Global · Last reviewed April 2026

Data breach notification requirements: all jurisdictions (2026)

Deadlines, thresholds, and statutory citations for GDPR, UK GDPR, CCPA, PIPEDA, Australia NDB, India DPDP, UAE PDPL, LGPD, and Quebec Law 25.

PrivacyLawApplies.com Editorial Team
CAMS · AIGP (IAPP) · Reviewed April 2026
Key point: the 72-hour rule applies in multiple jurisdictions

GDPR, UK GDPR, India DPDP, UAE PDPL, and Quebec Law 25 all require regulator notification within 72 hours of becoming aware of a qualifying breach. The 72-hour clock starts when you have a reasonable degree of certainty that a breach has occurred — not when the breach first happened.

What is a data breach notification obligation?

A data breach notification obligation is a legal requirement to inform regulators and/or affected individuals when personal data has been accessed, disclosed, altered, lost, or destroyed without authorisation. Nearly every major privacy law now includes one, though the specific deadlines, thresholds, and recipients vary significantly between jurisdictions.

For businesses operating across multiple markets, the practical challenge is understanding which obligation triggers first and what level of harm is required before the notification clock starts. A breach affecting EU users, UK users, Canadian users, and Australian users simultaneously could trigger four separate notification regimes — each with different deadlines, thresholds, and regulators.

This guide sets out the breach notification requirements under all major privacy laws, with statutory citations, in a single reference. It covers who to notify, when, and under what circumstances.

Breach notification deadline comparison table

Law: GDPR
Jurisdiction: EU/EEA
Regulator deadline: 72 hours
Individual deadline: Without undue delay (when high risk)
Threshold: Any breach likely to result in risk to individuals
Citation: Art. 33–34 GDPR

Law: UK GDPR
Jurisdiction: United Kingdom
Regulator deadline: 72 hours
Individual deadline: Without undue delay (when high risk)
Threshold: Any breach likely to result in risk to individuals
Citation: Art. 33–34 UK GDPR

Law: CCPA
Jurisdiction: California
Regulator deadline: No fixed deadline — "most expedient time possible"
Individual deadline: Without unreasonable delay
Threshold: Unauthorised access to unencrypted personal information
Citation: Cal. Civ. Code §1798.82 (state breach law) + Cal. Civ. Code §1798.150 (CCPA private right of action)

Law: PIPEDA
Jurisdiction: Canada (federal)
Regulator deadline: As soon as feasible
Individual deadline: As soon as feasible (when real risk of significant harm)
Threshold: Real risk of significant harm (RROSH) to an individual
Citation: PIPEDA s.10.1, Breach of Security Safeguards Regulations SOR/2018-64

Law: Quebec Law 25
Jurisdiction: Quebec, Canada
Regulator deadline: 72 hours
Individual deadline: Without delay (when risk of serious injury)
Threshold: Risk of serious injury to affected individuals
Citation: Quebec Law 25, s.3.5 — confidentiality incident notification

Law: Australia NDB
Jurisdiction: Australia
Regulator deadline: 30 days (after becoming aware)
Individual deadline: As soon as practicable (when serious harm likely)
Threshold: Eligible data breach — likely to result in serious harm
Citation: Privacy Act 1988, Part IIIC — Notifiable Data Breaches scheme

Law: India DPDP
Jurisdiction: India
Regulator deadline: 72 hours
Individual deadline: Promptly (when breach likely to harm data principal)
Threshold: Any personal data breach
Citation: DPDP Act 2023, s.8(6) — data breach notification

Law: UAE PDPL
Jurisdiction: United Arab Emirates
Regulator deadline: 72 hours
Individual deadline: Without undue delay (when high risk)
Threshold: Any breach likely to harm affected individuals
Citation: UAE Federal Decree-Law No. 45 of 2021, Art. 17

Law: LGPD
Jurisdiction: Brazil
Regulator deadline: Reasonable timeframe (not yet formally defined)
Individual deadline: Promptly
Threshold: Breach likely to cause relevant risk or harm to data subjects
Citation: LGPD Art. 48 — communication of security incidents

Detailed breakdown by jurisdiction

Key notes, practical considerations, and penalty exposure for each regime.

