Six Similarities Between GDPR & US Regulatory Requirements

As companies collect and store more and more personal information, they face data privacy risks on many fronts. Increasingly, they are being held accountable for protecting their customers’ digital privacy. New regulations, led by Europe’s General Data Protection Regulation (GDPR) in 2018, are quickly becoming normative in countries around the world. In total, 58% of all countries have some form of privacy regulations on the books, and another 10% are drafting legislation. Interestingly, the US, one of the most important data markets in the world, isn’t governed by a national data privacy standard. Instead, states are adopting their own regulations that hold companies accountable for protecting individuals’ data. From California’s Consumer Privacy Act (CCPA) to New York’s SHIELD Act, regulatory standards are changing many companies’ approaches to data security, and they are bringing costly implications for failure.

Of course, complying with multiple, multifaceted data privacy laws can be exceedingly challenging. With that in mind, we’ve identified six similarities between GDPR and US regulatory requirements that can get you started on a path toward compliance.
#1 The definitions of a data breach are intentionally broad.
Privacy regulators aren’t just concerned about addressing the most egregious data breaches. They strive to set a standard that encourages all companies, big and small, to conduct a significant overhaul of their data security protocols. Therefore, the latest privacy regulations are intentionally broad when it comes to defining a data breach.

While the technical definitions vary, privacy regulations make one crucial caveat: bad actors don’t have to misuse data for an event to qualify as a breach. Simply gaining access to viewable personal data is enough for an incident to count as a data breach.

#2 Consumers have a right to view the data collected about them.
Europe’s GDPR unleashed a new industry precedent for personal data standards by explicitly giving consumers the right to know the information that’s collected about them. Increasingly, data privacy laws are requiring companies to provide this information in user-friendly formats, and the timeframe for this information is expanding.

For instance, GDPR gave consumers access to thirty days’ worth of personal data in this format, but the CCPA extends that window to twelve months. However, this does come with a caveat, as consumers are only allowed to request that information twice during the year.

To be sure, some tech companies already offer users access to this personal information, although the usability of this data deluge is often questionable at best. The latest privacy regulations place a lasting priority on how data is collected, managed, and processed.

#3 Consumers have a right to be forgotten.
The internet’s eternality is one of the most ominous features of today’s digital landscape. Misleading information, comments made in bad judgment, and algorithmically-driven personal preferences follow people around online like a shadow that they just can’t shake. However, the latest privacy regulations include a “right to be forgotten” that allows users to have their data deleted.

While the New York SHIELD Act doesn’t specifically require companies to delete personal data, both GDPR and CCPA do. What’s more, CCPA requires businesses to notify third-party service providers who may have access to personal data, which should expand the scope of personal privacy online.

Interestingly, businesses do have an “out.” They can decline to delete personal data if it is considered vital to business operations.

#4 Companies are required to notify customers and regulatory authorities.
Data privacy regulations are pushing for more transparency from companies collecting personal information, and that includes notifying consumers and regulatory authorities after a breach occurs. Both the CCPA and the New York SHIELD Act contain notification requirements that increase the impetus for companies to identify malicious activity quickly and report on the breadth and depth of the incident to all stakeholders.

#5 Companies need to adopt defensive measures.
Most privacy regulations require companies to adopt defensive measures to protect customer data. However, these guidelines are often vague, leaving companies with a priority to embrace rather than a procedural script to follow.

For instance, the CCPA and the SHIELD Act require companies to adopt “reasonable security” measures that help protect customer data. These include designating an employee to oversee data security priorities, implementing a program to identify internal and external risks, assessing existing safeguards, and many other factors.

Simply put, privacy regulators are looking for companies to take the initiative and responsibility for data protection. After years of passivity, the current regulatory landscape requires new levels of intentional, proactive data security.

#6 Financial penalties punish companies that don’t comply.
GDPR set a new standard for data privacy by promising steep financial penalties of up to €10 or 2% of a company’s global revenue after a first offense. US state laws have followed the lead, promising financial consequences for companies that don’t comply with their data security standards. With a maximum fine of $7,500, the CCPA relies on decidedly less harsh penalties, while the SHIELD Act can cost companies up to $250,000.

Data breaches are already incredibly costly, and they are expected to become even more expensive, in part because of the increasingly common regulatory fines and penalties associated with a breach.

What It All Means
Today’s regulatory landscape is diverse and multifaceted. Given the rapidly shifting consumer sentiment about data security, companies should expect that more data privacy standards will govern their activity in the future.

The costs of failure in this regard are steep. That’s why, at inTech, we’ve prepared tools to help you achieve and maintain compliance. With our tools and expertise, you can automate data privacy standards and documentation responsibilities, making compliance a simple, intuitive process for everyone.