Data Breach Notification Requirements: A Multi-Jurisdiction Compliance Guide

When and how to report data breaches under GDPR, CCPA, PIPEDA, and other privacy laws. Notification timelines, who to notify, and what to include in your report.

Last updated: 2026-04-22

A Breach Has Happened. Now What?

A personal data breach can happen to any business — a misdirected email, a stolen laptop, a ransomware attack, or a compromised database. When it does, most privacy laws require you to act fast: assess the breach, notify the relevant authorities, and in many cases, tell the affected individuals. The timelines are tight, the requirements are specific, and getting it wrong can turn a manageable incident into a regulatory enforcement action.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

This guide covers breach notification requirements under the GDPR, UK GDPR, CCPA, PIPEDA, US state laws, and the Australian Notifiable Data Breaches scheme. For an in-depth look at the Australian scheme specifically, see our Australian NDB scheme guide.

What Is a Personal Data Breach?

GDPR Article 4(12) defines a personal data breach as:

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

This is broader than most people expect. A data breach is not limited to hackers breaking into your systems. It includes any security incident that affects the confidentiality, integrity, or availability of personal data.

Three Types of Breach

| Type | Description | Examples |
|---|---|---|
| Confidentiality breach | Unauthorised or accidental disclosure of, or access to, personal data | Email sent to the wrong recipient; database accessed by an unauthorised employee; data published online accidentally |
| Integrity breach | Unauthorised or accidental alteration of personal data | Records modified by malware; database corruption that changes personal data; accidental overwriting of records |
| Availability breach | Accidental or unauthorised loss of access to personal data | Ransomware encrypting a database; permanent loss of data without backup; hardware failure destroying records |

A single incident can involve more than one type. A ransomware attack, for example, is typically both a confidentiality breach (the attacker accessed the data) and an availability breach (the data is now encrypted and inaccessible).

It is also important to note that a breach does not need to involve malicious intent. Accidentally emailing a spreadsheet of customer data to the wrong person is a breach. Losing an unencrypted USB drive is a breach. Deleting records you were supposed to retain is a breach.

GDPR Breach Notification Requirements

The GDPR sets the global benchmark for breach notification. It imposes two separate notification obligations: one to the supervisory authority and one to affected individuals.

Notification to the Supervisory Authority (Article 33)

Under GDPR Article 33, you must notify the relevant supervisory authority (the ICO in the UK, the CNIL in France, the DPC in Ireland, etc.) of a personal data breach within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

The 72-hour clock starts when you become "aware" of the breach. The European Data Protection Board (EDPB) has clarified that awareness means the moment you have a reasonable degree of certainty that a security incident has compromised personal data. You cannot claim ignorance by failing to investigate — if you should have known, the clock is running.

Your notification must include:

  1. The nature of the breach — including, where possible, the categories and approximate number of data subjects affected, and the categories and approximate number of personal data records concerned
  2. The name and contact details of the DPO (or other contact point for more information)
  3. A description of the likely consequences of the breach
  4. A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

If you cannot provide all this information within 72 hours, you can provide it in phases — but you must explain the reasons for the delay.

Notification to Individuals (Article 34)

Under GDPR Article 34, you must also notify the affected individuals when the breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than the notification to the supervisory authority (which requires any risk, not just high risk).

The notification to individuals must:

  • Be in clear and plain language
  • Describe the nature of the breach
  • Provide the DPO's contact details
  • Describe the likely consequences
  • Describe the measures taken or proposed to address the breach and mitigate its effects

You do not need to notify individuals if:

  • You have implemented appropriate technical and organisational protection measures (such as encryption) that render the data unintelligible to unauthorised persons
  • You have taken subsequent measures that ensure the high risk is no longer likely to materialise
  • Individual notification would involve disproportionate effort — in which case, you must make a public communication or similar measure instead

UK GDPR: Same Framework, Same Timeline

The UK GDPR mirrors the EU GDPR on breach notification. You must notify the ICO within 72 hours when there is a risk to individuals, and notify affected individuals when there is a high risk. The ICO provides an online breach reporting tool on its website, and it accepts phone notifications for urgent breaches outside office hours.

