7 May, 2018
Europe has used the United States’ model for data-breach notifications to design its General Data Protection Regulation (GDPR). While the two models aim at the same end result, the details reveal two very different laws.
Let’s look at six ways the GDPR differs from the privacy laws in the United States.
In the U.S., the definition of what triggers a data-breach notification is the “unauthorized access or acquisition” of sensitive materials, such as Social Security numbers. The GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
Per the GDPR, only breaches that pose a risk to an individual’s “rights or freedoms” must be reported. The U.S. data-breach laws set no such risk threshold in explicit terms.
The GDPR provides that “if appropriate technical and organizational measures” were in place to protect the data, the company does not need to report the breach. In the U.S., this is limited to data that is encrypted during storage.
Per U.S. data-breach laws, companies have 5 to 30 days to send out notifications. The GDPR states companies must send notifications “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
The U.S. uses a pick-and-choose method for what companies must include in their notification letters. The GDPR sets a standard in which companies must specify the nature of the data, contact information for further details, and measures taken to reduce risk.
U.S. incident-response playbooks usually include a post-mortem process after a breach, but no law requires one. The GDPR requires all companies to document the post-breach process and to make a plan to ensure it doesn’t happen again.
As the GDPR goes into effect this month, we will see how far the U.S. laws are willing to change in order to reach the same standard.