Reference · 17 Jurisdictions
Global Breach Notification Matrix
A side-by-side reference for security and privacy leaders managing multi-jurisdiction incidents. Includes regulator clocks, individual-notification expectations, and the triggers that start them.
Reference only — confirm specifics with counsel before relying on any clock. Regulations evolve.
| Jurisdiction | Regulator | Regulator clock | Individual clock | Trigger |
|---|---|---|---|---|
| European Union (GDPR) | Lead supervisory authority | ≤ 72 hours after becoming aware | Without undue delay if high risk | Personal data breach (confidentiality, integrity, or availability). |
| United Kingdom (UK GDPR / DPA 2018) | Information Commissioner's Office (ICO) | ≤ 72 hours after awareness | Without undue delay if high risk | Personal data breach as defined under UK GDPR. |
| European Union (NIS2 — essential/important entities) | National CSIRT / competent authority | Early warning ≤ 24h · update ≤ 72h · report ≤ 1 month | Inform recipients of services if appropriate | Significant incident affecting service provision. |
| European Union (DORA — financial entities) | Competent financial authority | Initial, intermediate, and final reports per RTS | Inform clients when materially affected | Major ICT-related incident under DORA classification. |
| United States — HIPAA (PHI) | HHS Office for Civil Rights | ≤ 60 days (≥ 500 individuals) · annually for < 500 | ≤ 60 days from discovery | Breach of unsecured Protected Health Information. |
| United States — State laws (CCPA/CPRA and 49 others) | State attorneys general (varies) | Many require AG notice (often ≤ 30–60 days) | Without unreasonable delay; many ≤ 30–60 days | Acquisition of unencrypted personal information. |
| United States — SEC (public companies) | U.S. Securities and Exchange Commission | Form 8-K Item 1.05: ≤ 4 business days of materiality determination | Public disclosure | Material cybersecurity incident. |
| Canada (PIPEDA) | Office of the Privacy Commissioner | As soon as feasible after determining real risk of significant harm | As soon as feasible | Breach of security safeguards with real risk of significant harm. |
| Brazil (LGPD) | Autoridade Nacional de Proteção de Dados (ANPD) | Within a reasonable period (ANPD guidance: ≤ 3 business days) | Within a reasonable period | Incident that may cause relevant risk or damage to data subjects. |
| Australia (Privacy Act — NDB scheme) | Office of the Australian Information Commissioner (OAIC) | As soon as practicable after assessment (assessment ≤ 30 days) | As soon as practicable | Eligible data breach likely to result in serious harm. |
| Singapore (PDPA) | Personal Data Protection Commission (PDPC) | ≤ 72 hours after assessing as notifiable | On or after notification to PDPC, where significant harm is likely | Significant scale (≥ 500 individuals) or significant harm. |
| Japan (APPI) | Personal Information Protection Commission (PPC) | Preliminary ≤ ~3–5 days · final ≤ 30 / 60 days | Promptly to affected individuals | Leak/loss of sensitive data, > 1,000 individuals, or unlawful purpose. |
| South Africa (POPIA) | Information Regulator | As soon as reasonably possible after discovery | As soon as reasonably possible | Reasonable grounds to believe personal information was accessed/acquired by an unauthorized person. |
| Nigeria (NDPR / NDPA) | Nigeria Data Protection Commission (NDPC) | ≤ 72 hours after becoming aware (or as soon as reasonably practicable) | Without undue delay where high risk to rights and freedoms | Personal data breach likely to result in high risk to the rights and freedoms of data subjects. |
| Kenya (Data Protection Act 2019) | Office of the Data Protection Commissioner (ODPC) | ≤ 72 hours after becoming aware (or as soon as reasonably practicable) | Without undue delay where high risk to rights and freedoms | Personal data breach likely to result in high risk to the rights and freedoms of data subjects. |
| Ghana (Data Protection Act 2012) | Data Protection Commission (DPC Ghana) | As soon as reasonably practicable after discovery | As soon as reasonably practicable where harm is likely | Unauthorized access, acquisition, or disclosure of personal data. |
| UAE (PDPL) | UAE Data Office | Without undue delay per executive regulations | When breach may cause direct prejudice to rights/privacy | Personal data breach affecting privacy, confidentiality, or security. |