Breach Notification Requirements Tracker

A practical tracker for GDPR, UK, and US state breach notification timelines, thresholds, and review checkpoints.

If you handle personal data across the EU, UK, or multiple US states, breach reporting is rarely just a security problem. It becomes a timing problem, a scoping problem, and a documentation problem at the same time. This tracker is designed as a practical reference you can revisit whenever laws, regulator guidance, customer contracts, or your own systems change. It explains the core breach notification requirements under GDPR, the UK regime, and the fragmented US state landscape, then shows what to monitor on a recurring basis so your incident response process stays usable under pressure.

Overview

This article gives you a timeline-driven way to think about privacy incident reporting without pretending every law works the same way. The safest operational approach is to separate three questions early: whether an incident is a personal data breach, whether notification is legally required, and what clock applies once you have enough facts to decide.

For organizations with customers, users, employees, or site visitors in more than one jurisdiction, the challenge is not just memorizing deadlines. It is understanding the trigger behind the deadline. In practice, deadlines usually depend on some combination of:

whether personal data was involved
whether the organization is acting as a controller or processor
whether the incident is likely to create risk or harm to individuals
when the organization became aware of the breach
whether a specific state law, sector rule, or contract uses a different reporting trigger

Under GDPR, the baseline concept is relatively clear. A controller is the party that determines the purposes and means of processing personal data, while a processor handles personal data on the controller’s behalf. That distinction matters during a breach because controllers generally own the regulatory notification decision, while processors must notify controllers without undue delay under their contractual and legal obligations. The same controller-versus-processor logic is useful in the UK as well. If you need a refresher on role allocation, see Controller vs Processor Under GDPR: A Practical Guide for SaaS, Agencies, and Website Owners.

The GDPR model is also useful because it frames breach handling as part of broader accountability. Source material on GDPR readiness consistently emphasizes documented responsibilities, data mapping, and controller risk assessment. That is why a breach tracker should not live as a one-page legal cheat sheet. It should be tied to your data inventory, vendor map, incident response plan, and reporting workflow.

For repeat use, think of this article as a monitoring framework:

EU GDPR: a structured rule set with a well-known supervisory authority notification window and a risk-based standard for notifying affected individuals
UK: broadly similar to the GDPR model, but governed separately and worth tracking independently for guidance changes
US states: a patchwork where timelines, definitions of personal information, regulator notice triggers, consumer notice content, and substitute notice rules often differ

The practical takeaway is simple: build one internal breach assessment process, but maintain jurisdiction-specific outputs.

What to track

If you want this page to be useful every quarter, focus on variables that actually change notification decisions. The most common mistake is tracking only the headline deadline and ignoring the conditions underneath it.

1. The legal trigger for notification

Start with the threshold, not the timeline. Under GDPR and the UK regime, not every security incident becomes a reportable personal data breach. The key issues are whether personal data was affected and whether the breach is likely to result in risk to the rights and freedoms of natural persons. Notification to individuals generally requires a higher threshold, often framed as high risk.

US state laws are less uniform. Many rely on unauthorized access, acquisition, or disclosure of specified categories of personal information, often combined with a risk-of-harm analysis or a security-of-encrypted-data exception. Because the trigger varies by state, your tracker should include:

definition of covered personal information
whether access alone is enough, or acquisition must be shown
whether encrypted data is exempt and under what conditions
whether harm analysis is allowed
whether law enforcement delay is recognized

This is where technical teams often need legal translation. A suspicious login event, exposed backup, or misconfigured storage bucket may look severe from a security angle but still require a structured legal analysis before notifications go out.

2. The clock start

The phrase “when did the timer begin?” should be answered in your playbook before the next incident. In GDPR-style regimes, the reporting window is tied to awareness, not the initial attack date. That means your internal process should record:

when the event was first detected
when personal data involvement became reasonably likely
when a decision-maker concluded it was a personal data breach
when the controller was informed by a processor or subprocessor

In the US, many state laws use standards such as “without unreasonable delay,” sometimes with an outside limit or separate timing rules for attorney general notice or consumer reporting agencies. Your tracker should note both the flexible standard and any hard cap where one exists.

