
Personal data breach notification process

breach-notification-process · Domain: data-privacy · Type: process

Description

A breach-notification process is the operational system that runs after the security team identifies a personal-data incident, against a regulatory clock that started the moment the incident was detected (or reasonably should have been). That the clock runs before the assessment finishes is the structurally distinctive feature of this control: the assessment workflow operates under uncertainty rather than waiting for clean answers, and the trade-off between filing precautionarily into the FIU or supervisory-authority queue and filing late once the picture clarifies is the single most-litigated decision in the post-incident timeline.

A working breach-notification process decomposes into six layers:

  • Detection signals (SIEM alerts, anomaly-detection outputs, vendor-side incident notifications, customer reports, leaked-credential monitoring) feed an intake queue with clear ownership.
  • An assessment workflow decides whether the incident meets the regulatory threshold for notification. Most modern privacy laws use a risk-of-harm test rather than a presence-of-data-loss test, and the resulting judgment call (severity, likelihood, scope of the affected population, identifiability of the data, and mitigating factors such as encryption at rest that may shift the analysis) is documented contemporaneously, regardless of whether the final answer is to notify.
  • Containment and remediation run in parallel rather than waiting for the assessment to complete.
  • Supervisory-authority notification flows through the FIU or DPA the jurisdiction requires.
  • Data-subject notification follows when the threshold is met.
  • An audit log documents every step for the inevitable post-incident review.

The operational pressure is that under-notification draws regulatory penalties while over-notification draws customer-trust costs and risks regulator fatigue; the assessment workflow is where the documented reasoning has to be strong enough to survive scrutiny in either direction.
The statutory timeline anchors vary materially by jurisdiction, and the operator typically maps its internal deadline to the strictest applicable regime. GDPR Article 33 requires DPA notification within 72 hours of awareness, with Article 34 requiring affected-individual notification when the breach is likely to result in high risk to their rights and freedoms. LGPD Article 48 requires ANPD notification of incidents that may cause relevant risk or damage, without a hard hours count but with regulatory guidance toward a reasonable-promptness floor. PIPL Article 57 requires immediate notification to authorities and affected individuals. CCPA layers AG breach-disclosure obligations on California Civil Code §1798.82. The Australian Privacy Act 1988 notifiable-data-breach scheme, Singapore PDPA, Thailand PDPA, Vietnam PDPD, UAE Data Protection Law, KVKK, Saudi PDPL, South Africa POPIA, PIPEDA in Canada, Japan APPI Article 26, China CSL, India DPDPA, and the US state laws (including Tennessee IPA) each impose parallel notification regimes with their own thresholds, windows, and notification recipients. Evidence formats that satisfy a regulator inquiry include the incident-response plan, the breach register, the notification templates that were dispatched, and the tabletop-exercise records that show the program was rehearsed before any real incident landed.
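As an added illustration (this is not Magist's code, nor any vendor's), the following Python models a breach-register entry the way the description lays it out: the clock starts at awareness, the assessment is logged contemporaneously in an append-only record, and the operator works to the strictest applicable deadline. The 72-hour GDPR window is the only hard number taken from the page; treating PIPL's "immediate" as due at the moment of awareness, the LGPD "reasonable promptness" category with no hard deadline, the `REGIMES` table, and the five assessment-factor names are assumptions made for the example.

```python
"""Breach register entry with a regulatory clock that starts at awareness."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class ClockKind(Enum):
    """How a regime expresses its authority-notification window."""
    FIXED_HOURS = "fixed_hours"                      # hard hours count from awareness
    IMMEDIATE = "immediate"                          # no grace period stated
    REASONABLE_PROMPTNESS = "reasonable_promptness"  # guidance only, no hard floor


@dataclass(frozen=True)
class Regime:
    name: str
    clock: ClockKind
    hours: Optional[int] = None  # only meaningful for FIXED_HOURS


# Constructed table (assumption). The 72-hour GDPR figure is the only hard
# number from the page; PIPL and LGPD are modelled as categories, not hours.
REGIMES: dict[str, Regime] = {
    "GDPR": Regime("GDPR Art. 33 (DPA)", ClockKind.FIXED_HOURS, 72),
    "PIPL": Regime("PIPL Art. 57", ClockKind.IMMEDIATE),
    "LGPD": Regime("LGPD Art. 48 (ANPD)", ClockKind.REASONABLE_PROMPTNESS),
}

# Risk-of-harm factors the assessment must document (factor names are assumed).
ASSESSMENT_FACTORS = ("severity", "likelihood", "scope", "identifiability", "mitigations")


@dataclass(frozen=True)
class AssessmentEntry:
    at: datetime
    factor: str
    finding: str


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: datetime       # when detected, or reasonably should have been
    applicable: list[str]    # keys into REGIMES
    assessment: list[AssessmentEntry] = field(default_factory=list)
    notified_authority_at: Optional[datetime] = None

    def hard_deadlines(self) -> dict[str, datetime]:
        """Authority deadlines for regimes that state one. Assumption: an
        'immediate' regime is treated as due at the moment of awareness."""
        out: dict[str, datetime] = {}
        for key in self.applicable:
            regime = REGIMES[key]
            if regime.clock is ClockKind.FIXED_HOURS:
                out[key] = self.aware_at + timedelta(hours=regime.hours)
            elif regime.clock is ClockKind.IMMEDIATE:
                out[key] = self.aware_at
        return out

    def strictest_deadline(self) -> Optional[datetime]:
        """The single deadline the operator actually works to."""
        deadlines = self.hard_deadlines()
        return min(deadlines.values()) if deadlines else None

    def record_assessment(self, at: datetime, factor: str, finding: str) -> None:
        """Append-only, chronological log: entries cannot be backdated."""
        if factor not in ASSESSMENT_FACTORS:
            raise ValueError(f"unknown assessment factor: {factor}")
        if self.assessment and at < self.assessment[-1].at:
            raise ValueError("assessment entries must be recorded in order")
        self.assessment.append(AssessmentEntry(at, factor, finding))

    def undocumented_factors(self) -> set[str]:
        """Factors still missing from the contemporaneous record."""
        return set(ASSESSMENT_FACTORS) - {e.factor for e in self.assessment}

    def status(self, now: datetime) -> str:
        """Where the authority-notification clock stands at `now`."""
        deadline = self.strictest_deadline()
        if self.notified_authority_at is not None:
            if deadline is None or self.notified_authority_at <= deadline:
                return "notified_on_time"
            return "notified_late"
        if deadline is None:
            return "no_hard_deadline"
        return "open" if now <= deadline else "overdue"


def demo() -> dict[str, object]:
    """Constructed scenario; returns plain values for easy checking."""
    aware = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    rec = BreachRecord("INC-0001", aware, ["GDPR", "LGPD"])
    rec.record_assessment(aware + timedelta(hours=2), "scope", "~1,200 customer accounts")
    rec.record_assessment(aware + timedelta(hours=3), "mitigations", "encrypted at rest; key not exposed")
    result: dict[str, object] = {
        "deadline": rec.strictest_deadline().isoformat(),
        "status_at_10h": rec.status(aware + timedelta(hours=10)),
        "status_at_80h": rec.status(aware + timedelta(hours=80)),
        "undocumented": sorted(rec.undocumented_factors()),
    }
    rec.notified_authority_at = aware + timedelta(hours=70)  # filed before the clock ran out
    result["status_after_filing"] = rec.status(aware + timedelta(hours=80))
    result["pipl_deadline"] = BreachRecord("INC-0002", aware, ["PIPL", "GDPR"]).strictest_deadline().isoformat()
    result["lgpd_only"] = BreachRecord("INC-0003", aware, ["LGPD"]).status(aware)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is that `status()` can report "open" or "overdue" while `undocumented_factors()` is still non-empty: the clock is indifferent to whether the assessment has finished, which is exactly why the assessment log has to be built while the incident is still unclear.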

Required by (21 regulations)

  • APPI

    Act on the Protection of Personal Information (Act No. 57 of 2003, as amended by Act No. 44 of 2020, effective April 1, 2022)

  • CCPA/CPRA

    AG breach disclosure obligations (separately under California Civil Code §1798.82).

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102


  • CSL

    Cybersecurity Law of the People's Republic of China (adopted November 7, 2016, effective June 1, 2017)

  • DPDPA

    Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

  • GDPR

    Article 33 — DPA notification within 72 hours of awareness; Article 34 — affected individual notification when high risk.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 48 — ANPD notification of incidents that may cause relevant risk or damage.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • PIPEDA

    S.C. 2000, c. 5 (Personal Information Protection and Electronic Documents Act)

  • PIPL

    Article 57 — immediate notification to authorities and individuals.

    Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)

  • Privacy Act

    Privacy Act 1988 (Cth), No. 119 of 1988

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • Singapore PDPA
  • POPIA
  • Tennessee IPA
  • Thailand PDPA
  • KVKK
  • UAE Data Protection Law
  • Vietnam PDPD
  • EU CRA

    Backs the CRA Article 14 notification obligation to ENISA and the relevant CSIRT for actively exploited vulnerabilities and severe incidents.

    Regulation (EU) 2024/2847 (Cyber Resilience Act)


  • Chile Law 19.628

    Chile's data-protection regime requires notification of security incidents affecting personal data.

    Ley N° 19.628 sobre Protección de la Vida Privada (1999); to be substantially superseded by Ley N° 21.719 (2024) effective 2026-12-01


  • China CIIPA

    China CIIPA requires reporting of security incidents affecting critical information infrastructure.

    Regulations on the Security Protection of Critical Information Infrastructure (State Council Order No. 745); implementing Cybersecurity Law Articles 31-39


  • UK GDPR

    UK GDPR Articles 33-34 require breach notification to the ICO and, where high risk, to affected data subjects.

Fulfilled by (2)

  • onetrust · partial · medium effort · $$
  • In-house build · medium effort

Magist does not accept payment from vendors.

Evidence formats

  • incident response plan
  • breach register
  • notification templates
  • tabletop exercise records

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.


© 2026 Magist