News, Events, and Publications

May 16, 2018
CLTC Research: American Companies Struggle to Meet GDPR’s Data Breach Notification Rules

On May 25, 2018, Europe’s General Data Protection Regulation (GDPR) will come into effect following a two-year implementation period. Among the regulations outlined in the GDPR, the data breach notification requirement is likely to be particularly problematic for American companies. Article 33 of the GDPR sets the deadline for data breach notification at 72 hours, and any delay beyond that must be accompanied by an explanation. Companies that fail to comply with this requirement face potentially massive fines: up to 4% of annual revenues or 20 million Euros. According to research by the UC Berkeley Center for Long-Term Cybersecurity, most companies fall far short of the GDPR’s requirements in their standard notification practice. In only 9.1% of the breach incidents we analyzed did companies comply with the GDPR’s 72-hour requirement. Around two thirds (67.5%) provided notification within deadlines set by state privacy laws, but the leap from 45 days to 72 hours is significant, and the broad application of the GDPR sets a de facto standard for data breach reporting that companies will be hard-pressed to meet.