ClearLaunch

Personal data breach notification process

breach-notification-process · Domain: data-privacy · Type: process

Description

A breach-notification process is the operational system that takes over once the security team identifies a personal-data incident, and it runs against a regulatory clock that started the moment the incident was detected (or reasonably should have been). A working breach-notification process covers: detection signals; the assessment workflow that decides whether the incident meets the regulatory threshold for notification (most modern privacy laws use a risk-of-harm test rather than a presence-of-data-loss test); the containment and remediation path; the supervisory-authority notification (72 hours under GDPR, varying under US state laws); the data-subject notification when required; and the audit log that documents every step for the inevitable post-incident review. The structurally interesting piece is that the regulatory clock starts at detection, not at confirmation, so the assessment workflow has to operate under uncertainty rather than waiting for clean answers.

Required by (17 regulations)

  • APPI

    Act on the Protection of Personal Information (Act No. 57 of 2003, as amended by Act No. 44 of 2020, effective April 1, 2022)

  • CCPA/CPRA

    AG breach disclosure obligations (separately under California Civil Code §1798.82).

    Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102


  • CSL

    Cybersecurity Law of the People's Republic of China (adopted November 7, 2016, effective June 1, 2017)

  • DPDPA

    Digital Personal Data Protection Act, 2023 (Act No. 22 of 2023), published in the Gazette of India on August 11, 2023

  • GDPR

    Article 33 — DPA notification within 72 hours of awareness; Article 34 — affected individual notification when high risk.

    Regulation (EU) 2016/679 of the European Parliament and of the Council

  • LGPD

    Article 48 — ANPD notification of incidents that may cause relevant risk or damage.

    Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

  • PIPEDA

    S.C. 2000, c. 5 (Personal Information Protection and Electronic Documents Act)

  • PIPL

    Article 57 — immediate notification to authorities and individuals.

    Personal Information Protection Law of the People's Republic of China (adopted August 20, 2021, effective November 1, 2021)

  • Privacy Act

    Privacy Act 1988 (Cth), No. 119 of 1988

  • PDPL

    Royal Decree M/19, dated 9/2/1443 AH (September 16, 2021), Personal Data Protection Law, effective September 14, 2023

  • Singapore PDPA
  • POPIA
  • Tennessee IPA
  • Thailand PDPA
  • KVKK
  • UAE Data Protection Law
  • Vietnam PDPD

Fulfilled by (3)

  • onetrust · partial · medium effort · $$
  • sentry · partial · low effort · $
    Detection only; legal-side notification workflow still in-house.
  • In-house build · medium effort

ClearLaunch does not accept payment from vendors.

Evidence formats

  • incident response plan
  • breach register
  • notification templates
  • tabletop exercise records

ClearLaunch provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.


Built by Neel Patel, in-house game counsel. Games touch more compliance domains at once than anything else in tech. That's what ClearLaunch was designed around.

Operated by a Washington-licensed attorney. Not licensed in California or other US states. Data reviewed through March 2026.

© 2026 ClearLaunch