General Data Protection Regulation (GDPR) —
A regulation pertaining to data privacy that was passed by the European
Union and that went into effect in May 2018. GDPR is aimed at improving
security and enforcing notification requirements for all companies processing
personal data for persons residing in the European Union, regardless of the
company's location. GDPR states that businesses can be fined "up to 4%
of annual global turnover or €20 million (whichever is greater)" for the
most serious violations.
The GDPR makes notification of data breaches mandatory within 72 hours of a
business becoming aware of the breach, when the breach is likely to result in
a substantial risk to affected individuals.
Any business operating in Europe or that has European users or
customers—regardless of where the company itself is headquartered—must
abide by GDPR. Since US companies in the Standard & Poor's 500 generate
roughly one-seventh of their revenue in Europe, GDPR remains significant even
in the United States.