CCPA Breach Notification

The CCPA's approach to breach notification is different from the GDPR in important ways.

No Proactive Notification to the Attorney General for All Breaches

Unlike the GDPR, the CCPA does not require you to proactively report every breach to the California Attorney General. However, California's separate breach notification law (Cal. Civ. Code § 1798.82) does require notification to the Attorney General when a breach affects more than 500 California residents.

Notification to Affected Individuals

California Civil Code § 1798.82 requires that any business conducting business in California that owns or licenses computerised personal information must disclose a breach of the security of the system to affected California residents. The notification must be made in the "most expedient time possible and without unreasonable delay." There is no fixed hour or day deadline — but regulators expect prompt action.

The notification must include:

  • The name and contact information of the notifying entity
  • The categories of information that were or are reasonably believed to have been compromised
  • The date, estimated date, or date range of the breach (if known)
  • Whether notification was delayed due to a law enforcement investigation
  • A general description of the breach incident
  • The toll-free numbers, addresses, and websites of the major credit reporting agencies (if the breach involves Social Security numbers, driver's licence numbers, or California ID numbers)
  • If the breach involves credentials, advice to change passwords

CCPA Private Right of Action

Separately, CCPA § 1798.150 gives consumers a private right of action for data breaches involving certain categories of unencrypted or non-redacted personal information (such as Social Security numbers, driver's licence numbers, financial account numbers, medical information, or health insurance information). Statutory damages range from $100 to $750 per consumer per incident, or actual damages — whichever is greater. This private right of action has driven significant breach litigation in California.

PIPEDA Breach Notification (Canada)

Since November 1, 2018, PIPEDA's breach notification provisions (Division 1.1 of Part 1) have required organisations to:

1. Report to the OPC

Report any breach of security safeguards involving personal information to the Office of the Privacy Commissioner of Canada (OPC) if the breach creates a real risk of significant harm (RROSH) to any individual. "Significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment or business opportunities, financial loss, identity theft, negative effects on credit record, and damage to or loss of property.

When assessing whether a real risk of significant harm exists, you must consider:

  • The sensitivity of the personal information involved
  • The probability that the information has been, is being, or will be misused

2. Notify Affected Individuals

If a breach poses a real risk of significant harm, you must notify the affected individuals. The notification must include:

  • A description of the circumstances of the breach
  • The day or period on which the breach occurred (or an approximation)
  • A description of the personal information involved
  • A description of what the organisation has done or intends to do to reduce the risk of harm
  • A description of what the individual can do to reduce the risk of harm or mitigate that harm
  • A toll-free number or email address the individual can use for more information
  • Information about the individual's right to file a complaint with the OPC

3. Notify Other Organisations

You must notify any other organisation or government institution that you believe can reduce the risk of harm to the affected individual (for example, a bank if financial information was compromised).

4. Keep Records

PIPEDA requires you to keep a record of every breach of security safeguards involving personal information for at least 24 months — regardless of whether it met the RROSH threshold. The OPC can request access to these records at any time.

US State Breach Notification Laws

All 50 US states, the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have their own breach notification laws. These vary significantly:

| State | Timeline | Notable Features |
|---|---|---|
| California | Most expedient time possible, without unreasonable delay | AG notification for 500+ residents; private right of action under CCPA |
| New York (SHIELD Act) | Most expedient time possible | Expanded definition of private information; broader security requirements |
| Texas | Within 60 days | AG notification required for 250+ residents |
| Florida | Within 30 days to individuals; within 30 days to AG | One of the shortest deadlines in the US |
| Colorado | Within 30 days to individuals; within 30 days to AG | AG notification required for 500+ residents |
| Virginia (VCDPA) | Without unreasonable delay, no later than 60 days | Aligned with the Virginia Consumer Data Protection Act |
| Montana | Most expedient time possible | Notification to AG required regardless of number affected |

The patchwork of state laws means that a single breach affecting customers across multiple states can trigger different notification requirements in each one. Multi-state businesses need to track which laws apply to which affected individuals.

