GDPR – What You Need to Know
What is the GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation which replaces the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations that collect or process personal data. It was implemented on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.
Does the GDPR apply to you?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it also applies to non-EU businesses that (a) market their products to people in the EU or (b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR applies to you.
Lead Liaison now hosts a suite of features that help companies satisfy many data privacy requirements set forth by the European Union’s (EU) General Data Protection Regulation (GDPR). Keep in mind that your company doesn’t have to be based in the EU. If your company markets products or services to residents/citizens in the EU, then you’ll benefit from some or all of these new features. View those features here.
Legal Document Changes
The following documents were already in existence or have been updated to fully comply with GDPR regulations.
Security & Policy Document Updates
- Data Architecture, Privacy, and Security Policy document
- Infrastructure and Sub-Processors for the Lead Liaison Services document
- Lead Liaison Notices and License Information
Is double-opt-in mandatory?
For those unfamiliar with this term, “double-opt-in” is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR is in fact silent on whether this form of consent is required. Recital 32 of the GDPR adds clarity on what consent means under the regulation and, again, contains no express requirement for double-opt-in consent. Recital 32 states:
At the time of writing, there is no official guidance from the Article 29 Working Group in the EU which suggests that this mechanism is mandatory under the GDPR. Lead Liaison will be keeping an eye on developments and advice in this area and will update this page in the event that any official guidance on this topic is issued by the EU.
Note that Lead Liaison has built-in mechanisms to manage opt-in requests and configure subscription to Lists and Categories.
Transfers Outside the EU
Will data now have to be stored in the EU?
No. There is no obligation under the GDPR for data to be stored in the EU, and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad. For example, the EU has prepared a list of countries which it deems to provide an adequate standard of protection (known as “white listed countries”), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on the use of approved contractual provisions (e.g. the Model Clauses or Corporate Binding Rules) or one of the other alternative measures provided for in law, such as the Privacy Shield certification.
Note that Lead Liaison is Privacy Shield certified and also offers a Data Protection Agreement upon request.