By: Abby L. Sacunas, Esq. and Ude Lu, Ph.D., Esq., Cozen O’Connor
The new European Union (EU) privacy law, the General Data Protection Regulation (GDPR), took effect on May 25, 2018. GDPR protects natural persons located in the EU. A company that collects any personal data that can directly or indirectly be used to identify a natural person in the EU is regulated by GDPR, regardless of where the company is headquartered. As a result, many U.S. manufacturers and distributors are subject to GDPR.
Here are a few highlights of GDPR:
- Penalties. Violations can be fined up to 4 percent of annual global turnover or €20 million, whichever is greater.
- Withdrawal of consent. You must provide mechanisms for your clients to withdraw their consent. Withdrawing consent must be as easy as giving it.
- Breach notification. A personal data breach must be reported to the supervisory authority within 72 hours of the company first becoming aware of it; the same deadline applies in every EU member state.
- Right to access. An EU individual has the right to request a copy of the personal data you have collected about him or her.
- Right to be forgotten. An EU individual has the right to have you erase his or her personal data and cease further processing of that data.
In view of the severe penalties provided for by GDPR, it is of the utmost importance for your company to be in compliance. At a minimum, we recommend that companies institute the following:
- EU-US Privacy Shield. The U.S. signed an agreement with the EU to establish the EU-US Privacy Shield (the “Shield”). The Shield provides a framework for cross-border transfers of personal data from the EU to the U.S. Participating companies are subject to enforcement by U.S. agencies, rather than EU supervisory authorities, when facing governmental investigations. (Note: the Privacy Shield framework was invalidated by the Court of Justice of the European Union in July 2020 in the Schrems II decision, so it can no longer be relied on as a transfer mechanism.)