Australian Notifiable Data Breaches (NDB) Scheme

The Australian NDB scheme, in effect since February 22, 2018, requires entities covered by the Australian Privacy Act 1988 to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when a data breach is likely to result in serious harm. For a comprehensive guide to the Australian scheme, see our Australian NDB scheme guide.

Key features:

  • Threshold: "Likely to result in serious harm" — considering the kind of information, sensitivity, whether it is protected by security measures, the persons who have obtained the information, and the nature of the harm
  • Timeline: "As soon as practicable" after the assessment is complete. Organisations have 30 days to complete a reasonable assessment of whether a breach is notifiable.
  • Who to notify: OAIC and affected individuals (or a public statement if individual notification is impracticable)

Multi-Jurisdiction Comparison

| Requirement | GDPR (EU/UK) | CCPA / California | PIPEDA (Canada) | Australian NDB |
|---|---|---|---|---|
| Notify authority | Within 72 hours | AG for 500+ residents affected | When RROSH threshold met | As soon as practicable |
| Notify individuals | When high risk to rights/freedoms | Most expedient time, without unreasonable delay | When RROSH threshold met | When serious harm likely |
| Threshold for notification | Risk (authority) / High risk (individuals) | Security breach of unencrypted PI | Real risk of significant harm | Likely to result in serious harm |
| Record all breaches | Yes (Article 33(5)) | No general requirement | Yes, for 24 months | Yes |
| Maximum penalties for failure | Up to EUR 10M or 2% of global turnover | AG enforcement; private right of action (USD 100–750/consumer) | Up to CAD 100,000 per violation | Up to AUD 50M for serious/repeated interferences |

What to Include in a Breach Notification: Checklist

Whether you are notifying a regulator or affected individuals, your notification should include:

To the Regulator

  • [ ] Your organisation's name and contact details
  • [ ] Name and contact details of the DPO (or relevant contact person)
  • [ ] Date and time you became aware of the breach
  • [ ] Date or date range when the breach occurred (if different from awareness date)
  • [ ] Nature and description of the breach
  • [ ] Categories of personal data affected
  • [ ] Approximate number of individuals affected
  • [ ] Approximate number of personal data records affected
  • [ ] Likely consequences of the breach
  • [ ] Measures taken or proposed to contain the breach
  • [ ] Measures taken or proposed to mitigate harm to individuals
  • [ ] Whether individuals have been notified (and if not, why not and when you plan to)
  • [ ] Any cross-border implications

To Affected Individuals

  • [ ] Clear, plain-language description of what happened
  • [ ] What types of personal data were involved
  • [ ] What you are doing about it
  • [ ] What they can do to protect themselves (change passwords, monitor accounts, freeze credit, etc.)
  • [ ] Contact details for questions (DPO, privacy team, or dedicated breach helpline)
  • [ ] How to file a complaint with the relevant regulator
  • [ ] If applicable: information about credit monitoring or identity theft protection services you are offering

Internal Breach Response Steps

A breach notification is only one part of your response. Here is the full internal process:

1. Contain

Stop the breach from continuing or expanding. This might mean:

  • Revoking access for compromised accounts
  • Isolating affected systems
  • Shutting down a compromised server or application
  • Recovering or remotely wiping lost devices

2. Assess

Determine the scope, severity, and risk:

  • What personal data is affected?
  • How many individuals are affected?
  • What is the likely impact on those individuals?
  • Does the breach meet the notification threshold for each applicable jurisdiction?

3. Notify

Based on your assessment:

  • Notify the relevant regulator(s) within the applicable deadline
  • Notify affected individuals if the risk threshold is met
  • Notify other organisations (banks, law enforcement) if appropriate

4. Document

Even if the breach is not notifiable, record it. GDPR Article 33(5) requires you to document all breaches, including:

  • The facts relating to the breach
  • Its effects
  • The remedial action taken

This record is subject to inspection by supervisory authorities. For detailed guidance on record-keeping, see our DSAR record keeping and audit trails guide.

