Could parent entities – typically shielded from liability for the actions of their subsidiaries – find themselves increasingly liable under the GDPR? In the E.U., competition law leverages the concept of an “undertaking” to significantly lower the threshold for holding parents liable, and it appears the GDPR may do this as well if the competent Data Protection Authorities pursue the same tack with GDPR violations by parent companies as the European Commission has with competition law violations. This first article in a three-part series describes this increased risk, as well as certain ramifications parent entities could face, such as reputational risk, fines and civil damages. The second article will explain the rebuttable presumption that a parent sponsor exerts decisive influence over the commercial policy of its subsidiary, along with common misconceptions shared by parent entities and others about ways to mitigate this risk. The final article will prescribe measures parent entities can adopt before and after acquiring a portfolio company to mitigate the risk of E.U. parental liability. See “How Private Equity Firms Can Mitigate Portfolio Company Cybersecurity Risk” (Mar. 26, 2019).