6 ways the GDPR and U.S. handle data breaches differently

7 May, 2018

Europe has used the United States’ model for data-breach notifications to design its General Data Protection Regulation (GDPR). While these two models may aim for the same end result, the details reveal two very different laws.

Let’s look at six ways the GDPR differs from the privacy laws in the United States.

1. Defining ‘data breach’

In the U.S., the definition of what triggers a data-breach notification is the “unauthorized access or acquisition” of sensitive materials, such as Social Security numbers. The GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”

2. Risk of harm threshold

Per the GDPR, only breaches that pose a risk to an individual’s “rights or freedoms” must be reported. U.S. data-breach laws set no such standard in plain language.

3. Strong security measures

The GDPR provides that “if appropriate technical and organizational measures” were in place to protect the data, the company does not need to report the breach. In the U.S., this is limited to data that is encrypted during storage.

4. Notification timing

Per U.S. data-breach laws, companies have 5 to 30 days to send out notifications. The GDPR states companies must send notifications “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”

5. Content of notifications

The U.S. uses a pick-and-choose method for what companies must include in their notification letters. The GDPR sets a standard in which companies must specify the nature of the data, contact information for further details, and measures taken to reduce risk.

6. Post-mortem documentation

U.S. playbooks usually offer a post-mortem process after a breach, but there is no law set for this. The GDPR requires all companies to document the post-breach process and make a plan to ensure it doesn’t happen again.

As the GDPR goes into effect this month, we will see how much the U.S. laws are willing to change in order to achieve the same standard.