3. Controller and processor duties

Source material on GDPR terminology reinforces a core operational point: processors act on behalf of controllers, and controllers assess the risk and determine core notification obligations. If you rely on cloud services, analytics tools, support platforms, managed hosting, or outsourced developers, you should track:

whether your contract requires processor notice “without undue delay”
what information the processor must provide in an incident report
whether subprocessors are named and flow-down obligations exist
which party drafts regulator and customer notices
whether your data processing addendum matches the real service architecture

For a contract-level review, see Data Processing Agreement Checklist: What Controllers and Processors Should Verify.

4. Required contents of the notice

Deadlines matter, but incomplete notices create a second problem. Track what each regime expects you to include. GDPR-style notices to regulators typically focus on the nature of the breach, categories of data or data subjects affected, likely consequences, and measures taken or proposed. US state consumer notices may require different content, such as the incident date range, categories of information involved, advice on fraud alerts or credit monitoring, or regulator contact details.

Your tracker should not just list “notice required.” It should link to approved templates and responsible owners. If your privacy notice and internal incident process are out of sync, update both together. Related reading: Privacy Policy Checklist for Websites and SaaS: What to Disclose and When to Update It.

5. Jurisdiction mapping

For multi-region incidents, you need a repeatable way to decide which laws are in scope. Track:

where affected individuals reside
whether EU or UK personal data is involved
whether employee, customer, or website visitor data is included
whether the incident affects a regulated industry dataset
whether a customer contract adds shorter deadlines than the law

This depends on your records of processing. If you do not know which systems hold which categories of personal data, your notification timeline will slip while teams debate basics. A current data map and ROPA materially improve breach response. See Records of Processing Activities Checklist: When You Need a ROPA and What to Include.

6. State-law variables in the US

Because US state breach notification laws change over time, your tracker should maintain a state-by-state view of recurring variables rather than trying to memorize every statute. Useful fields include:

consumer notice deadline standard
attorney general notice trigger
consumer reporting agency trigger based on affected count
definition of personal information
special rules for login credentials, biometric data, medical data, or tax identifiers
substitute notice thresholds
content requirements and prohibited language

Even if your company mainly thinks in GDPR terms, US state law can be the harder operational burden because notice forms, recipients, and timelines often vary in small but important ways.

Cadence and checkpoints

The point of a tracker is not to create busywork. It is to give your team a realistic update rhythm. For most SMBs, SaaS companies, and website operators, a monthly light review plus a quarterly deeper review is a practical baseline.

Monthly: quick operational check

Once a month, confirm the pieces that break fastest:

incident response contacts are current
outside counsel, privacy lead, and security lead escalation paths still work
processor and hosting vendor emergency contacts are current
notice templates are accessible
evidence preservation steps are documented
on-call responders know where the breach assessment form lives

This takes less time than a tabletop exercise and catches avoidable failures early.

Quarterly: legal and data-scope review

Every quarter, review the assumptions that change more slowly but matter more:

new states added or revised breach laws relevant to your user base
new product features that collect additional categories of personal data
new vendors, subprocessors, or integrations
changes in cloud architecture, DNS, hosting, logging, or backup flows
updates to customer contracts requiring accelerated incident notice
changes to controller and processor role allocation

If your team is preparing for broader cybersecurity compliance work, tie this review to existing governance checkpoints such as your SOC 2 readiness review or your annual GDPR compliance checklist.

After any material system change

Do not wait for the next quarter if you:

launch in a new region
add a new identity provider or analytics platform
migrate hosting or DNS
adopt a new customer support tool
begin storing more sensitive categories of information
change your processor or subprocessor chain

These events can change both the likelihood of a reportable breach and the jurisdictions you need to notify.

