Incident response is stressful. The best way to reduce panic is to know your notification deadlines ahead of time.
GDPR: 72 Hours
GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals.
What Counts as Awareness
Once you have a reasonable degree of certainty that a breach occurred, the clock starts. Waiting for perfect facts can put you past the deadline.
US State Laws Vary
Most states require notification "without unreasonable delay," while a few specify fixed timelines. Some also require notification to the attorney general.
Prepare a Timeline Playbook
Create a simple matrix of regions, deadlines, and required notice content. Your legal team can update it as laws change.
What Notices Should Include
Most rules require a description of the incident, types of data affected, steps taken, and recommended actions for users.
Bottom Line
Fast, accurate notifications are easier when you have pre-approved templates and a clear escalation path.