By: Christopher Wheaton, Privacy & Compliance Counsel
As the General Data Protection Regulation (GDPR) implementation date of May 2018 quickly approaches, many companies are struggling to understand their compliance obligations. With penalties of €10 million or 4% of global annual turnover, you’d need more than a sports almanac and a time-traveling DeLorean to pay the fines!
While Back to the Future is fiction, the issue of consent under the GDPR is real. In general, GDPR Article 7 defines the conditions for obtaining consent to process personal data. Here are some general rules to keep in mind related to consent:
In the same way that Marty was responsible for saving the McFly family, you (as a controller) must ensure that your data subjects consent to your processing and even removal of their personal data. This is not a responsibility that should be taken lightly, particularly given the potential liabilities under the GDPR.
While Marty is advised not to talk to anyone, touch anything or do anything in the future that could cause repercussions for the past, you must be an active participant in your GDPR process. Lucid provides access to a platform that facilitates the purchase of sample between buyers and suppliers, and all of them must be involved in collecting consents for the personal data each processes. That means that for every transaction on Lucid’s platform, at least three different entities (sometimes more) will collect personal data related to the data subjects who may eventually be chosen to complete surveys. It is not enough for just one entity to handle the consent, as that entity may not know what personal data is being processed by the other entities on other platforms.
“I guess you guys aren’t ready for that yet. But your kids are gonna love it.” – Marty McFly
In general, Lucid plans to obtain consent from each EU data subject on their first entry into our platform. Subsequent entries will not require consent collection as long as we can identify the respondent’s prior consent.
It is important that all parties involved in the transaction look out for one another (and, most importantly, for the data subjects) and seek guidance from their attorneys on any questions.
If you have any questions/comments regarding this blog post, please feel free to contact us at firstname.lastname@example.org.
To be continued…follow this blog series for updates on Lucid’s journey toward GDPR compliance.
Under the GDPR and applicable to European Union data subjects:
 ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
 ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
 ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.