Global Data Breach Notification Requirements Compared
A comparison of data breach notification requirements across major jurisdictions including the EU, US, UK, Canada, Australia, and Brazil.
Why Breach Notification Timelines Matter
When a data breach occurs, the clock starts immediately. Different jurisdictions impose different notification deadlines, recipient requirements, and content standards. Organizations operating across borders must understand these variations to respond quickly and avoid compounding a security incident with regulatory penalties.
This guide compares breach notification requirements across six major jurisdictions to help you build a response framework that satisfies all applicable laws.
Notification Requirements by Jurisdiction
European Union (GDPR)
| Requirement | Details |
|---|---|
| Notification to authority | Within 72 hours of becoming aware of the breach |
| Notification to individuals | Without undue delay when high risk to rights and freedoms |
| Authority to notify | Lead supervisory authority (based on main establishment) |
| Content required | Nature of breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed |
| Exceptions | No notification to authority if breach is unlikely to result in a risk. No notification to individuals if technical measures render data unintelligible, or if subsequent measures eliminate the high risk |
The 72-hour clock begins when the controller becomes "aware" of the breach: the point at which the controller has a reasonable degree of certainty that a security incident has occurred and has compromised personal data.
United States
The US has no single federal breach notification law. Instead, all 50 states plus territories have individual breach notification statutes.
Key variations across states:
- Notification timeline: Ranges from 30 days (Colorado, Florida) to 60 days (most states with specific deadlines) to "most expedient time possible" (California, New York)
- Definition of personal information: Varies by state but generally includes name combined with SSN, driver's license number, or financial account information
- Attorney General notification: Required in most states, with varying thresholds (often 250 to 1,000 affected residents)
- Sector-specific rules: HIPAA (healthcare) requires notification within 60 days; federal banking regulators require notification within 36 hours for certain incidents
United Kingdom
| Requirement | Details |
|---|---|
| Notification to ICO | Within 72 hours of becoming aware (mirrors GDPR) |
| Notification to individuals | Without undue delay when high risk |
| Content required | Similar to GDPR requirements |
| Reporting method | Through the ICO's online breach reporting tool |
Post-Brexit, the UK GDPR maintains breach notification requirements that closely mirror the EU GDPR.
Canada (PIPEDA and Provincial Laws)
| Requirement | Details |
|---|---|
| Notification to Privacy Commissioner | As soon as feasible after determining a breach of security safeguards has occurred |
| Notification to individuals | As soon as feasible if the breach creates a real risk of significant harm |
| Notification timeline | No specific hour deadline, but "as soon as feasible" |
| Record keeping | Must maintain records of all breaches for 24 months |
Quebec's Law 25 imposes additional requirements, including notification to the Commission d'accès à l'information and potentially stricter timelines.
Australia (Notifiable Data Breaches Scheme)
| Requirement | Details |
|---|---|
| Notification to OAIC | As soon as practicable after becoming aware of an eligible data breach |
| Notification to individuals | As soon as practicable |
| Assessment period | 30 days to assess whether a suspected breach qualifies as eligible |
| Content required | Description of the breach, types of information involved, recommended steps for individuals |
An "eligible data breach" is one likely to result in serious harm to affected individuals.
Brazil (LGPD)
| Requirement | Details |
|---|---|
| Notification to ANPD | Within a reasonable timeframe (ANPD has recommended 2 business days, though not formally codified in all situations) |
| Notification to individuals | When the breach may cause relevant risk or harm |
| Content required | Nature of affected data, information about data subjects, security measures, risks, and remediation measures |
Building a Multi-Jurisdiction Notification Framework
Step 1: Establish a Breach Detection and Assessment Process
- Deploy monitoring and alerting systems across all data repositories
- Define what constitutes "awareness" of a breach for your organization
- Create triage criteria to quickly assess severity, scope, and applicable jurisdictions
Step 2: Map Data Subjects to Jurisdictions
Before a breach happens, know where your data subjects are located. Your data mapping exercise (see our guide on GDPR data mapping) should already tell you:
- Which regions' personal data is stored in which systems
- Which jurisdictions' notification laws apply to each data set
- Who the relevant supervisory authorities are
Step 3: Prepare Notification Templates
Draft templates in advance for:
- Supervisory authority notifications (customized per jurisdiction)
- Individual notifications (in relevant languages)
- Attorney General or sector regulator notifications (for US operations)
- Press releases (for large-scale breaches)
Step 4: Default to the Strictest Timeline
When a breach affects data subjects in multiple jurisdictions, default to the strictest applicable timeline. In practice, this usually means:
- Begin supervisory authority notification within 72 hours (GDPR/UK standard)
- Begin individual notification as soon as you have enough information to provide meaningful guidance
- File state-level notifications according to each state's specific requirements
Step 5: Document Everything
Regardless of jurisdiction, maintain detailed records of:
- When the breach was detected and by whom
- The timeline of the investigation and assessment
- Decisions made about notification (including decisions not to notify, with reasoning)
- Content of all notifications sent
- Remediation measures implemented
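The five steps above amount to a small procedure: map each affected jurisdiction to its clock, take the strictest one, and keep a timestamped record of every decision. The following Python is an added example that is not part of the original guide; it transcribes the deadlines stated on this page into a rule table and computes an authority-notification schedule from the moment of awareness. The jurisdiction codes (`EU`, `US-CO`, `BR`, ...), the `Rule` fields, and the weekday-only business-day calculation (no public holidays) are assumptions of the example, not legal definitions.

```python
"""Multi-jurisdiction breach notification scheduler (added example, not from the guide)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One jurisdiction's authority-notification clock, transcribed from the guide."""
    jurisdiction: str
    authority: str
    hours: Optional[int] = None            # fixed clock in hours (GDPR/UK: 72)
    calendar_days: Optional[int] = None    # fixed clock in calendar days (Colorado/Florida: 30)
    business_days: Optional[int] = None    # ANPD recommendation for Brazil: 2 business days
    assessment_days: Optional[int] = None  # Australia: 30 days to assess eligibility
    note: str = ""


# Constructed rule table; the short codes are an assumption of this example.
RULES = {
    "EU":    Rule("EU (GDPR)", "Lead supervisory authority", hours=72),
    "UK":    Rule("UK", "ICO", hours=72),
    "US-CO": Rule("US (Colorado)", "State Attorney General", calendar_days=30),
    "US-FL": Rule("US (Florida)", "State Attorney General", calendar_days=30),
    "CA":    Rule("Canada", "Privacy Commissioner", note="as soon as feasible; keep records 24 months"),
    "AU":    Rule("Australia", "OAIC", assessment_days=30, note="as soon as practicable"),
    "BR":    Rule("Brazil", "ANPD", business_days=2, note="ANPD recommendation, not codified"),
}

# Constructed scenario: the controller becomes aware on Friday 2024-03-01 10:00 UTC.
EXAMPLE_AWARE_AT = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n weekday (Mon-Fri) days. Public holidays are not modelled (assumption)."""
    current, counted = start, 0
    while counted < n:
        current += timedelta(days=1)
        if current.weekday() < 5:
            counted += 1
    return current


def authority_deadline(rule: Rule, aware_at: datetime) -> Optional[datetime]:
    """Absolute deadline for notifying the authority, or None when the law sets no fixed clock."""
    if rule.hours is not None:
        return aware_at + timedelta(hours=rule.hours)
    if rule.calendar_days is not None:
        return aware_at + timedelta(days=rule.calendar_days)
    if rule.business_days is not None:
        return add_business_days(aware_at, rule.business_days)
    return None


@dataclass
class ScheduleEntry:
    jurisdiction: str
    authority: str
    deadline: Optional[datetime]       # None = "as soon as feasible/practicable"
    assessment_by: Optional[datetime]  # end of a statutory assessment window, if any
    note: str


def notification_schedule(aware_at: datetime, codes: list[str]) -> list[ScheduleEntry]:
    """Build the per-jurisdiction schedule, strictest first. Undated obligations sort
    first because "as soon as feasible" carries no grace period at all."""
    entries = []
    for code in codes:
        rule = RULES[code]
        assess = aware_at + timedelta(days=rule.assessment_days) if rule.assessment_days else None
        entries.append(ScheduleEntry(rule.jurisdiction, rule.authority,
                                     authority_deadline(rule, aware_at), assess, rule.note))
    return sorted(entries, key=lambda e: (e.deadline is not None, e.deadline or aware_at))


def strictest_deadline(aware_at: datetime, codes: list[str]) -> Optional[datetime]:
    """Step 4: the earliest fixed deadline across all affected jurisdictions."""
    fixed = [e.deadline for e in notification_schedule(aware_at, codes) if e.deadline]
    return min(fixed) if fixed else None


@dataclass
class BreachLog:
    """Step 5: append-only, timestamped record of detection, decisions and notifications."""
    entries: list = field(default_factory=list)

    def record(self, actor: str, event: str, when: Optional[datetime] = None) -> dict:
        entry = {"at": (when or datetime.now(timezone.utc)).isoformat(),
                 "actor": actor, "event": event}
        self.entries.append(entry)
        return entry


if __name__ == "__main__":
    affected = ["EU", "US-CO", "CA", "AU", "BR"]
    log = BreachLog()
    log.record("soc-analyst", "Breach confirmed; awareness clock started", EXAMPLE_AWARE_AT)
    for e in notification_schedule(EXAMPLE_AWARE_AT, affected):
        when = e.deadline.isoformat() if e.deadline else "begin immediately"
        print(f"{e.jurisdiction:<15} {e.authority:<28} {when:<26} {e.note}")
    print("Strictest fixed deadline:", strictest_deadline(EXAMPLE_AWARE_AT, affected))
```

Run as a script, the schedule lists Canada and Australia first (no fixed clock), then the EU 72-hour deadline, Brazil's two business days (which span the weekend in this scenario), and Colorado's 30 days. Keeping the rule table separate from the scheduling logic means counsel can review and amend the clocks without touching the code, and the `BreachLog` entries give the dated evidence regulators ask for when they question whether the 72-hour window was met.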
Quick Reference: Notification Deadlines
| Jurisdiction | Authority Notification | Individual Notification |
|---|---|---|
| EU (GDPR) | 72 hours | Without undue delay (high risk) |
| UK | 72 hours | Without undue delay (high risk) |
| US (varies) | 30-60 days (most states) | 30-60 days (most states) |
| Canada | As soon as feasible | As soon as feasible (significant harm) |
| Australia | As soon as practicable | As soon as practicable (serious harm) |
| Brazil | Reasonable timeframe (approx. 2 business days recommended) | When relevant risk exists |
Reducing Breach Notification Complexity
The complexity of breach notification rises with the number of jurisdictions involved. If personal data from EU residents is stored on servers in four different countries, a single breach may trigger notification obligations in all of those jurisdictions simultaneously.
One effective strategy is to reduce the geographic spread of data storage. Platforms like GlobalDataShield enforce data residency at the infrastructure level, ensuring that personal data stays within defined geographic boundaries. When a breach occurs, this containment simplifies the jurisdictional analysis and reduces the number of parallel notification processes your team must manage.