in the past few years, it is the enactment of privacy legislation such as GDPR, which came into effect in 2018 and applies to the data of citizens of the EU, no matter where in the world it is processed and POPIA in the South African context.

If there is one global trend that is playing a significant role in the way companies have been forced to do business in the past few years, it is the enactment of privacy legislation such as GDPR, which came into effect in 2018 and applies to the data of citizens of the EU, no matter where in the world it is processed and POPIA in the South African context.

The reason why these pieces of legislation have such a large impact, is because the apply to all businesses, whether you have one customer or many. They also force businesses to take a hard look at how they operate and exactly what they do with the Personal Information of their customers. Businesses have been forced to look for technologies and tools to help them comply with these pieces of legislation and in such an exercise it will soon become apparent that there is no single tool that can assist with the entire compliance process.

In order to do a proper analysis of tools, one must understand the principles laid down by legislation. Since POPIA and GDPR will apply to many South African companies, this White Paper will first do a high-level comparison between the principles of the two pieces of legislation to point out the similarities and then discuss how digital signing and the use of the SigningHub tool can assist with POPIA and GDPR compliance.

The table below includes the POPIA principles and their equivalents under GDPR to point out the similarities in terms of these pieces of legislation.

As you can see from the above list, the principles of the two pieces of legislation are very similar, with POPIA having eight and GDPR, six. While the descriptions in the pieces of legislation may be somewhat different and while the scope of GDPR is wider than that of POPIA in certain instances these principles are fairly similar in what they seek to achieve.

This document does not go into full detail of each of the principles but will focus on those where digital signatures and the SigningHub application can play a definite role.

Under the Information Quality principle, POPIA requires the Responsible Party (this is the party who decides what to do with the Personal Information) to take reasonable steps to ensure that the Personal Information is complete, accurate, not misleading and up to date.

Under the Accuracy principle, GDPR requires the Controller (again, this the party who decides what to do with the Personal Data) to take reasonable steps to ensure the accuracy of the Personal Data, to ensure that the source and status of the data is clear, consider any challenges to the accuracy of the information and to update the information.

These two similar principles provide the first instance where documents signed with digital signatures provide assistance with compliance. The application of a digital signature or an advanced electronic signature requires an identity verification process of the person applying the signature.

This process requires that some form of identity document, such an identity card or passport be used to identify the individual to whom the signature is issued. In certain cases, a face-to-face identification process is even required.

This provides certainty as to the identity of the user of the digital signature. It is also called non-repudiation in that the person who uses the signature cannot deny their usage of it. So, the first benefit of digital signatures in terms of POPIA and GDPR is that it clearly defines who the data subject is.

Figure 1 - a digitally signed document that can be relied on for purposes of POPIA and GDPR.

Figure 2 – a digitally signed document that has been tampered with will indicate that the data Integrity is not intact anymore and cannot be relied on for purposes of POPIA and GDPR.

The second POPIA principle where digitally signed documents can be used to assist with compliance is Security Safeguards. Under this principle organisations are required to secure the integrity and confidentiality of Personal Information.

The equivalent GDPR principle is Integrity and confidentiality and requires that Personal Data is processed securely by appropriate technical and organisational measures.

One can immediately draw the parallels to digital signatures, in that a digitally signed document provides more security than one that is not digitally signed. As per the above example, it is easy to see when a document has been tampered with and if that document contains Personal Information, the digital signature provides the security that one needs to know whether the document can be trusted or not.

Finally, not necessarily defined as a principle, but as a fundamental concept in most data privacy legislation, we have the concept of consent, and more specifically express consent. This concept requires that in the absence of another reasonable ground for the processing of Personal Information, the Data Subject (the person whose Personal Information is being processed) must provide express consent for such processing.

In POPIA specifically, consent is one of the most important facets of the Act and it requires that informed consent must be given freely and willingly, and any Responsible Party will have a duty to be able to demonstrate that such consent was given.

This is probably the best use case for digital signatures under POPIA, because, as per the examples above, one can create consent forms that require a digital signature. The digital signature of an identified person on a consent form, will prove several things, namely:

If one could show the Information Regulator (the agency in South Africa responsible for POPIA compliance and enforcement) or a data subject that disputes that they provided consent that consent was obtained in this fashion, it will serve as almost irrefutable evidence of the request for and provision of consent.

Next we will look at the specific role that the SigningHub application can play in POPIA and GDPR compliance.

Through using the SigningHub application a very comprehensive audit trail is created for every document that is signed. It tracks the document from first upload and thereafter logs and independently timestamps every single action taken on that document until final download, which provides a great source of evidence for proving data integrity and accuracy.

All these security measures will ensure that where SigningHub is used to sing documents, these documents will meet the security safeguards or data security requirements of POPIA and GDPR, as these standards meet the current requirements for generally accepted information security protocols as required by both pieces of legislation.

A third POPIA and equivalent GDPR principle where SigningHub can aid with compliance is Further Processing Limitation or Purpose Limitation. In terms of these principles Personal Information may only be processed for the declared purpose and any further processing must be in line with that initial reason. The problem that many organisations will face is that once a document has been shared by its author, they have no control over what happens to that document or who will share it further on.

Through its workflow process, SigningHub can control who can access a document and what they can do with that document. It has the ability to prevent copying, downloading or printing by parties that should not have those rights and additionally because the workflow is controlled, only the relevant parties will be able to access the document, until it is finally saved in the a document management system where other rights management and data loss prevention tools can take over.

The above provides an example of some of the features and capabilities of digital signatures and the SigningHub application and how they can assist organisations in their POPIA and GDPR compliance processes. As stated in the introduction to this document there is no single tool that can ensure complete POPIA and GDPR compliance and SigningHub is just one tool in the arsenal of an organisation that can assist with compliance.