Breach Notification in 2026: GDPR, HIPAA, and State Law Requirements — G8KEPR Blog
Compliance · 7 min read · March 15, 2026

Breach Notification in 2026: GDPR, HIPAA, and State Law Requirements

A data breach triggers notification obligations across multiple frameworks simultaneously. GDPR gives you 72 hours to notify the supervisory authority. HIPAA gives you at most 60 days. State laws give you anywhere from 30 days to "the most expedient time possible". Here is how to navigate overlapping obligations without missing a deadline.

A data breach at a SaaS company that processes personal data rarely triggers a single notification obligation. If you have customers or data subjects in the EU, you are subject to GDPR. If you process protected health information for US covered entities, you are subject to HIPAA as a business associate. If you hold personal information about residents of US states (and you almost certainly do), you are subject to each of those states' data breach notification laws, which are separate from, and older than, the comprehensive privacy statutes in California, Colorado, Virginia, and Connecticut. These obligations apply simultaneously, start their clocks at different events, and have different deadlines.

GDPR: 72 Hours to Supervisory Authority

Article 33 requires a controller to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If notification is late, the controller must state the reasons for the delay. Article 34 separately requires notifying affected data subjects without undue delay when the breach is likely to result in a high risk to them. This is the most aggressive timeline in any major framework: 72 hours means 72 calendar hours, weekends and holidays included. The clock starts when the controller "becomes aware", which the Article 29 Working Party guidance (endorsed by the EDPB) interprets as the point at which you have a reasonable degree of certainty that a security incident has compromised personal data, not when you have completed your investigation. A SaaS vendor acting as a processor has a different duty: under Article 33(2) it must notify each affected controller without undue delay, and the controllers' own 72-hour windows open from there. Check your data processing agreements, which often shorten that processor deadline to 24 or 48 hours by contract.

HIPAA: 60 Days from Discovery

The HIPAA Breach Notification Rule requires a covered entity to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. Discovery is the first day the breach is known, or by exercising reasonable diligence would have been known, to the entity. Sixty days is a ceiling, not a safe harbor: OCR has treated avoidable delay inside the window as a violation. Breaches affecting 500 or more individuals must be reported to HHS at the same time as individual notice, and breaches affecting more than 500 residents of a single state or jurisdiction also require notice to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A business associate does not notify individuals or HHS itself unless the business associate agreement delegates that; it must notify the covered entity without unreasonable delay and within 60 days of its own discovery, and the covered entity's clock runs from when it receives that notice (or from the business associate's discovery, if the business associate is acting as its agent). The 60-day window is more generous than GDPR's, but the content of the notification is more prescriptive: what happened, the types of PHI involved, what individuals should do, what the entity is doing, and how to contact it.

US State Laws: A Patchwork

All 50 US states, plus DC, Puerto Rico, Guam, and the US Virgin Islands, have data breach notification laws. Notification timelines range from a fixed 30 days (Florida, Colorado, Washington) or 45 to 60 days in others, while many states set no day count at all and require notice "in the most expedient time possible and without unreasonable delay", the original California formulation. Most laws also require notifying the state attorney general or another regulator above a resident threshold, commonly 500 or 1,000 residents. The triggering definition of "personal information" varies: most statutes cover a name combined with an SSN, driver's license number, or financial account number, but some also cover online account credentials, biometric identifiers, medical or health insurance information, and genetic data that others do not. The same incident can therefore be a reportable breach in one state and not in its neighbor.

The Practical Response Playbook

  1. Hour 0-4: Confirm the breach, contain the incident, preserve evidence. Record the time and basis on which you reached reasonable certainty that personal data was compromised; that timestamp is the start of the GDPR clock and the HIPAA discovery date, and you will be asked for it.
  2. Hour 4-24: Complete the initial assessment: which data elements were affected, which individuals, which jurisdictions they reside in, and whether you hold the data as a controller, a processor, or a HIPAA business associate.
  3. Hour 24-48: Engage legal counsel, notify controllers and covered entities whose data you process (their clocks are running too), prepare the GDPR notification if applicable, and begin the HIPAA risk assessment.
  4. Hour 48-72: Submit the GDPR notification to the supervisory authority if required; this deadline cannot slip.
  5. Day 4-30: Complete the full investigation, prepare individual notifications, and notify the remaining regulators, attorneys general, and media outlets on their own timelines, working from the shortest applicable deadline backwards.

GDPR notification to a supervisory authority can be made before the investigation is complete. Article 33(4) expressly allows the information to be provided in phases, so submit what you know, state that the investigation is ongoing, and supply the rest as it becomes available. A late notification is a worse outcome than an incomplete one submitted on time.
