GDPR – What You Need to Know


Disclaimer: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Lead Liaison has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on this document as legal advice, nor as a recommendation of any particular legal understanding.

GDPR Takes Effect on May 25 2018 in…


What is the GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

The full text of the GDPR can be found here.

Does the GDPR apply to you?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.

Changes to Lead Liaison

As we approach May 2018, Lead Liaison is focused on GDPR compliance efforts. During this implementation period for the Regulation, we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline. You’ll receive notifications of new functionality and changes to our Terms as required. We’ll also be updating this page with new advancements as we get closer to May 2018.

Product Changes

Our technical and security teams are currently hard at work making necessary changes to the Lead Liaison service to ensure we’re compliant by the May 2018 deadline and to help you meet your obligations under the GDPR to the extent that you use Lead Liaison to collect and store EU personal data. As we approach the May 2018 deadline, we’re taking steps to ensure that both we and our product are compliant with the GDPR in advance of the deadline, and recommend that those interested keep an eye on this page.

Legal Document Changes

Our Legal team is also busy ensuring our Terms of Service, Data Processing Agreement and Privacy Policy will be updated to reflect any product changes and to include the mandatory Processor provisions required by Article 28 of the GDPR.

Transfers Outside the EU

Lead Liaison maintains a Privacy Shield certification with the U.S. Department of Commerce which ensures that adequate safeguards are in place when we transfer personal data from the EU to the US. References to our Privacy Shield certification are included in our Privacy Policy. We also offer a Data Processing Agreement, which contains the EU approved Model Clauses, to certain EU/EEA based customers upon request. Since the rules regarding transfers of personal data abroad don’t change under the GDPR we’ve already got you covered!

Common Questions

Will double-opt-in be mandatory?

For those unfamiliar with this term, “double-opt-in” is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR is in fact silent on whether this form of consent is required. Recital 32 of the GDPR adds additional clarity on what consent means under the regulation and again, no express requirement for double-opt-in consent. Recital 32 states:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

At the time of writing, there is no official guidance from the Article 29 Working Group in the EU which suggests that this mechanism is mandatory under the GDPR. Lead Liaison will be keeping an eye on developments and advice in this area and will update this page in the event that any official guidance on this topic is issued by the EU.

Note that Lead Liaison has built in mechanisms to manage opt-in requests and configure subscription to Lists and Categories.

Will data now have to be stored in the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection (known as “white listed countries”), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on use of approved contractual provisions (e.g. the Model Clauses or Corporate Binding Rules) or one of the other alternative measures, provided for in Law, such as the Privacy Shield certification.

Note that Lead Liaison is Privacy Shield certified and also offers a Data Protection Agreement upon request.

Additional Resources