GDPR (EU/EEA)
Regulator deadline: 72 hours
Regulator: National supervisory authority (DPA)
Individual notification: Without undue delay (when high risk)
Threshold: Any breach likely to result in risk to individuals

If the 72-hour deadline cannot be met, notify the DPA with a reasoned explanation for the delay. Breach records must be kept regardless of notifiability (Art. 33(5) GDPR).

Citation: Art. 33–34 GDPR
Penalty exposure: Up to €10M or 2% global turnover for failure to notify

UK GDPR (United Kingdom)
Regulator deadline: 72 hours
Regulator: Information Commissioner's Office (ICO)
Individual notification: Without undue delay (when high risk)
Threshold: Any breach likely to result in risk to individuals

Post-Brexit, UK GDPR is enforced independently by the ICO. Notification requirements mirror EU GDPR but go to the ICO, not EU DPAs.

Citation: Art. 33–34 UK GDPR
Penalty exposure: Up to £8.75M or 2% global turnover for failure to notify

CCPA (California)
Regulator deadline: No fixed deadline — "most expedient time possible"
Regulator: California Attorney General + affected individuals
Individual notification: Without unreasonable delay
Threshold: Unauthorised access to unencrypted personal information

California breach notification law (§1798.82) is separate from the CCPA. The CCPA adds a private right of action for breaches of certain categories of personal information that were not protected by reasonable security. There is no fixed regulatory deadline.

Citation: Cal. Civ. Code §1798.82 (state breach law) + Cal. Civ. Code §1798.150 (CCPA private right of action)
Penalty exposure: $100–$750 per consumer per incident (CCPA private right of action)

PIPEDA (Canada, federal)
Regulator deadline: As soon as feasible
Regulator: Office of the Privacy Commissioner of Canada (OPC)
Individual notification: As soon as feasible (when real risk of significant harm)
Threshold: Real risk of significant harm (RROSH) to an individual

PIPEDA's threshold is higher than GDPR's: notification is only required if there is a "real risk of significant harm". Breach records must be kept for 24 months regardless of notifiability.

Citation: PIPEDA s.10.1, Breach of Security Safeguards Regulations SOR/2018-64
Penalty exposure: Up to CAD $100,000 per violation for failure to report or keep records

Quebec Law 25 (Quebec, Canada)
Regulator deadline: 72 hours
Regulator: Commission d'accès à l'information (CAI)
Individual notification: Without delay (when risk of serious injury)
Threshold: Risk of serious injury to affected individuals

Quebec Law 25 imposes a stricter 72-hour deadline than PIPEDA, aligning more closely with GDPR. A "confidentiality incident" includes any inadvertent communication, access, or use of personal information.

Citation: Quebec Law 25, s.3.5 — confidentiality incident notification
Penalty exposure: Up to CAD $25,000,000 or 4% of global revenue

Australia NDB (Australia)
Regulator deadline: 30 days (after becoming aware)
Regulator: Office of the Australian Information Commissioner (OAIC)
Individual notification: As soon as practicable (when serious harm likely)
Threshold: Eligible data breach — likely to result in serious harm

Australia has a longer 30-day window than GDPR. If an organisation suspects a breach but is not certain, it has 30 days to assess whether it is an eligible data breach. Small businesses under the Privacy Act threshold may not be subject to the NDB scheme.

Citation: Privacy Act 1988, Part IIIC — Notifiable Data Breaches scheme
Penalty exposure: Up to AUD $50,000,000 per serious or repeated interference

India DPDP (India)
Regulator deadline: 72 hours
Regulator: Data Protection Board of India
Individual notification: Promptly (when breach likely to harm data principal)
Threshold: Any personal data breach

India DPDP requires notification of any personal data breach, with no risk threshold. Both the Data Protection Board and affected data principals must be notified. Final implementing rules are pending as of April 2026.

Citation: DPDP Act 2023, s.8(6) — data breach notification
Penalty exposure: Up to INR 2,500 crore (~USD $300M) for certain violations

UAE PDPL (United Arab Emirates)
Regulator deadline: 72 hours
Regulator: UAE TDRA (Telecommunications and Digital Government Regulatory Authority)
Individual notification: Without undue delay (when high risk)
Threshold: Any breach likely to harm affected individuals

UAE PDPL notification goes to the TDRA. DIFC and ADGM free zones have separate data protection frameworks with their own breach notification requirements.

