GDPR Makes The EU’s Regulatory Reach Global

The European General Data Protection Regulation expands the scope of the EU’s data privacy regulatory framework to cover companies that maintain personal data of employees or others residing in the EU, regardless of the company’s location, and penalties can be severe. Whether in Europe, the United States or most other jurisdictions, any breach of the GDPR’s provisions concerning the requirement to give notice of a data breach could trigger an administrative penalty of up to four percent of the company’s annual global revenues or €20 million, whichever is greater, and the company may also be exposed to civil claims. This Today’s General Counsel article discusses how the GDPR may apply in a number of international jurisdictions, and with that in mind suggests five steps a company – in particular a multinational company doing business in Europe or a conducting business involving individuals based in Europe – should take in the event of a data breach.