
Breach Notification

GDPR · HIPAA · CCPA

Legal duty to notify regulators and affected individuals after a security incident affecting personal data.

Breach Notification is the legal duty to notify regulators and affected individuals after a qualifying security incident. GDPR Art. 33 requires notification to the supervisory authority (DPA) within 72 hours of becoming aware of the breach; the HIPAA Breach Notification Rule (§164.408) requires individual notification within 60 days and HHS notification (for breaches affecting ≥500 individuals) ‘without unreasonable delay’.

Why it matters
Missing the 72-hour GDPR window is itself a separate violation fineable under Art. 83, independent of the underlying breach. US state breach-notification laws enforced by state attorneys general (e.g. California Civ. Code §1798.82) layer on additional, often stricter, timelines.

Related terms

Incident Response (IR)
Documented, tested process for detecting, containing, eradicating, and recovering from security incidents.
HIPAA
US law protecting PHI; Privacy, Security, and Breach Notification Rules apply to covered entities and business associates.
GDPR
EU regulation governing processing of personal data of EU/EEA data subjects; fines up to €20M or 4% of global turnover.
