EU-Regulated Companies Faced With Personal Data Breach – Reconciling Obligations Under GDPR & MAR

April 24, 2018

Personal data breaches at EU-regulated issuers can lead to an interesting interplay between the disclosure obligations under the General Data Protection Regulation (GDPR) and the Market Abuse Regulation (MAR).

There is no insurmountable conflict between the two regulations. Even so, complying with both can be challenging in the often tense circumstances and short time span between the internal discovery of a mass data breach and its disclosure to the public, and it will require proper coordination among all actors involved within the company’s organizational structure.