GDPR – What You Need to Know

Disclaimer

Disclaimer: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Lead Liaison has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In summary, you may not rely on this document as legal advice, nor as a recommendation of any particular legal understanding.

What is the GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation which replaces the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It was implemented on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

The full text of the GDPR can be found here.

Does the GDPR apply to you?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it also applies to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR applies to you.

Product Changes

Lead Liaison now hosts a suite of features that help companies satisfy many data privacy requirements set forth by the European Union’s (EU) General Data Protection Regulation (GDPR). Keep in mind that your company doesn’t have to be based in the EU. If your company markets products or services to residents/citizens in the EU, then you’ll benefit from some or all of these new features. View those features here.

Legal Document Changes

The following documents were already in existance or have been updated to fully comply with GDPR regulations.

Existing Policies

Security & Policy Document Updates

Legal Updates

Transfers Outside the EU

Lead Liaison maintains a Privacy Shield certification with the U.S. Department of Commerce which ensures that adequate safeguards are in place when we transfer personal data from the EU to the US. References to our Privacy Shield certification are included in our Privacy Policy. We also offer a Data Processing Agreement, which contains the EU approved Model Clauses, to certain EU/EEA based customers upon request. Since the rules regarding transfers of personal data abroad don’t change under the GDPR we’ve already got you covered!

Common Questions

Is double-opt-in mandatory?

For those unfamiliar with this term, “double-opt-in” is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR is in fact silent on whether this form of consent is required. Recital 32 of the GDPR adds additional clarity on what consent means under the regulation and again, no express requirement for double-opt-in consent. Recital 32 states:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

At the time of writing, there is no official guidance from the Article 29 Working Group in the EU which suggests that this mechanism is mandatory under the GDPR. Lead Liaison will be keeping an eye on developments and advice in this area and will update this page in the event that any official guidance on this topic is issued by the EU.

Note that Lead Liaison has built in mechanisms to manage opt-in requests and configure subscription to Lists and Categories.

Will data now have to be stored in the EU?

No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection (known as “white listed countries”), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on use of approved contractual provisions (e.g. the Model Clauses or Corporate Binding Rules) or one of the other alternative measures, provided for in Law, such as the Privacy Shield certification.

Note that Lead Liaison is Privacy Shield certified and also offers a Data Protection Agreement upon request.

Additional Resources

  1. Locate your Supervisory Authority
  2. Full GDPR text (in German)
  3. EU’s GDPR
  4. EU Data Protection Supervisor
  5. Guidance from the German Federal Commissioner for Data Protections’ on the GDPR
  6. Irish Data Protection Commissioner’s GDPR