Tag: GDPR

November 8, 2021

CLTC Request for Proposals:

Comparing Effects of and Responses to GDPR and CCPA/CPRA

The Center for Long-Term Cybersecurity at UC Berkeley is hosting its second interdisciplinary symposium on July 29, 2022 to examine and compare how various stakeholders (including firms and consumers) have responded to the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)….

October 28, 2020

CLTC Call for Proposals:

Comparing Effects and Responses to GDPR and CCPA

The Center for Long-Term Cybersecurity at UC Berkeley is hosting an interdisciplinary workshop on July 30, 2021 to examine and compare how firms and consumers have responded to the E.U.’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This RFP seeks proposals to conduct scholarly inquiry…

May 16, 2018

CLTC Research: American Companies Struggle to Meet GDPR’s Data Breach Notification Rules

On May 25, 2018, Europe’s General Data Protection Regulation (GDPR) will come into effect following a two-year implementation period. Among the obligations the GDPR imposes, the data breach notification requirement is likely to be particularly problematic for American companies. Article 33 requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; a notification made after 72 hours must be accompanied by the reasons for the delay. Companies that fail to comply face potentially massive fines: under Article 83(4), up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher (the widely cited ceiling of 20 million euros or 4% in Article 83(5) applies to other categories of infringement). According to research by the UC Berkeley Center for Long-Term Cybersecurity, most companies fall far short of the GDPR’s requirements in their standard notification practice. In only 9.1% of the breach incidents we analyzed did companies notify within the GDPR’s 72-hour window. Around two thirds (67.5%) provided notification within the deadlines set by U.S. state breach notification laws, but the leap from the 45-day deadlines found in many of those laws to 72 hours is significant, and the GDPR’s broad territorial scope sets a de facto standard for data breach reporting that companies will be hard-pressed to meet.