The European Union’s (EU) General Data Protection Regulation (GDPR) is now in effect and applies to any data controller or processor, wherever located, that supplies goods or services to data subjects within the EU. U.S.-based companies that fall within GDPR’s purview must understand its data breach response requirements and incorporate its standards into their incident response policies and procedures.
Under GDPR, the data controller is the person or entity who “determines the purposes and means” of the processing of personal data. The data processor is the person or entity that processes personal data on behalf of the controller. “Processing” has an extremely broad definition under GDPR, encompassing virtually any interaction with personal data. The data subject is always a natural person, not a corporation or other entity. In a typical case, the company is the controller, the service provider is the processor, and the company’s individual employees, contractors, customers and agents are the data subjects.
The following describes four key concepts under the regulation and how they differ from similar concepts under U.S. law.
Under the GDPR, the definition of “data breach” is broader than under U.S. state data breach laws:
The definition of “personal data” is broader under GDPR than under current U.S. law. Personal data is defined by GDPR to mean “any information relating to an identified or identifiable natural person…” By contrast, many U.S. state data breach laws define the data covered by the breach notification requirement much more narrowly, for example, as only a first name or initial and last name, plus some kind of specific identification or account number or access code, or as a user name or email address in combination with a password or security question and answer. (See, e.g., Cal.
*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Privacy Team. Read the original post at: https://threatvector.cylance.com/en_us/home/data-breaches-and-gdpr-what-you-need-to-know.html