When it comes to data privacy laws, Lucid has a unique responsibility. Many of the buyers, suppliers, and survey respondents on our platform are impacted differently by GDPR. This page is intended to be a resource for Lucid’s clients and partners to better understand how privacy laws affect their current business practices.

We encourage everyone in our industry to understand their role in GDPR.


What is GDPR?
The General Data Protection Regulation (GDPR) outlines new privacy and security requirements for organizations that process personal data from EU individuals. It took effect on May 25, 2018.

GDPR strengthens existing data privacy laws in the European Union (EU) and broadens the privacy rights of EU citizens.

Are you affected?
All of Lucid’s clients and partners must comply with the GDPR requirements if they process personal data from EU citizens or non-citizens who are located in the EU.

That means all buyers, suppliers and vendors are responsible for meeting these standards if they are involved in data collection, storage, transfer, dissemination or erasure for EU individuals.


Personal Data: Information that can (directly or indirectly) identify a person (“data subject”). Specifically, this includes identifying a person’s name, identification number, location data, or an online identifier. It may also include one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Data subject: An identifiable natural person.

Processing: Any operation performed on Personal Data. This includes collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Controller: The person or entity that determines the purposes and means of processing Personal Data.

Processor: The person or entity that processes Personal Data on behalf of the Controller.

Consent: Occurs when the data subject freely gives specific, informed and unambiguous indication of agreement to the processing of his or her Personal Data.


In a data marketplace, GDPR means ensuring compliance among all marketplace users and participants.

Buyers should be aware of their own consent-gathering obligations when acquiring Personal Data from the Respondents in surveys.

Supply partners must be GDPR compliant and self-certify their compliance to Lucid. Supply Partners must be GDPR compliant and complete a GDPR questionnaire. If a supply partner is obligated to be GDPR compliant and is not, they will not be allowed to participate in the marketplace.

Respondents should be fully aware and informed of the purpose and use of their Personal Data before consenting to any entity requesting their consent. They should also track which entities and/or websites they have given consent for future use (such as subject access rights requests).


Lucid takes “Privacy by Design” principles into consideration every step of the process. This approach involves embedding privacy standards into our software, networks, and business practices.

Using the Privacy by Design framework, we have implemented privacy protection methods that ensure the security of data that we process.

Every time we release a new product or service, Lucid conducts privacy impact and data protection impact assessments to determine where and how a person’s data will be stored. This mitigates any privacy or security issues before the product is even launched.


Lucid has completed the following 9 steps to achieve GDPR compliance:

  1. Development of a GDPR Privacy Compliance Plan to demonstrate Privacy by Design
  2. Creation of a Consent Management Program
  3. Establishment of a data-processing activities mapping/inventory and justification for processing such data
  4. Creation of a Data Subject Access Rights procedure
  5. Development of a Right to Erasure or Right to be Forgotten procedure
  6. Enhancing Information Security Policy
  7. Generation of a Breach/Incident Management plan
  8. Execution of Data Protection Impact Assessments (DPIA) and Privacy Impact Assessments (PIA)
  9. Appointment of a Data Protection Officer (DPO)


Additional GDPR resources:

Do you have questions about GDPR compliance?