Companies Can Still Craft Data Breach Plans for GDPR

The EU’s major data privacy overhaul has legal departments making last-minute tweaks

The grace period is winding down on a massive data security regulation that is front-of-mind for many U.S. in-house counsel.

The European Union’s General Data Protection Regulation, or GDPR, is a broad slate of requirements on how entities must handle EU citizens’ personal data, including breach notification requirements, data protection standards and user consent. The GDPR will become enforceable May 25, ending a two-year compliance period for data-handling organizations to get up to speed.

Even at this late stage, there’s still much that companies can accomplish in complying with the GDPR, including developing plans on how they will respond in case of a data breach involving EU citizens’ personal information.

U.S. companies that do business in Europe, or process data for companies that do, are likely subject to the GDPR and its range of regulations. The cost of noncompliance can be staggering. “Upper-level” GDPR infringements carry a maximum penalty of EUR 20 million ($23.6 million) or 4 percent of the company’s global revenue from the previous year, whichever is higher.

To read this story and other complete articles featured in the April 16, 2017 print edition of Law Week Colorado, copies are available for purchase online.