5. Review

After the immediate response:

  • Conduct a root cause analysis
  • Update your security measures to prevent recurrence
  • Review and update your breach response plan
  • Consider whether staff training is needed
  • Document lessons learned

The Relationship Between Breaches and DSARs

Data breaches and DSARs are closely connected in practice:

Breaches Trigger DSARs

When individuals learn their data has been compromised — either through your notification or through media coverage — they frequently submit DSARs to understand exactly what data was affected. You should anticipate an increase in DSAR volume following a breach notification and have capacity to handle it.

Breach Records Are Subject to DSARs

Your internal breach documentation, investigation records, and remediation plans may contain personal data about the affected individuals. A DSAR from an affected individual could require you to disclose parts of your breach records. However, you can apply exemptions where disclosure would prejudice an ongoing investigation or law enforcement activity. For more on exemptions, see our DSAR exemptions guide.

Previous DSARs Can Reveal Breaches

Sometimes, the process of responding to a DSAR uncovers a previously unknown breach — for example, discovering that personal data was accessible to unauthorised employees. If this happens, you must assess and handle the breach through your breach notification procedure, independent of the DSAR.

Penalties for Failure to Notify

Failure to comply with breach notification requirements can result in significant penalties:

| Jurisdiction | Maximum Penalty |
|---|---|
| GDPR (EU) | Up to EUR 10 million or 2% of annual global turnover (whichever is higher) — for breach notification failures specifically. Other GDPR violations can attract up to EUR 20 million or 4% of turnover. |
| UK GDPR | Same framework as EU GDPR, enforced by the ICO. |
| CCPA / California | Attorney General enforcement actions; private right of action with statutory damages of USD 100–750 per consumer per incident. |
| PIPEDA (Canada) | Up to CAD 100,000 per violation for knowingly failing to report a breach, notify individuals, or maintain breach records. |
| Australia | Up to AUD 50 million, three times the benefit obtained from the contravention, or 30% of domestic turnover (whichever is greatest) for serious or repeated interferences with privacy. |

Beyond financial penalties, failure to notify can result in reputational damage, loss of customer trust, and increased regulatory scrutiny for future incidents. Regulators consistently view cover-ups and delays more severely than the breach itself.

Common Mistakes

  1. Waiting too long to start the clock. The 72-hour GDPR deadline starts when you become aware — not when you have finished your investigation. Begin your notification promptly and provide information in phases if needed.
  2. Failing to document non-notifiable breaches. GDPR requires you to record all breaches, even those that do not meet the notification threshold. Keep a breach register.
  3. Applying a single jurisdiction's rules. If your breach affects individuals in multiple jurisdictions, you must comply with each jurisdiction's notification requirements. A breach affecting EU, UK, and Australian customers triggers three separate sets of obligations.
  4. Inadequate notification content. Vague notifications that say "we take your privacy seriously" without specific, actionable information do not meet legal requirements and damage trust.
  5. Forgetting to notify individuals. Some organisations notify the regulator but fail to assess whether individual notification is also required. Both obligations exist independently.
  6. Not having a breach response plan. When a breach occurs, you do not have time to figure out your obligations from scratch. Have a plan in place before you need it.

References

  • GDPR: Article 4(12) — definition of personal data breach; Article 33 — notification to supervisory authority; Article 34 — notification to data subjects; Article 33(5) — documentation of breaches. GDPR Article 33 | GDPR Article 34
  • CCPA: Cal. Civ. Code § 1798.150 — private right of action for breaches; Cal. Civ. Code § 1798.82 — breach notification requirements. CCPA text
  • PIPEDA: Division 1.1 of Part 1 — breach of security safeguards. PIPEDA text | OPC breach guidance
  • Australian Privacy Act 1988: Part IIIC — Notification of eligible data breaches. OAIC breach guidance
  • EDPB Guidelines 01/2021 on examples regarding personal data breach notification, adopted 14 December 2021.

Last reviewed: April 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.