June 19, 2018

By: Abby L. Sacunas, Esq. and Ude Lu, Ph.D., Esq., Cozen O’Connor

The new European Union (EU) privacy law, the General Data Protection Regulation (GDPR), took effect on May 25, 2018. GDPR protects natural persons residing in the EU. Companies collecting any personal data that can directly or indirectly be traced back to a natural person residing in the EU are regulated under GDPR, regardless of where the company is headquartered. As a result, many U.S. manufacturers and distributors are subject to GDPR.

Here are a few highlights of GDPR:

  • Penalties. GDPR violations can be fined up to 4 percent of annual global turnover or €20 million, whichever is greater.
  • Consent. The client’s explicit consent to your privacy policy is required. Implied consent is not allowed. The consent request must be written in simple, easy-to-read language.
  • Withdrawal of consent. You must provide mechanisms for your clients to withdraw their consent. Withdrawing consent must be as easy as giving it.
  • Breach notification. Data breach notification must be made within 72 hours of first becoming aware of the breach, in all EU member states.
  • Right to access. An EU individual has the right to request a report of what personal data you have collected about him/her.
  • Right to be forgotten. An EU individual has the right to have you erase his/her personal data and cease further processing of that data.

In view of the severe penalties provided by the GDPR, it is of the utmost importance for your company to be in compliance. At a minimum, we recommend that companies institute the following:

  • Privacy Policy. Adopt a public privacy policy (e.g., published on the company’s website) addressing at least the following topics: what personal information about your clients you collect, the purpose for collecting the information, how the information is used, with whom you share the collected information, what your data retention policy is, what rights your clients/customers have regarding the collected information, how the information is safeguarded, how cross-border data transfers are conducted, who should be contacted about any concerns or complaints about privacy, etc.
  • Internal Privacy Practice. The privacy policy is an enforceable public commitment. Merely having a privacy policy published on the website is insufficient for compliance with GDPR. Your company needs to implement extensive internal privacy practices throughout all departments (e.g., customer service, marketing, human resources, information technology, research and development) to ensure that every commitment promised in the privacy policy is kept.
  • EU-US Privacy Shield. The U.S. signed an agreement with the EU to establish the EU-US Privacy Shield (the “Shield”). The Shield provides a framework for cross-border data transfers from the EU to the US. Companies participating in the Shield will deal with US agencies, instead of EU agencies, when facing governmental investigations.
  • Notify Existing EU Clients. After you have a new GDPR-compliant privacy policy, you should notify your existing EU clients about it and solicit explicit consent to the new privacy policy. Without explicit consent, the company cannot use the personal data under GDPR.