By: Christopher Wheaton, Privacy & Compliance Counsel
As the General Data Protection Regulation (GDPR) implementation date of May 2018 quickly approaches, many companies are struggling to understand their compliance obligations. With penalties of €10 million or 4% of global annual turnover, you’d need more than a sports almanac and a time-traveling DeLorean to pay the fines!
While Back to the Future is fiction, the issue of consent under the GDPR is real. In general, GDPR Article 7 defines the conditions for obtaining consent to process personal data. Here are some general rules to keep in mind related to consent:
- The controller must demonstrate that the data subject has consented to the processing of his or her personal data.
- The controller’s request for consent should be presented to the data subject in a manner that is specific to the personal data being processed. Be transparent by using clear and plain language!
- The data subject must be given the right to withdraw his or her consent at any time.
In the same way that Marty was responsible for saving the McFly family, you (as a controller) must ensure that your data subjects consent to your processing and even removal of their personal data. This is not a responsibility that should be taken lightly, particularly given the potential liabilities under the GDPR.
While Marty is advised not to talk to anyone, touch anything or do anything in the future that could cause repercussions for the past, you must be an active participant in your GDPR process. Lucid provides access to a platform that facilitates the purchase of sample between buyers and suppliers; all must be involved in collecting consents for the personal data each processes. That means for every transaction on Lucid’s platform at least three different entities (sometimes more) will collect personal data related to the data subjects who may eventually be chosen to complete surveys. It is not enough for just one entity to handle the consent, as it may not be known to that entity what personal data is being processed by the other entities on other platforms.
“I guess you guys aren’t ready for that yet. But your kids are gonna love it.” – Marty McFly
- Suppliers are obligated to collect consents from their data subjects before processing their personal data. This most likely happens when an individual becomes a member of the supplier’s platform, panel, or other service offerings.
- Lucid is obligated to collect consents from data subjects who land on our platform. These consents, related to the personal data collected and processed by Lucid, must happen prior to sending the data subjects onto the buyers’ survey hosting platforms.
- Buyers (and their survey hosting platforms) must collect consents from the data subject survey-takers related to any personal data collected as part of the final surveys.
In general, Lucid plans to obtain consent from each EU data subject on their first entry into our platform. Subsequent entries will not require consent collection as long as we can identify the respondent’s prior consent.
It is important that all parties involved in the transaction look out for one another (most importantly, the data subjects) and seek guidance from your attorneys for any questions.
If you have any questions/comments regarding this blog post, please feel free to contact us at firstname.lastname@example.org.
To be continued… Follow this blog series for updates on Lucid’s journey toward GDPR compliance.
Under the GDPR and applicable to European Union data subjects:
- ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.