The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: Does the GDPR data breach notification provision cover the same type of data as United States data breach notification provisions?
Answer: No. In the United States almost every state and federal territory has its own data breach notification law. In addition there are several federal breach notification laws with national applicability that apply to specific industry sectors. Almost all of the United States breach notification laws apply only to enumerated categories of sensitive information (such as Social Security Numbers, driver’s license numbers, health information, or financial account numbers).
The GDPR breach notification provision has a far broader scope. It potentially applies to any data breach that involves “personal data.” That term is defined as including any information relating to an identified or identifiable person. As a result theoretically a loss of personal data as innocuous as a list of names could trigger a notification obligation in Europe; in comparison such a breach would rarely if ever trigger a notification obligation in the United States.