GDPR is aimed at improving security and enforcing notification requirements for all companies processing personal data for persons residing in the European Union, regardless of the company's location. GDPR states that businesses can be fined "up to 4% of annual global turnover or €20 million (whichever is greater)" for the most serious violations. The GDPR makes notification of data breaches mandatory within 72 hours of a business becoming aware of the breach and when it is likely to result in a substantial risk to affected individuals. Any business operating in Europe or that has European users or customers—regardless of where the company itself is headquartered—must abide by GDPR. Since S&P's 500 US companies generate roughly one-seventh of their revenue in Europe, GDPR remains significant even in the United States.