By: Christopher Wheaton, Privacy & Compliance Counsel
In anticipation of the upcoming General Data Protection Regulation (GDPR) implementation in May of 2018, companies are struggling to understand their compliance obligations. With fines being the greater of €10 million or 4% of global annual turnover, even the best Jedi need help.
A long time ago in a galaxy not too far away, our Founder and CEO, Patrick Comer, had a vision to create a platform that automates the buying and selling of human answers. As part of this mission, we have suppliers and buyers participating in our online marketplace, the Fulcrum Platform. To fulfill our destiny as the leader of the human answers industry, Lucid has begun its journey toward compliance with GDPR. As we think about GDPR compliance and its implications on Lucid, we must also consider how this regulation will affect our suppliers and buyers.
As Rey would say, show us our place in all of this. There are potentially numerous obligations for each participant in a sample transaction, depending on how and by whom the Personal Data is being processed and controlled. Depending on our role in the services being performed, Lucid may be the processor or controller (and for certain transactions, Lucid may be both). In general, the suppliers and buyers of EU sample on the Fulcrum Platform are controllers who have contracted with Lucid to process such EU sample, which makes Lucid the processor. There are other, more complicated scenarios, but this is a blog post, so we’ll leave it at that for now.
As a GDPR compliance readiness step (and to help our suppliers selling EU sample on the Fulcrum Platform), Lucid has, through our Supplier Quality Program, surveyed them to determine where each is on their compliance journey. Among the topics Lucid chose to survey are:
- Development of a GDPR Privacy Compliance Plan to demonstrate Privacy by Design;
- Creation of a consent management program;
- Establishment of a data-processing activities mapping/inventory and justification for processing such data;
- Creation of a Data Subject Access Rights procedure;
- Development of a Right to Erasure or Right to be Forgotten procedure;
- Foundation of the required Information Security Policy;
- Generation of a Breach/Incident Management plan;
- Execution of a Data Protection Impact Assessment (DPIA) and Privacy Impact Assessments (PIA); and
- Appointment of a Data Privacy Officer (DPO).
As Lucid’s suppliers work toward GDPR compliance, they will be asked to self-certify such compliance to continue selling EU sample on the Fulcrum Platform by May of 2018. Buyers will be responsible to their customers and the respondents sourced through the Fulcrum Platform to the extent Personal Data is collected by the buyer in off-platform surveys.
If you have any questions/comments regarding this blog post, please feel free to contact us at firstname.lastname@example.org.
To be continued… Follow this blog series for updates on Lucid’s journey toward GDPR compliance. May the force be with you.
Under the GDPR:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.