Digital signatures with SigningHub

The role of SigningHub and digital signatures in POPIA and GDPR compliance

If there is one global trend that is playing a significant role in the way companies have been forced to do business in the past few years, it is the enactment of privacy legislation such as GDPR, which came into effect in 2018 and applies to the data of citizens of the EU, no matter where in the world it is processed and POPIA in the South African context.

The reason why these pieces of legislation have such a large impact, is because the apply to all businesses, whether you have one customer or many. They also force businesses to take a hard look at how they operate and exactly what they do with the Personal Information of their customers.  Businesses have been forced to look for technologies and tools to help them comply with these pieces of legislation and in such an exercise it will soon become apparent that there is no single tool that can assist with the entire compliance process.

In order to do a proper analysis of tools, one must understand the principles laid down by legislation. Since POPIA and GDPR will apply to many South African companies, this White Paper will first do a high-level comparison between the principles of the two pieces of legislation to point out the similarities and then discuss how digital signing and the use of the SigningHub tool can assist with POPIA and GDPR compliance.

The table below includes the POPIA principles and their equivalents under GDPR to point out the similarities in terms of these pieces of legislation.

POPIA

GDPR

Accountability

Accountability

Processing Limitation

Data Minimisation

Purpose Specification

Purpose Limitation

Further Processing Limitation

Purpose Limitation

Information Quality

Accuracy

Openness

Fair, Lawful and Transparent Processing

Security Safeguards

Integrity and confidentiality

Data Subject Participation

Fair, Lawful and Transparent Processing

Table 1. Comparison between POPIA and GDPR Principles

As you can see from the above list, the principles of the two pieces of legislation are very similar, with POPIA having eight and GDPR, six. While the descriptions in the pieces of legislation may be somewhat different and while the scope of GDPR is wider than that of POPIA in certain instances these principles are fairly similar in what they seek to achieve.

This document does not go into full detail of each of the principles but will focus on those where digital signatures and the SigningHub application can play a definite role.

The role of digital signature in POPIA / GDPR compliance

Under the Information Quality principle, POPIA requires the Responsible Party (this is the party who decides what to do with the Personal Information) to take reasonable steps to ensure that the Personal Information is complete, accurate, not misleading and up to date.

Under the Accuracy principle, GDPR requires the Controller (again, this the party who decides what to do with the Personal Data) to take reasonable steps to ensure the accuracy of the Personal Data, to ensure that the source and status of the data is clear, consider any challenges to the accuracy of the information and to update the information.

These two similar principles provide the first instance where documents signed with digital signatures provide assistance with compliance. The application of a digital signature or an advanced electronic signature requires an identity verification process of the person applying the signature.

This process requires that some form of identity document, such an identity card or passport be used to identify the individual to whom the signature is issued. In certain cases, a face-to-face identification process is even required.

This provides certainty as to the identity of the user of the digital signature. It is also called non-repudiation in that the person who uses the signature cannot deny their usage of it. So, the first benefit of digital signatures in terms of POPIA and GDPR is that it clearly defines who the data subject is.

The second benefit of the digital signature is data integrity. Any document that is signed with a digital or advanced electronic signature, has a digital certificate attached to it that ‘locks’ the document. This means that if the content in the document is tampered with in any way, any standard PDF reader will indicate that the document has been tampered with and cannot be trusted. This provides the reader with enough information to determine whether the contents of the document are accurate or not. The two figures below indicate how the standard, free Adobe PDF reader will indicate whether a document’s data integrity is intact or not.  The first one has not been tampered with and the second has been tampered with.

Adobe Reader displays message that digital signature is valid.
Figure 1 - a digitally signed document that can be relied on for purposes of POPIA and GDPR.

Adobe Reader displays error message for tampered document
Figure 2 – a digitally signed document that has been tampered with will indicate that the data Integrity is not intact anymore and cannot be relied on for purposes of POPIA and GDPR.

The second POPIA principle where digitally signed documents can be used to assist with compliance is Security Safeguards. Under this principle organisations are required to secure the integrity and confidentiality of Personal Information.

