RFID and US Privacy & Data Destruction Laws


The General Data Protection Regulation (GDPR) 2016/679 is the new data protection law, brought into effect in the EU and EU members in May 2018. The law replaces the 1995 EU Data Protection Directive and brings into effect a standardized data protection law across all 28 EU countries.

The new regulation focuses on the privacy rights of individuals, and the rights around the control, use and protection of Personally Identifiable Information (PII). GDPR is designed to harmonize data privacy laws across Europe. The law was instituted to protect and empower all EU citizen’s data privacy and to reshape the way organizations approach data privacy.



General Data Protection Regulation (GDPR) and the United States Privacy Laws

Since the General Data Protection Regulation (GDPR) came into effect in Europe, businesses in the United States that have been seemingly affected by the recent regulations and others making a case for consumer protection rights have increasingly adopted the GDPR guidelines.

Consumer rights protection laws/privacy laws exist in the United States, but the level of protection enjoyed by consumers in Europe is absent in the United States and this is largely due to the lack of credible legislation that governs consumer data protection rights.

With that said, at least 34 states and Puerto Rico have enacted laws that require business and governmental entities or both to destroy, dispose, or otherwise make personal information unreadable or undecipherable.

For companies in the United States that do not fall under the statutes of the law, the law has no binding effect, but the drive in Europe has served as a rude awakening for consumers in the United States. While several lawsuits have been filed, civil rights movements continue to lobby and make cases in favour of more strict rules in consumer data protection.

GDPR and US Privacy Laws; How They Differ

The GDPR and the US privacy laws significantly differ on various fronts. For US multi-national companies to remain compliant, they will need to make significant updates to their US privacy incident-response playbook.

The GDPR model is an entirely new framework!

The laws differ in the area of definition of major data protection terms, the extent of monitoring, the level of reportage in the case of a data breach and functions such as the obligations of processors to notify the user in the case of breaches amongst others.

Final Note

The majority of states in the US have enacted individual privacy and data protection laws, and the advent of the GDPR has spurred ratifying a similar act on a federal level - especially as states like California are following in the footsteps of the European Union.

Companies and Government entities in the US need to have strong data destruction policies in place, to protect their clients, customers and themselves today and in the coming months.

Secure destruction of documents and hard-drives are familiar to most companies, but RFID secure destruction is largely unknown and presents specific challenges to standard destruction procedures.

  • Erasing an RFID card is often not sufficient
    Most RFID cards have sectors that are read only, one-time-writable, or irreversible: meaning data cannot be revoked electronically.

  • Shredding or cutting is not sufficient
    Shredding or cutting an RFID card will break the antenna, but the chip that stores the data is unaffected. Attaching a new antenna will allow the card's data to be read again.

To date, the only system that can securely disable RFID cards is the NFC Kill.



    Get serious about data security.

    Disable and dispose of confidential RFID information securely.

    The NFC Kill Protects your data, your customers and your clients.

    Buy Now