Data Breach Notification

The legal requirement to report data breaches to supervisory authorities and affected individuals within specified timeframes.

Data breach notification is the obligation for organizations to inform relevant authorities and affected individuals when a personal data breach occurs. Under the GDPR, controllers must notify the supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms (Article 33). If the breach is likely to result in high risk, the controller must also inform affected individuals without undue delay (Article 34). The notification must describe the nature of the breach, approximate number of individuals and records affected, likely consequences, and measures taken or proposed to address the breach.

Other regulations have varying notification requirements. The CCPA requires notification to affected California residents if their unencrypted personal information is compromised. PIPEDA requires notification to the Privacy Commissioner of Canada and affected individuals for breaches creating a real risk of significant harm. Brazil’s LGPD requires notification to the ANPD and data subjects for breaches that may create risk or harm. Organizations operating across multiple jurisdictions must track and comply with the most stringent applicable notification requirements.

Applies To

GDPR, CCPA, PIPEDA, LGPD, POPIA

How Pryvii Helps

Pryvii's monitoring features help you maintain awareness of your website’s data collection practices and third-party integrations, supporting your incident response preparedness by keeping an accurate inventory of what data is being processed.
