By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
CIPP (US & EU) – Data Breach Notification – Global Overview
Data‑breach notification is the legal duty to tell regulators, affected individuals, and sometimes the public when personal data is accessed, disclosed, or destroyed without authorization. It’s a “red‑flag” requirement that turns a security incident into a compliance event. Imagine a multinational retailer that stores EU‑customer purchase histories in a U.S. cloud. A hacker steals a backup file containing those records. The retailer must decide who to notify, when, and what to say—under GDPR (EU), CCPA/CPRA (California), HIPAA (U.S. health), and other breach‑law regimes. Failure to notify on time or to the right parties can trigger massive fines, reputational damage, and private‑right lawsuits.
Scenario: A U.S. SaaS provider discovers that a backup containing EU customers’ email addresses was exposed. The provider has no EU office. Answer: The provider must notify the relevant EU supervisory authority within 72 hours (GDPR Art. 33) because it targets EU data subjects. Explanation: Targeting (offering services to EU residents) triggers GDPR extraterritorial scope even without a physical EU presence.
Scenario: A California‑based health‑tech startup (covered entity under HIPAA) learns that a laptop containing 300 patient records was stolen. Answer: The startup must notify the affected individuals within 60 days and the HHS OCR within 60 days (since ≥500 records are involved). Explanation: HIPAA’s breach‑notification rule applies to any breach of protected health information; the 60‑day deadline is the same for both individuals and OCR when the breach affects 500+ individuals.
Scenario: A retailer experiences a breach affecting 150 California residents’ names and purchase histories. The breach is discovered on March 1. Answer: The retailer must send the consumer notice as soon as practicable and without unreasonable delay, but no later than 30 days after discovery (CCPA/CPRA). Explanation: CCPA/CPRA requires “most expedient time possible” and caps the deadline at 30 days; the retailer should aim for the earliest feasible notice.
Use this sheet to jog your memory on the most exam‑relevant numbers, deadlines, and jurisdictional triggers. Good luck!
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.