6 ways the GDPR and U.S. handle data breaches differently

7 May, 2018

Europe has used the United States’ model for data-breach notifications to design its General Data Protection Regulation (GDPR). While these two models may have the same desired end result, the details within them show us two very different laws.

Let’s look at six ways the GDPR differs from the privacy laws in the United States.

1. Defining ‘data breach’

In the U.S., the definition of what triggers a data-breach notification is the “unauthorized access or acquisition” of sensitive materials, such as Social Security numbers. The GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”

2. Risk of harm threshold

Per the GDPR, only breaches that pose a risk to an individual’s “rights or freedoms” must be reported. Within the U.S. data-breach laws, there is no such standard set in plain verbiage.

3. Strong security measures

The GDPR provides that “if appropriate technical and organizational measures” were in place to protect the data, the company does not need to report the breach. In the U.S., this is limited to data that is encrypted during storage.

4. Notification timing

Per U.S. data-breach laws, companies have 5 to 30 days to send out notifications. The GDPR states companies must send notifications “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”

5. Content of notifications

The U.S. uses a pick-and-choose method for what companies must include in their notification letters. The GDPR sets a standard in which companies must specify the nature of the data, contact information for further details, and measures taken to reduce risk.

6. Post-mortem documentation

U.S. playbooks usually offer a post-mortem process after a breach, but there is no law set for this. The GDPR requires all companies to document the post-breach process and make a plan to ensure it doesn’t happen again.

As the GDPR goes into effect this month, we will see how much the U.S. laws are willing to change in order to achieve the same standard.



Hello from the Veritoken Global CEO

29 January, 2019


OECD conference to examine blockchain's impact

4 September, 2018


How Blockchain is Being Used to Verify Bank Accounts Online

28 August, 2018


10 influential people in the blockchain and crypto space

2 August, 2018


Follow-up report: congressional hearing on crypto

1 August, 2018


Gibraltar's new blockchain exchange opens to public trading

31 July, 2018



Download the White Paper:

White Paper PDF

Pin It on Pinterest