
Cross-jurisdiction breach notification timelines

Primary statement

Cross-jurisdiction breach notification timelines: GDPR 72h from awareness (Art 33) + DPDPA intimation without delay and detailed report within 72h (Draft Rule 7) + CERT-In 6h (Direction under s.70B IT Act) + RBI CIMS 6h + SEBI per CSCRF + IRDAI 24h + CCPA (California breach notice: no fixed hour count, "without unreasonable delay") + NIS2 (24h early warning, 72h incident notification, final report within one month, Art 23). A single breach at a multi-jurisdiction processor routinely starts several of these clocks at once, and the clocks are measured from different trigger events (awareness, detection, being brought to notice), so the internal record must capture the earliest defensible trigger timestamp.

Audit-fatigue payoff

A unified breach notification timing matrix per regulator + pre-staged authority contacts + a tested procedure satisfies the cross-jurisdiction breach timelines of every contributing framework with one artefact set, instead of one playbook per regulator.

Strictness matrix

Scope
Scope: ALL personal data breaches across all applicable jurisdictions, plus cyber security incidents that start a regulator clock even when no personal data is involved (CERT-In, RBI, SEBI, IRDAI and NIS2 reporting is incident-triggered, not personal-data-triggered). Each jurisdiction has its own timeline and its own trigger event. Ceiling source: gdpr:Art.33 Rationale: GDPR Art 33 + DPDPA + CERT-In together form the cross-jurisdiction scope.
Threshold
Threshold: the STRICTEST applicable timeline (typically CERT-In 6h or RBI CIMS 6h) determines the internal escalation cadence; the 72-hour GDPR clock is an upper bound for personal data, not a target (Art 33(1) requires notification "without undue delay", and Art 33(4) allows the information to be provided in phases if it is not all available within 72 hours). Ceiling source: gdpr:Art.33 Rationale: the CERT-In / RBI 6-hour clock is the strictest in the cross-jurisdiction set, so a process tuned to it meets every other fixed deadline by construction.
Method
Method: per-regulator notification template + pre-staged authority contacts (portal credentials, e-mail, phone, verified at least annually) + multi-regulator coordination matrix + awareness-to-notification time tracking (one timezone-aware awareness timestamp, one recorded submission timestamp per regulator) + strictest-timeline-first escalation procedure (incident commander is paged on the 6-hour clock; the 24h and 72h filings are scheduled from the same timestamp, not from the first filing). Ceiling source: gdpr:Art.33 Rationale: the cross-jurisdiction matrix is the most prescriptive method.
Frequency
Event-driven within applicable timelines. Procedure review: annual + post-incident. Tabletop with multi-regulator scenario: annual. Ceiling source: gdpr:Art.33 Rationale: Annual tabletop with multi-regulator is the audit-defensible periodic cadence.
Evidence
Evidence: per-regulator notification templates + authority contact list + coordination matrix + sample submissions + tabletop records. Ceiling source: gdpr:Art.33 Rationale: GDPR Art 33 + cross-jurisdiction evidence is comprehensive.
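The Method row above calls for awareness-to-notification time tracking and strictest-timeline-first escalation. The following is an added example, not tooling from this page or from any of the named regulators, of that matrix as a deadline calculator: it takes one recorded awareness timestamp, expands the applicable regimes into per-obligation deadlines sorted strictest first, and reports met / late / open / missed against what has actually been sent. Clock lengths are the ones this page quotes; SEBI is left out because the page gives no hour count for CSCRF. Running every clock from a single awareness timestamp is an assumption (statutory trigger wording differs per regulator, so treat the output as an internal floor), and the breach scenario, regime set and timestamps are constructed for the example.

```python
"""Breach-notification deadline matrix with strictest-timeline-first ordering.

Added example, not the page's own tooling. Clock lengths are the ones quoted
on the page; running every clock from one recorded awareness timestamp is an
assumption and must be checked against each regulator's current trigger text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Obligation:
    regime: str
    stage: str
    clock_hours: Optional[int]  # None: no fixed hour count ("without unreasonable delay")
    basis: str


# Notification matrix as quoted on the page. SEBI omitted: no hour count stated for CSCRF.
MATRIX = [
    Obligation("GDPR", "notification to supervisory authority", 72, "Art 33(1)"),
    Obligation("DPDPA", "detailed report to Data Protection Board", 72, "Draft Rule 7"),
    Obligation("CERT-In", "incident report", 6, "Direction under s.70B IT Act"),
    Obligation("RBI", "incident report via CIMS", 6, "RBI cyber security framework"),
    Obligation("IRDAI", "incident report", 24, "IRDAI cyber security guidelines"),
    Obligation("NIS2", "early warning", 24, "Art 23(4)(a)"),
    Obligation("NIS2", "incident notification", 72, "Art 23(4)(b)"),
    Obligation("CCPA", "notice to residents", None, "Cal. Civ. Code 1798.82"),
]


def deadlines(aware_at: datetime, regimes: set[str]) -> list[tuple[Obligation, Optional[datetime]]]:
    """(obligation, due) pairs for the applicable regimes, strictest first."""
    if aware_at.tzinfo is None:
        # Naive timestamps from mixed-zone SOC tooling are a classic way to lose a 6h window.
        raise ValueError("aware_at must be timezone-aware")
    rows = []
    for ob in MATRIX:
        if ob.regime not in regimes:
            continue
        due = aware_at + timedelta(hours=ob.clock_hours) if ob.clock_hours is not None else None
        rows.append((ob, due))
    # Fixed clocks first, earliest due first; open-ended obligations sort last.
    rows.sort(key=lambda r: (r[1] is None, r[1] or aware_at))
    return rows


def strictest_due(aware_at: datetime, regimes: set[str]) -> Optional[datetime]:
    """The deadline that drives internal escalation: the earliest fixed clock, if any."""
    fixed = [due for _, due in deadlines(aware_at, regimes) if due is not None]
    return min(fixed) if fixed else None


def assess(aware_at: datetime, regimes: set[str],
           notified: dict[tuple[str, str], datetime], now: datetime) -> list[dict]:
    """Per-obligation status given the submissions recorded so far (keyed by regime, stage)."""
    out = []
    for ob, due in deadlines(aware_at, regimes):
        sent = notified.get((ob.regime, ob.stage))
        if due is None:
            status = "sent" if sent is not None else "open (no fixed clock)"
        elif sent is not None:
            status = "met" if sent <= due else "late"
        else:
            status = "open" if now <= due else "missed"
        out.append({"regime": ob.regime, "stage": ob.stage, "basis": ob.basis,
                    "due": due.isoformat() if due is not None else None, "status": status})
    return out


# Constructed sample (assumption, not a real incident): EU customer data breached at an
# India-hosted processor that is also in NIS2 scope and holds California residents' data.
SAMPLE_AWARE_AT = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_REGIMES = {"GDPR", "CERT-In", "NIS2", "CCPA"}
SAMPLE_NOTIFIED = {
    ("CERT-In", "incident report"): SAMPLE_AWARE_AT + timedelta(hours=8),  # 2h over the 6h clock
}
SAMPLE_NOW = SAMPLE_AWARE_AT + timedelta(hours=30)


def run_sample() -> dict[tuple[str, str], str]:
    """Status per (regime, stage) for the constructed sample, 30h into the incident."""
    return {(r["regime"], r["stage"]): r["status"]
            for r in assess(SAMPLE_AWARE_AT, SAMPLE_REGIMES, SAMPLE_NOTIFIED, SAMPLE_NOW)}


if __name__ == "__main__":
    print("escalation clock:", strictest_due(SAMPLE_AWARE_AT, SAMPLE_REGIMES))
    for row in assess(SAMPLE_AWARE_AT, SAMPLE_REGIMES, SAMPLE_NOTIFIED, SAMPLE_NOW):
        print(f"{row['regime']:8} {row['stage']:40} due={row['due']} {row['status']}")
```

In the sample the escalation clock is the CERT-In 6-hour deadline, the CERT-In filing at +8h shows as late, the NIS2 early warning (24h) is missed at +30h with nothing sent, and the GDPR and NIS2 72-hour filings are still open: exactly the "72-hour GDPR met but 6-hour CERT-In missed" pattern in the Common findings below, made visible while there is still time to act on the remaining clocks.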

Auditor test pattern

Step 1: Inspect the coordination matrix. Step 2: Verify per-regulator templates and that the pre-staged authority contacts were actually exercised. Step 3: Sample one cross-jurisdiction breach; verify every applicable deadline was met, measured from the documented awareness timestamp rather than from the first outbound notification. Step 4: Verify the annual multi-regulator tabletop.

Common findings

Common findings: (1) 72-hour GDPR met but 6-hour CERT-In missed; (2) Per-regulator templates absent; (3) Coordination matrix theoretical; (4) Tabletop covers one regulator only.