When looking at data breach rules, it is interesting to look at the comparison between Europe and the United States. Since the General Data Protection Regulation (GDPR) was implemented in the European Union last month, businesses have begun to notice that this legislation relates to the personal data of all EU residents not just those living in EU countries.
Personal data breaches have become an area of major concern. Under GDPR, personal data is defined as any personal information that would make any EU resident identifiable. A lot of this data could be perceived as sensitive data like race, sexual orientation, religion, politics, union membership, medical information or criminal proceedings.
According to the GDPR legislation personal data breaches are “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
GDPR rules differ from ways in which data breaches are handled. Here we will look at how the GDPR differs from American privacy laws when it comes to personal data.
U.S. privacy rules defines a personal data breach as the “unauthorized access or acquisition of sensitive materials’’. These include names, addresses, and Social Security numbers. The GDPR, however, has a slightly different view. GDPR defines it as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
Risk of personal data in a data breach also has differently viewpoints for the EU and US. Not all data breaches are considered necessary to be reported to Supervisory Authorities with the General Data Protection Regulations. The regulations state that Data Controllers or Data Protection Officers only need to report to the GDPR those breaches where there is a potential infringement of a data subject’s “rights or freedoms”.
In contrast, in American data-breach laws all breaches that may pose a threat to individuals’ personal data must be reported.
Another area where GDPR and American Privacy Laws differ is with security measures. GDPR explains to companies that are involved in the collection and processing of personal data that: “if appropriate technical and organizational measures” are in place to assure protection of the personal data of EU data subjects then, there is no need to report a personal data breach. On the other hand, American Privacy legislation limits breaches to personal data that is encrypted when it is stored.
It is stated in American Privacy legislation that companies have between five and thirty days to report a personal data breach. GDPR warns businesses to notify Supervisory Authorities of GDPR of data breaches “without undue delay and, where feasible, not later than 72 hours after” company personnel to whom the breach should have been reported, i.e. Data Controller/Data Protection Officer.
Another point that differs between the two is what is included in the report of a data breach. American Privacy Act allows companies choose its manner of reporting. It also largely allows them to choose what to include in the report.
On the other hand, GDPR prefer a specific standard form to be used. Businesses are required to describe in detail the nature of the data breach, contact information for Data Controller/Data Protection Officer, information which has been compromised and also measures taken by the company to reduce the risk to the personal data.
In U.S. Privacy Laws, the American legislation expects that there will be a post-mortem process after a breach has occurred. How this should be completed is not specified in the legislation. In contrast, GDPR states that a post-breach should be in place for all businesses that report a breach to Supervisory Authorities of GDPR. The plan is in place to ensure breaches do not occur again. Companies are encouraged to complete this post-breach investigation not just the ones they had to report, but for all personal data breaches.
As the GDPR has just become enforceable, it is still mostly uncertain how U.S. laws concerning privacy of personal data will be affected.