GDPR Overview

Lucid is Ready


At Lucid, we see GDPR as an incredible opportunity. Transparency is one of the core values of our company, and the new regulations will elevate the trust that we already share with our clients and partners. 

When it comes to data privacy laws, we have a unique responsibility. Many of the buyers, suppliers, and survey respondents on our platform are impacted differently by GDPR. This page is intended to be a resource for Lucid’s clients and partners to better understand how privacy laws will affect their current business practices.

As the new regulations take effect, we encourage everyone in our industry to understand their role in GDPR and take the appropriate steps toward compliance.


What is GDPR?
The General Data Protection Regulation (GDPR) outlines new privacy and security requirements for organizations that process personal data from EU individuals. It will take effect on May 25, 2018.

GDPR strengthens existing data privacy laws in the European Union (EU) and broadens the privacy rights of EU citizens.

Will you be affected?
All of Lucid’s clients and partners must comply with the GDPR requirements if they process personal data from EU citizens or non-citizens who are located in the EU.

That means all buyers, suppliers and vendors are responsible for meeting these standards if they are involved in data collection, storage, transfer, dissemination or erasure for EU individuals.

Personal Data: Information that can (directly or indirectly) identify a person (“data subject”). Specifically, this includes identifying a person’s name, identification number, location data, or an online identifier. It may also include one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Data subject: An identifiable natural person.

Processing: Any operation performed on Personal Data. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: The person or entity that determines the purposes and means of processing Personal Data.

Processor: The person or entity that processes Personal Data on behalf of the Controller.

Consent: Occurs when the data subject freely gives specific, informed and unambiguous indication of agreement to the processing of his or her Personal Data.

*These are abbreviated definitions. View the Lucid GDPR Guide  for a full list of legal terms.


In a data marketplace, GDPR means ensuring compliance among all marketplace users and participants. It’s our responsibility to verify that not only Lucid, but others within the platform are also compliant.

Buyers should be aware of their own consent-gathering obligations when acquiring Personal Data from the Respondents in surveys. 

Supply partners must become GDPR compliant and self-certify their compliance to Lucid. If a supply partner is obligated to achieve compliance and does not self-certify, they will not be allowed to participate in the marketplace.

Respondents should be fully aware and informed of the purpose and use of their Personal Data before consenting to any entity requesting their consent. They should also track which entities and/or websites they have given consent for future use (such as subject access rights requests). 


As Lucid prepares for GDPR compliance, we are taking “Privacy by Design” principles into consideration every step of the way. This approach involves embedding privacy standards into our software, networks, and business practices.

Using the Privacy by Design framework, we have implemented privacy protection methods that ensure the security of data that we process. 

Every time we release a new product or service, Lucid conducts privacy impact and data protection impact assessments to determine where and how a person’s data will be stored. This mitigates any privacy or security issues before the product is even launched.


Lucid is completing the following 9 steps to achieve GDPR compliance:

  1. Development of a GDPR Privacy Compliance Plan to demonstrate Privacy by Design
  2. Creation of a Consent Management Program
  3. Establishment of a data-processing activities mapping/inventory and justification for processing such data
  4. Creation of a Data Subject Access Rights procedure
  5. Development of a Right to Erasure or Right to be Forgotten procedure
  6. Enhancing Information Security Policy
  7. Generation of a Breach/Incident Management plan
  8. Execution of Data Protection Impact Assessments (DPIA) and Privacy Impact Assessments (PIA)
  9. Appointment of a Data Protection Officer (DPO)


Additional GDPR resources:

Do you have questions about GDPR compliance?
Contact Elizabeth Fortier, our Data Protection Officer, at

For detailed information on Lucid’s data privacy policies: