Compliance Glossary

What is Breach Notification?

Definition

Breach notification is the legal (and, under some frameworks, contractual) requirement for organizations to inform regulatory authorities and affected individuals when a security incident results in unauthorized access to, disclosure of, loss of, or destruction of protected data. Notification timelines, thresholds, and recipients vary significantly by framework and jurisdiction.

In Depth

Breach notification requirements exist across most compliance frameworks but differ significantly in who must be told, how quickly, and what triggers the obligation.

Under GDPR (Article 33), a data controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made later than 72 hours must state the reasons for the delay. Where the breach is likely to result in a high risk, Article 34 also requires the controller to notify the affected data subjects without undue delay. A processor has no direct duty to the authority but must notify its controller without undue delay, and every breach must be documented internally whether or not it is reported. Because the 72-hour clock starts at awareness rather than at the end of the investigation, detection and internal escalation lag eats directly into the window.

HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI; a breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the entity. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary within the same window, and breaches affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets serving that area; smaller breaches are logged and reported to HHS annually. A business associate must notify the covered entity, which remains responsible for the onward notifications.

SOC 2 sets no prescriptive notification timeline, but its Trust Services Criteria require that incident response procedures include defined communication protocols, and customer contracts frequently impose their own deadlines on top of that.

A robust breach notification process includes predefined templates for regulatory and individual notifications, a decision tree for assessing notification obligations across jurisdictions, legal review procedures, and pre-selected communication channels. Organizations subject to multiple frameworks must map their obligations so that the strictest applicable timeline is met, and should record the moment each incident became known, since that timestamp is what every deadline is measured from.

Generate compliance docs with PoliWriter

Stop reading about compliance and start achieving it. PoliWriter generates audit-ready policies customized to your organization in hours.
