The General Data Protection Regulation (GDPR): Impact on US Organizations and software development

Image for post
Image for post
  1. Risk of harm threshold for reporting: “Only those that pose a risk of harm to individuals’ “rights and freedoms” must be reported, a concept mostly nonexistent in US data-breach laws.”
  2. Safe harbor for strong security measures: “In the US model, the safe harbor for non-reporting is generally limited to data that is encrypted in storage and transit”
  3. The timing of the notifications: “In the United States, companies experiencing a notifiable data breach must generally notify affected individuals in an expedient manner, with a small handful of jurisdictions requiring definite timetables ranging from five to 30 days”
  4. Recipients of the notifications: “The US model centers on the notification of affected individuals, with many state attorneys general and federal agencies adding mandatory notification of them”
  5. The content of the notifications: “Several US states and some federal agencies specify what companies should and shouldn’t include in data-breach notification letters. The GDPR establishes a common standard that doesn’t exist in the United States”
  6. No credit-monitoring expectation: “While US laws don’t require companies to offer remedies such as credit monitoring to individuals affected by a data breach”
  7. No “walls of shame” yet: The US maintains a public-facing website that includes the data breaches that are reported. The GDPR does not require similar websites.
  8. Obligations for processors to notify: “In the US model, the burden of holding third parties accountable for providing timely notification of breaches to their clients falls largely on the clients’ contracting and vendor-management processes
  9. Post-mortem documentation: “US privacy incident-response playbooks often include a post-mortem process for continuous improvement as a matter of best practice” (PricewaterhouseCoopers, 2016).
  • A notice sent from the organization of data breaches within 72 hours of the breach,
  • Clarify data policies and ensure the language is transparent and understood by an average person,
  • The organization should hire a Chief Data Officer (or similar function) as a point of responsibility,
  • Follow “privacy by design” principles in software design, which pairs secure software methods side-by-side with traditional development methods.

Dr. Ron McFarland, CISSP, PMP guest blogger at Highervista, LLC (email:

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store