Privacy Tools Guide

GDPR requires notifying authorities within 72 hours of discovering a breach, while CCPA requires notification to California residents without unreasonable delay but no specific timeline. GDPR applies to all EU resident data, CCPA to California residents, with both requiring notification documentation and reasonable security investigation. Implement breach discovery automation, maintain audit logs, prepare notification templates, and document your incident response process to meet these timelines before breaches occur.

GDPR Breach Notification Requirements

Under GDPR Articles 33 and 34, organizations must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach. This tight timeline applies to breaches likely to result in a risk to individuals’ rights and freedoms.

Key GDPR Timelines

The 72-hour clock starts when your organization confirms a breach—not when it first detects potential unauthorized access. This distinction matters because initial detection often requires investigation before confirmation.

What Triggers GDPR Notification

A breach requires notification when it results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. For developers, common triggers include:

Required Notification Content

Your breach report to supervisory authorities must include:

CCPA Breach Notification Requirements

California’s breach notification requirements are governed by California Civil Code Section 1798.82. The Golden State mandates notification to affected California residents, but the timeline is more flexible than GDPR.

Key CCPA Timelines

CCPA Notification Thresholds

California law requires notification when breach involves personal information defined as:

The breach must actually cause or reasonably cause identity theft or economic loss for notification to be legally required.

California Attorney General Notification

If more than 500 California residents are affected, you must also notify the California Attorney General. This can be done through their online breach reporting portal.

Comparative Timeline Overview

Requirement GDPR CCPA
Authority notification 72 hours Not required
Individual notification Without undue delay Without unreasonable delay
Extension allowed No No
Content requirements Detailed Basic
Penalty per violation Up to €20M or 4% global revenue $2,500-$7,500

Practical Implementation for Developers

Building breach notification capability into your systems requires both technical infrastructure and documented processes.

Incident Detection and Tracking

First, implement logging and monitoring to detect potential breaches:

# Python: Incident detection data structure
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional
from enum import Enum

class BreachType(Enum):
    CONFIRMED = "confirmed"
    SUSPECTED = "suspected"
    FALSE_POSITIVE = "false_positive"

class RiskLevel(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"
    CRITICAL = "critical"

@dataclass
class SecurityIncident:
    incident_id: str
    detection_time: datetime
    confirmation_time: Optional[datetime] = None
    breach_type: Optional[BreachType] = None
    risk_level: RiskLevel = RiskLevel.LOW
    data_categories_affected: List[str] = field(default_factory=list)
    data_subjects_count: int = 0
    contains_california_residents: bool = False
    contains_eu_residents: bool = False
    notification_sent: bool = False
    authority_notification_time: Optional[datetime] = None
    individual_notification_time: Optional[datetime] = None

    def confirm_breach(self, confirmation_time: datetime, breach_type: BreachType):
        self.confirmation_time = confirmation_time
        self.breach_type = breach_type
        self._assess_risk()

    def _assess_risk(self):
        high_risk_indicators = ["ssn", "financial", "health", "biometric"]
        if any(cat in high_risk_indicators for cat in self.data_categories_affected):
            self.risk_level = RiskLevel.HIGH

Breach Triage Process

Implement a triage function to determine notification requirements:

def triage_breach(incident: SecurityIncident) -> dict:
    """Determine notification requirements for a confirmed breach."""
    results = {
        "gdpr_reportable": False,
        "gdpr_notify_individuals": False,
        "ccpa_reportable": False,
        "ccpa_notify_california_ag": False,
        "deadline_72h": None,
        "deadline_30d": None
    }

    # GDPR assessment
    if incident.risk_level in [RiskLevel.HIGH, RiskLevel.CRITICAL]:
        results["gdpr_reportable"] = True
        results["gdpr_notify_individuals"] = True
        if incident.confirmation_time:
            results["deadline_72h"] = incident.confirmation_time.replace(
                hour=incident.confirmation_time.hour + 72
            )

    # CCPA assessment
    if (incident.contains_california_residents and
        incident.breach_type == BreachType.CONFIRMED):
        results["ccpa_reportable"] = True
        results["deadline_30d"] = datetime.now()  # Within 30 days recommended

        if incident.data_subjects_count >= 500:
            results["ccpa_notify_california_ag"] = True

    return results

Documentation and Evidence Preservation

Maintain logs for compliance audits:

# Store incident evidence immutably
def log_incident_evidence(incident: SecurityIncident, evidence: dict):
    """Log incident with cryptographic timestamp for audit trail."""
    import hashlib
    import json

    evidence_json = json.dumps(evidence, sort_keys=True)
    evidence_hash = hashlib.sha256(evidence_json.encode()).hexdigest()

    log_entry = {
        "incident_id": incident.incident_id,
        "timestamp": datetime.utcnow().isoformat(),
        "evidence_hash": evidence_hash,
        "evidence": evidence  # Store actual evidence securely
    }

    # Append to immutable audit log
    with open(f"/secure/audit/incidents/{incident.incident_id}.json", "a") as f:
        f.write(json.dumps(log_entry) + "\n")

Automating Notification Workflows

Build automated workflows to meet tight timelines:

# Example: Incident response workflow definition
incident_response:
  phases:
    - name: detection
      sla: immediate
      actions:
        - alert_security_team
        - create_incident_record
        - preserve_logs

    - name: assessment
      sla: 24 hours
      actions:
        - determine_breach_type
        - count_affected_users
        - identify_jurisdictions
        - assess_risk_level

    - name: notification_preparation
      sla: 48 hours
      actions:
        - prepare_authority_notification
        - prepare_individual_notification
        - legal_review

    - name: notification
      sla: 72 hours (GDPR)
      actions:
        - submit_to_supervisory_authority
        - notify_california_ag_if_required
        - notify_individuals_if_high_risk

Common Pitfalls to Avoid

Many organizations struggle with these areas:

Starting the clock too early: The 72-hour timer begins at confirmation, not detection. Document your confirmation process carefully.

Incomplete jurisdiction tracking: You need to know where affected users reside. Implement geographic data collection from signup.

Missing documentation: Every decision must be documented. What you did, why you did it, and when.

Inadequate incident response plans: Having a plan on paper isn’t enough. Practice your response through tabletop exercises.

Built by theluckystrike — More at zovo.one

Explore Our Developer Guides

© 2026 theluckystrike Developer Guides