What GDPR privacy requirements mean for U.S. businesses


GDPR breach notification rule could complicate compliance

Don't forget the huge fines: When it comes to the new 72-hour GDPR breach notification rule, the cost of compliance must be weighed against harsh GDPR penalties.

When the EU begins enforcing its new General Data Protection Regulation next year, all companies -- whether they're located in the EU or not -- that collect, store or process personal data for people residing in the EU will be required to notify the appropriate authorities of breaches within 72 hours after discovery.

In the past, some companies have been more willing to pay fines over compliance failures than pay the cost of becoming compliant with privacy regulations. However, the new GDPR breach notification requirement could force change for the better in terms of timely notification, because failure could mean fines as high as 4% of the organization's global annual revenue or 20 million euros -- whichever is higher.

Nigel Hawthorn, EMEA marketing director at Skyhigh Networks, a cloud security company headquartered in Campbell, Calif., said the reason for the high fines specified by the GDPR breach notification requirement was to put more pressure on companies to change that behavior.

"To put this into perspective, the original data protection legislation was passed in the EU in 1995, so organizations have had over 20 years to get their act together -- and some have decided it is more cost-effective to risk being caught out and fined, rather than be honest and admit to a breach," Hawthorn said, adding that individual countries may add even more pressure. "In Germany, for example, there is a draft of legislation that can imprison people for up to three years for knowingly leaking [personally identifiable information] to increase the pressure to do the right thing."

Patrick McGrath, director of solutions marketing at Commvault, a data protection company headquartered in Tinton Falls, N.J., said, "A 72-hour notification window is far more aggressive than what is currently defined by U.S. state laws. Many U.S. companies are dragging their heels on GDPR and have a false assumption that they will not [be] impacted by GDPR regulations."

"In the past, it was seen as less expensive to pay the fines if you got caught than it was to become fully compliant with regulations, which will require a significant number of business and data management practices. With GDPR, the fines are so significant and cannot be ignored. Organizations that provide visibility across all data sources and the ability to automate data policies will have a head start into their GDPR readiness," McGrath added.

Drew Nielsen, chief trust officer at cloud data protection provider Druva, based in Sunnyvale, Calif., said, "While European citizens and nation states have been emphatic since the end of World War II about the privacy of their information, the same cannot be said for the United States. This lack of privacy awareness in the U.S. has translated into American businesses historically dragging their feet when it comes to breach notification."

GDPR breach notification could help everywhere

Although enforcement of GDPR will be limited to protecting the personal data of EU residents, the regulation could force organizations to be more open about data breaches, no matter who is affected.

"When they first become aware of a breach, most organizations won't be able to confirm that no data from EU residents has been compromised," said Jason Rose, senior vice president of marketing at Gigya Inc., a customer identity and access management company headquartered in Mountain View, Calif. "So, they'll have to provide notification of all breaches involving customer data to mitigate the risk of noncompliance."

The GDPR breach notification rule is also expected to motivate organizations to report breaches more promptly than has previously been the case.

"Until now, U.S. companies have had the luxury of hiding data breaches from their clients and other stakeholders for a set period of time -- often times, until absolutely necessary," said Lacy Gruen, director at RES Software, a digital workspace company headquartered in Radnor, Pa. "GDPR will bring with it a paradigm shift in how organizations interact with their stakeholders when it comes to notification of these breaches, and [it] will usher in an era of increased transparency. U.S. companies will absolutely need to adjust to the 72-hour data breach notification period under the GDPR to avoid not only hefty fines, but also to avoid reputational damage."

Under GDPR, breach notification requires an organization to notify the appropriate data protection authority (DPA) of any breach "[no] later than 72 hours after having become aware of it," unless it can show that the data breach does not "result in a risk to the rights and freedoms of natural persons." If the notification cannot be made within three days, the organization must be able to explain the need for the delay.

"Understandably, the challenge is many companies want to understand the impact of the breach before they notify customers and create any panic," said Elizabeth Maxwell, mainframe technical director at Compuware Corp., a mainframe software company headquartered in Detroit. The initial breach report is required to be sent to the appropriate DPA, while notification of data subjects must be done "without undue delay," according to the GDPR regulation.

"We think it is fair to require a type of 'general notification,' followed by more specifics," Maxwell said.
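To make the timing logic of the rule concrete, here is an added example (not from the article or from any vendor quoted in it) that models the Article 33 clock for an incident tracker: it computes the 72-hour deadline from the moment of awareness, treats an unfinished assessment as "must notify" (since, as noted above, most organizations cannot rule out EU-resident data at first awareness), and requires a stated reason for any late report. The record fields, the status names, and the assumption that data subjects are told once a risk is confirmed are the example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 33 window as quoted in the text: "not later than 72 hours after having become aware"
DPA_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:  # hypothetical incident-tracker record
    aware_at: datetime                          # when the organization became aware of the breach
    eu_data_excluded: bool = False              # True only if EU-resident data is confirmed NOT involved
    risk_to_individuals: Optional[bool] = None  # None = risk assessment not finished yet
    dpa_notified_at: Optional[datetime] = None  # when the supervisory authority was actually told
    delay_reason: Optional[str] = None          # required explanation if the report is late


@dataclass
class Obligation:
    dpa_required: bool
    dpa_deadline: Optional[datetime]
    hours_remaining: Optional[float]            # negative once the window has passed
    status: str                                 # not-required | pending | notified | late-justified | overdue-unjustified
    subjects_required: bool                     # data subjects notified "without undue delay" (assumed: once risk confirmed)


def assess(rec: BreachRecord, now: datetime) -> Obligation:
    # Only two things remove the duty to notify the DPA: EU data is positively out of
    # scope, or the assessment positively shows no risk to individuals. "Unknown" is
    # deliberately treated as "must notify" so the clock keeps running during triage.
    if rec.eu_data_excluded or rec.risk_to_individuals is False:
        return Obligation(False, None, None, "not-required", False)

    deadline = rec.aware_at + DPA_WINDOW
    subjects = rec.risk_to_individuals is True

    if rec.dpa_notified_at is not None:
        # Report already sent: was it inside the window, and if not, was the delay explained?
        remaining = (deadline - rec.dpa_notified_at).total_seconds() / 3600
        if remaining >= 0:
            status = "notified"
        else:
            status = "late-justified" if rec.delay_reason else "overdue-unjustified"
        return Obligation(True, deadline, remaining, status, subjects)

    # Still open: report how much of the 72 hours is left, or flag the missed deadline.
    remaining = (deadline - now).total_seconds() / 3600
    if remaining >= 0:
        status = "pending"
    else:
        status = "late-justified" if rec.delay_reason else "overdue-unjustified"
    return Obligation(True, deadline, remaining, status, subjects)
```

Feeding the tracker a record with only an awareness timestamp yields a "pending" obligation with the hours left, which is the number an incident commander wants on the wall during the first day of triage.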

One potential benefit of becoming GDPR-compliant before any breach occurs is that companies can use GDPR as motivation to improve their breach detection and analysis capabilities.

"Companies that understand that detective controls and analysis are important will see breach notification times drop, because they will put controls in place to detect these breaches. These controls will alert them when something goes wrong far faster than ever before, because they never had this before," said Brian Vecci, technical evangelist at insider threat protection vendor Varonis Systems, based in New York.

As for companies that continue to put off improving their breach notification game, Vecci said, "It really doesn't matter whether the breach notification will be mandated for the U.S., because it is inevitable that this type of legislation will be written here. Companies can either comply with GDPR now or a similar legislation in the future, and we'll see many comply now because it's just good business."

According to Nielsen, the prospects for widespread GDPR compliance in the U.S. could depend on how the EU treats the first violations of the regulation.

"While GDPR mandates breach notification within 72 hours, this will likely not improve the response times in the U.S. until the first financial penalties are levied against a U.S. organization that violates Article 33 [of GDPR]," Nielsen said. "The severity of the fine and the outcome of any subsequent litigation will most likely have a direct impact [on] whether U.S. companies improve their current processes for incident response, business continuity and breach notification."

Getting ready to comply with GDPR breach notification rule

U.S. companies should expect to change some of their processes and standards to comply with the upcoming regulation.

"GDPR will force companies to take a proactive stance at managing the lifecycle of personal data to ensure that consent is received from each individual about the data that will be stored and processed," McGrath said. Under GDPR, "individuals also have the right for full disclosure, to receive copies of the personal data and to erase instances of personal data -- all of which must be fulfilled within a month of receiving the request at no charge to the individual."

Gruen suggested that hiring a data protection officer (DPO) will be necessary, but not sufficient, to enable U.S. companies to comply with the GDPR breach notification protocol.

"In addition to hiring a [DPO], U.S. companies will need to rely on the latest technology to abide by this rule, including using automation to collect data and to secure it. The previous EU directives for data protection were not anywhere near today's version of GDPR and certainly didn't have the penalties in place if someone was found out of compliance after a breach," Gruen said. "Nobody will want to be the first to be found noncompliant because it will likely be very expensive and certainly make headlines."

Richard Stiennon, chief strategy officer at Blancco Technology Group, a data security company headquartered in Alpharetta, Ga., said, "Most organizations are going to have to re-examine their incident response plans. If they have a DPO who can establish a rapport with his [or] her counterpart at the data-supervisor level, it will help. Three days is not a lot of time to even confirm a data breach."

"In the past, it has taken organizations lengthy periods of time to establish what happened, determine how much data is impacted and what steps need to be taken to prevent it from happening again, all before communicating to authorities. In the future, as soon as they confirm a breach, [the regional Data Protection Supervisor] should be notified even before all the details are known. Be forthcoming with as much as you know and demonstrate openness -- you are not trying to obfuscate."
