Compliance

Breach Notification

The legal obligation to inform authorities and affected individuals when a personal data breach occurs.

Breach notification is the legal requirement to inform relevant authorities and, in some cases, affected individuals, when a data breach involving personal data occurs.

GDPR Requirements

  • Supervisory authority: notify within 72 hours of becoming aware of the breach (unless unlikely to result in a risk to individuals)
  • Data subjects: notify "without undue delay" if the breach is likely to result in a high risk to rights and freedoms
  • Content: must describe the nature of the breach, likely consequences, measures taken or proposed, and contact details of the DPO

CCPA/CPRA Requirements

Under CCPA, businesses must notify affected California residents if their unencrypted personal information is subject to a breach.

GDPR Articles 33–34.

Related Terms

Data BreachPrivacy

A security incident that leads to the unauthorized access, disclosure, or loss of personal data.

DPOPrivacy

Data Protection Officer — an independent expert responsible for monitoring an organisation's data protection compliance.

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

CCPALegal

The California Consumer Privacy Act — a US state law giving California residents control over their personal information.

Supervisory AuthorityLegal

An independent public authority responsible for monitoring the application of data protection law in its jurisdiction.

Binding Corporate Rules