During an active incident: checkpoint timeline

When an incident is live, use a strict checkpoint method:

Initial triage: confirm whether personal data may be involved.
Role check: identify whether you are controller, processor, or both across different datasets.
Jurisdiction check: map affected individuals and contracts.
Threshold check: assess risk, harm, and statutory triggers.
Clock check: record when awareness was established.
Drafting check: prepare regulator, customer, and individual notices separately.
Documentation check: preserve rationale, even if you decide notice is not required.

This structure prevents a common failure mode: rushing to issue a broad external statement before the legal trigger has been correctly evaluated.

How to interpret changes

Not every legal update should cause a rewrite of your entire incident response plan. The useful question is what kind of change it is and which part of your workflow it affects.

Change type 1: timeline changes

If a jurisdiction shortens a deadline or clarifies the start of the reporting clock, that is an escalation-path problem first. You may need faster internal triage, shorter vendor reporting windows, or a pre-approved decision tree. Review contracts with processors and subprocessors to make sure they do not leave you waiting too long for core facts.

Change type 2: scope changes

If a law expands the categories of covered personal information, your data map may be outdated even if your legal memo is current. For example, a system that was previously low-risk for notification purposes may become high-priority if credentials, biometric identifiers, or online account data are treated differently. Update system inventories, retention rules, and breach classification guides together.

Change type 3: recipient changes

Sometimes the key update is not the consumer deadline but who else must be told. A state may add attorney general notice, or a contract may require customer notice within a much shorter period than the law. In those cases, update the contact matrix and draft templates before the next incident.

Change type 4: guidance changes

Regulator guidance can sharpen how risk is interpreted even if the underlying statute did not change. For GDPR and UK-style analysis, the safest evergreen interpretation is to document your assessment carefully and avoid treating encryption, pseudonymization, or quick containment as automatic exemptions. Those facts matter, but they do not eliminate the need for a structured rights-and-freedoms analysis.

This is also why controller accountability remains central in GDPR materials. Even where a processor supports investigation, the controller still needs enough information to assess risk and justify its decision. Your internal record should show what happened, what data was involved, what risk analysis was applied, and why notice was or was not sent.

Change type 5: operational changes mistaken for legal changes

Many breach-reporting failures come from architecture drift, not statute updates. A new log source may expose more personal data than expected. A backup repository may fall outside existing alerting. A DNS or hosting migration may change who can confirm compromise. Treat infrastructure changes as compliance changes when they affect detection, evidence, or data scope. If domain and hosting are part of your risk surface, align this work with your wider website security checklist and vendor review process.

When to revisit

Use this tracker as a standing review item, not a one-time read. The best time to revisit breach notification requirements is before you need them. A practical schedule is:

Monthly: verify contacts, templates, and escalation paths
Quarterly: review legal updates, state-law changes, and data-flow changes
After major launches or vendor changes: remap jurisdictions and contractual notice duties
After any incident or tabletop: update your clock-start guidance, evidence checklist, and notice decision tree
Annually: reconcile breach response with your privacy notice, DPA set, ROPA, and security policies

If you want one action-oriented checklist to keep, use this:

Create a breach matrix covering EU, UK, and every US state where you have meaningful user or employee exposure.
For each jurisdiction, track trigger, deadline standard, regulator notice rules, consumer notice rules, and content requirements.
Map every system that stores personal data to a controller or processor role.
Review your DPAs and vendor terms to ensure processors notify you fast enough to meet your own deadlines.
Maintain separate templates for regulator notice, customer notice, and affected individual notice.
Record the exact event that establishes awareness for timing purposes.
Document decisions not to notify with the same discipline as decisions to notify.
Re-test the workflow after infrastructure, product, or vendor changes.

For most teams, breach notification readiness is really a coordination exercise across privacy compliance, security operations, legal review, and vendor management. If any one of those is stale, the entire timeline starts to slip. Keep your supporting documents current, especially your DPA review, ROPA, and GDPR checklist.

This tracker will remain useful if you treat it as a living index of changing variables rather than a static legal summary. Revisit it on a monthly or quarterly cadence, and anytime your systems, vendors, or user footprint change. That habit is what turns breach notification requirements from a scramble into a process.