GDPR – What You Need to Know
What is the GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation that replaces the 1995 EU Data Protection Directive (DPD). It significantly enhances the protection of the personal data of EU citizens and increases the obligations on organisations that collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions that bolster the rights of data subjects and impose harsher penalties for violations.
Does the GDPR apply to you?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider: it will also apply to non-EU businesses that a) market their products to people in the EU or b) monitor the behaviour of people in the EU. In other words, even if you’re based outside the EU, if you control or process the data of EU citizens, the GDPR will apply to you.
Changes to Lead Liaison
As we approach May 2018, Lead Liaison is focused on GDPR compliance efforts. During this implementation period for the Regulation, we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle customer data in compliance with applicable law by the 2018 deadline. You’ll receive notifications of new functionality and changes to our Terms as required. We’ll also be updating this page with new advancements as we get closer to May 2018.
Our technical and security teams are currently hard at work making the necessary changes to the Lead Liaison service to ensure we’re compliant by the May 2018 deadline and to help you meet your own obligations under the GDPR to the extent that you use Lead Liaison to collect and store EU personal data. We’re taking steps to ensure that both we and our product are compliant with the GDPR in advance of the deadline, and recommend that those interested keep an eye on this page.
Will double-opt-in be mandatory?
For those unfamiliar with this term, “double-opt-in” is a 2-step mechanism in which a person must confirm their email address after initially signing up. The GDPR is in fact silent on whether this form of consent is required. Recital 32 of the GDPR adds clarity on what consent means under the regulation and, again, contains no express requirement for double-opt-in consent. Recital 32 states:
At the time of writing, there is no official guidance from the Article 29 Working Group in the EU suggesting that this mechanism is mandatory under the GDPR. Lead Liaison will be keeping an eye on developments and advice in this area and will update this page in the event that any official guidance on this topic is issued by the EU.
Note that Lead Liaison has built-in mechanisms to manage opt-in requests and to configure subscription to Lists and Categories.
Will data now have to be stored in the EU?
No. There is no obligation under the GDPR for data to be stored in the EU, and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad. For example, the EU has prepared a list of countries which it deems to provide an adequate standard of protection (known as “white-listed countries”), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on approved contractual provisions (e.g. the Model Clauses or Binding Corporate Rules) or on one of the other alternative measures provided for in law, such as Privacy Shield certification.
Note that Lead Liaison is Privacy Shield certified and also offers a Data Protection Agreement upon request.