Introduction
The newly implemented European Union General Data Protection Regulation (GDPR) requires mandatory breach notifications. The GDPR is a revision of a 1995 directive. To our disappointment, the US has no such federal law. Companies must therefore satisfy multiple US laws, which makes compliance more challenging. This is a comparative analysis of the GDPR against US data breach notification requirements. The study compares the GDPR with the statutes of the 50 US states. It highlights the challenges companies face and reveals the types of decisions companies must make to be in compliance with these statutes.
Findings
Notably, this GDPR comparative analysis reveals that the requirements of the various laws, statutes, and regulations vary by state, country, and audience. Companies must decide whether to base compliance on the most stringent requirements, which can be financially prohibitive, or to meet only the minimum requirements, which can be managerially prohibitive. A comparison of the GDPR and the statutes related to data breach notifications reveals the types of decisions companies must make. Because the definitions of personal information and data breach vary, the same incident may be considered a breach in one jurisdiction but not in another. Companies might decide, on behalf of the consumer, to notify all their customers.
Further, the time allowed to notify the consumer or a supervisory authority varies. A company would likely notify the entities requiring the earliest notification first and continue notifications as time permits. Since penalties vary, companies might also notify according to those with the costliest penalties first. The contents of data breach notifications are not always specified or consistent. Thus, companies should develop standard notification provisions for all required entities, where the information is available.
Challenges
Briefly, the comparative analysis highlights the challenges companies face in trying to comply with multiple regulations. The greatest challenge exists for small businesses: simply knowing the regulations is likely a challenge for an average small business. The GDPR may remain consistent, but the statutes of the 50 US states continue to be amended. In addition, there are the statutes of other countries. More than 100 countries have enacted data protection legislation, and several others are in the process of passing such laws (Banisar, 2011).
Further, Banisar notes that data protection laws have been enacted in countries such as Thailand, Mexico, Georgia, and Malaysia. The most recent US personal information security breach statutes include new laws in Arizona, South Dakota, and Alabama (Bellamy, 2018). Thus, companies should put protections in place and staff personnel who can help prevent a data breach as defined by any of these governments. This needs to be in addition to a plan for complying with the existing laws, since every country a company does business in requires legal compliance.