The equivalent GDPR principle is Integrity and confidentiality and requires that Personal Data is processed securely by appropriate technical and organisational measures.

One can immediately draw the parallels to digital signatures, in that a digitally signed document provides more security than one that is not digitally signed. As per the above example, it is easy to see when a document has been tampered with and if that document contains Personal Information, the digital signature provides the security that one needs to know whether the document can be trusted or not. 

Finally, not necessarily defined as a principle, but as a fundamental concept in most data privacy legislation, we have the concept of consent, and more specifically express consent. This concept requires that in the absence of another reasonable ground for the processing of Personal Information, the Data Subject (the person whose Personal Information is being processed) must provide express consent for such processing.

In POPIA specifically, consent is one of the most important facets of the Act and it requires that informed consent must be given freely and willingly, and any Responsible Party will have a duty to be able to demonstrate that such consent was given.

This is probably the best use case for digital signatures under POPIA, because, as per the examples above, one can create consent forms that require a digital signature. The digital signature of an identified person on a consent form, will prove several things, namely:

  • That the person is who they claimed to be (because of the identity verification process)
  • That the request for consent was provided to the person (the PDF document is the proof)
  • That the person agreed to provide consent (the digital or advanced electronic signature provides that evidence).
  • The digital signature will show invalid if the document was altered in any way so if a person did not provide consent and someone tried to change that status, the document itself will show that it cannot be trusted.
  • The long-term validation of digital signatures will show that the person signed the document, many years after the consent was initially obtained.

If one could show the Information Regulator (the agency in South Africa responsible for POPIA compliance and enforcement) or a data subject that disputes that they provided consent that consent was obtained in this fashion, it will serve as almost irrefutable evidence of the request for and provision of consent.

Next we will look at the specific role that the SigningHub application can play in POPIA and GDPR compliance.

The role of SigningHub in POPIA / GDPR compliance

Next we turn to the role of the SigningHub application itself in assisting organisations with their POPIA and GDPR compliance duties.  The first comparable principles one is again drawn to is information quality or accuracy.

Through using the SigningHub application a very comprehensive audit trail is created for every document that is signed.  It tracks the document from first upload and thereafter logs and independently timestamps every single action taken on that document until final download, which provides a great source of evidence for proving data integrity and accuracy.

In addition, SigningHub is a secure application that makes use of TLS encryption to access the portal. Document signing can also be set to be completed through two or more factors of authentication, ensuring that only the intended recipient of the document can sign the document. Documents that are stored in SigningHub (even though its main purpose is not to act as a document repository) are also stored securely making use of AES 256-bit encryption.

All these security measures will ensure that where SigningHub is used to sing documents, these documents will meet the security safeguards or data security requirements of POPIA and GDPR, as these standards meet the current requirements for generally accepted information security protocols as required by both pieces of legislation.

A third POPIA and equivalent GDPR principle where SigningHub can aid with compliance is Further Processing Limitation or Purpose Limitation. In terms of these principles Personal Information may only be processed for the declared purpose and any further processing must be in line with that initial reason. The problem that many organisations will face is that once a document has been shared by its author, they have no control over what happens to that document or who will share it further on.

Through its workflow process, SigningHub can control who can access a document and what they can do with that document. It has the ability to prevent copying, downloading or printing by parties that should not have those rights and additionally because the workflow is controlled, only the relevant parties will be able to access the document, until it is finally saved in the a document management system where other rights management and data loss prevention tools can take over.

The above provides an example of some of the features and capabilities of digital signatures and the SigningHub application and how they can assist organisations in their POPIA and GDPR compliance processes. As stated in the introduction to this document there is no single tool that can ensure complete POPIA and GDPR compliance and SigningHub is just one tool in the arsenal of an organisation that can assist with compliance.

It is also important to look at tools that can assist with data and email encryption as part of compliance. For more information about digital signatures, SigningHub or data and email encryption tools, visit www.lawtrust.co.za or send an email to info@lawtrust.co.za