Guiding a multinational through a data breach

We were engaged by a multinational to provide legal assistance in a cross-border data breach.

When a data breach occurs, controllers and processors have to act quickly and decisively to mitigate its impact and risks. If they don’t, potential consequences include legal threats from Data Protection Authorities (DPAs) in the form of enforcement and fines, as well as mass claims from data subjects. Just as significantly, there might be serious reputational damage.

In this case our client faced a considerable personal data breach involving sensitive consumer personal data. We were engaged to assist with investigating the cause, scope and impact of the breach and creating a legal and practical strategy with the client.

To establish the cause, scope and impact of the data breach we collaborated with stakeholders including IT and cybersecurity experts, as well as cross-border offices and counsels. As our investigation progressed, the sheer size, complexity and impact of the breach became clearer. With every piece of new information that emerged we had to adjust our strategy and the legal and risk analysis to ensure both remained accurate. When it became necessary, we assisted the client with updating the notification to the DPAs.

The breach affected a large number of data subjects in various jurisdictions. As the client’s headquarters are located in The Netherlands, we took on the leading role in the notification process, and where necessary, we aligned with cross-border offices to help them with notifying their local DPA.

In addition, we assisted our client with making the decision to inform the data subjects and reviewing the notices they were sent. This is necessary when there is a high risk to an individual’s fundamental rights and freedoms (including, but not limited to, the right to privacy and data protection). Our clear and concise assessment of the breach helped internal stakeholders to make an informed decision on this situation in a timely manner.

The client appreciated our abilities to understand a complex technical data breach, provide clear and concise legal and risk analyses, and work fast and effectively within an extremely condensed timeframe.

Please do not hesitate to contact us if you have any questions.

Private sector

Team Members