Citation: UAE Federal Decree-Law No. 45 of 2021, Art. 17
Penalty exposure: AED 50,000 to AED 20,000,000 depending on severity

LGPD (Brazil)
Regulator deadline: Reasonable timeframe (not yet formally defined)
Regulator: Autoridade Nacional de Proteção de Dados (ANPD)
Individual notification: Promptly
Threshold: Breach likely to cause relevant risk or harm to data subjects

LGPD does not specify a fixed deadline. The ANPD has issued guidance suggesting notification within 2 business days (Resolution CD/ANPD No. 2/2022). The ANPD may update this with formal regulations.

Citation: LGPD Art. 48 — communication of security incidents
Penalty exposure: Up to 2% of Brazilian revenue, capped at BRL 50,000,000 per violation

Practical guidance: what to do in the first 72 hours

When a potential data breach is discovered, the clock starts immediately — but only when you have a reasonable degree of certainty that a breach has occurred. The following steps apply regardless of which laws are in scope:

  1. Contain the breach
     Immediately take steps to stop the breach from continuing. This may include revoking access credentials, taking systems offline, or patching the vulnerability.
  2. Assess scope and severity
     Determine what personal data was affected, how many individuals, and whether the data was encrypted or anonymised. The notifiability assessment depends on this.
  3. Identify applicable laws
     For each affected jurisdiction (based on where affected individuals are located), identify which breach notification obligations apply and what the deadlines are.
  4. Notify regulators within applicable deadlines
     For GDPR, UK GDPR, India DPDP, UAE PDPL, and Quebec Law 25 — notify within 72 hours if the breach meets the threshold. For Australia NDB — you have 30 days to assess and notify. For PIPEDA — notify as soon as feasible if there is real risk of significant harm.
  5. Notify affected individuals if required
     Where the breach poses a high risk of harm (GDPR, UK GDPR), serious harm (Australia NDB), or real risk of significant harm (PIPEDA), notify affected individuals promptly.
  6. Document everything
     All privacy laws require breach records to be kept. Document the nature of the breach, data affected, individuals at risk, and all notification steps taken, with timestamps.

Frequently asked questions

What is the GDPR data breach notification deadline?

Under Art. 33(1) GDPR, controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. If notification cannot be made within 72 hours, the controller must notify the DPA as soon as possible with a reasoned explanation for the delay. If the breach is likely to result in a high risk to individuals, the controller must also notify affected data subjects without undue delay under Art. 34 GDPR.

Does CCPA require data breach notification?

The CCPA itself does not prescribe a specific data breach notification deadline. California data breach notification is primarily governed by Cal. Civ. Code §1798.82, which requires notification in the most expedient time possible and without unreasonable delay. However, the CCPA adds a private right of action for individuals whose personal information is subject to unauthorised access as a result of failure to maintain reasonable security (Cal. Civ. Code §1798.150). This private right of action applies to specific categories of sensitive personal information.

What is the 72-hour rule for data breaches?

The 72-hour rule originates from Art. 33(1) GDPR and has been adopted in several other regimes including UK GDPR, India DPDP, UAE PDPL, and Quebec Law 25. Under these laws, controllers must notify the supervisory authority within 72 hours of becoming aware of a qualifying personal data breach. The clock starts when the controller has a reasonable degree of certainty that a breach has occurred — not when the breach first happened. If the 72-hour window cannot be met, a notification must still be submitted promptly with a reasoned explanation for the delay.

What counts as a notifiable data breach?

Not every data breach is notifiable. Under GDPR (Art. 33), notification is required unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Under Australia's NDB scheme, a breach is only notifiable if it is an 'eligible data breach' likely to result in serious harm. Under PIPEDA, notification is required only if there is a real risk of significant harm. In contrast, India DPDP requires notification of any personal data breach without a harm threshold.

Do I need to notify individuals after a data breach?

Yes, but only when specific thresholds are met. Under GDPR (Art. 34) and UK GDPR, individual notification is required when the breach is likely to result in a high risk to individuals' rights and freedoms. Under Australia's NDB scheme, individual notification is required when the breach is likely to result in serious harm. Under PIPEDA, you must notify individuals if the breach poses a real risk of significant harm. In each case, notification to individuals must include a description of the breach, types of information involved, and recommended steps individuals can take.
