Breach notification
Last reviewed 2026-05-18
Definitions
A personal-data breach is any unauthorized access, acquisition, use, disclosure, modification, or destruction of personal data, or loss of availability of such data.
Regulatory timelines
| Regime | Trigger | Notify supervisory authority | Notify affected individuals |
|---|---|---|---|
| GDPR (EU/EEA) | Any breach likely to result in a risk to rights & freedoms | 72 hours from awareness | Without undue delay if high risk |
| UK GDPR / DPA 2018 | Same as GDPR | 72 hours | Without undue delay if high risk |
| CCPA / CPRA (California) | Unauthorized access/exfil of personal info | AG notification if ≥500 California residents affected (Cal. Civ. Code §1798.82(f)) | In the most expedient time possible and without unreasonable delay (Cal. Civ. Code §1798.82(a)) |
| US state laws (≈50 states) | Varies: often unauthorized access to SSN, financial, health | Per state (AG notification in most) | Typically 30-60 days; sometimes 72 hours |
| PIPEDA (Canada) | Real risk of significant harm | ASAP to Privacy Commissioner | ASAP |
| Customer DPAs | Per contract | Per contract (commonly 48-72 hours) | Per contract |
Default posture: assume GDPR 72 h is the binding deadline and work backward.
Awareness and confirmation
GDPR Art. 33 starts the 72-hour supervisory-authority notification clock when a controller becomes "aware" of a personal-data breach. Per EDPB Guidelines 9/2022 on personal-data-breach notification, awareness is the point at which the controller has a reasonable degree of certainty that a security incident has occurred and led to personal data being compromised. This policy uses "confirmation" to denote that awareness moment; the two terms are equivalent for the purposes of the clock.
A breach is confirmed when the Security Officer documents, on the record, reasonable certainty that a qualifying personal-data breach has occurred. Confirmation requires that the investigation has identified (a) the categories of personal data involved, (b) at least an initial scope of affected individuals or systems, and (c) that the event meets the personal-data-breach definition above. If investigation-stage facts indicate that Customer Personal Data may be affected before confirmation, HiringCoachAI provides preliminary customer notice when required by the applicable DPA or law. The 72-hour regulator clock applies once a qualifying breach is confirmed under the applicable legal standard.
Controller vs. processor scope
For each breach, the Security Officer documents HiringCoachAI's role with respect to the affected data subjects:
- HiringCoachAI as controller (direct end users with no DPA-bound Customer in scope, or Customer personnel administering the service): Step 3 (processor-to-controller customer-administrator notification) does not apply. Step 4 applies directly to regulator and data-subject obligations.
- HiringCoachAI as processor (Customer personal data submitted under a DPA): Step 3 applies in addition to Step 4.
Workflow
1. Hour 0 (from suspicion): Suspected breach reported.
- Incident opened per incident response, Sev 1 or 2.
- Preserve evidence; do not delete logs.
2. Hour 0-24 (from suspicion): Investigation.
- Scope: what data, what individuals, what jurisdictions.
- Risk assessment: likelihood and severity of harm to affected data subjects.
- Confirm whether "personal data" is involved and what categories (contact info, resumes, payment tokens; note Stripe tokens do not themselves put users at risk).
- Investigation ends with an explicit confirm/decline decision by the Security Officer. If declined, document the basis for declination and close. If confirmed, document the role determination per the section above and start the notification clocks below from this moment.
3. Within 72 hours of confirmation: Customer-administrator notification (processor-to-controller).
- Applies only when HiringCoachAI is processor under a DPA-bound Customer relationship for the affected data subjects. Skip if HiringCoachAI is controller.
- Notify each affected Customer administrator per their DPA terms.
- This step runs in parallel with regulator and end-user drafting; it is not blocked by them.
- Initial notice may be preliminary if scope is still being finalized; include what is known and commit to follow-on updates as material facts are established.
4. Within 72 hours of confirmation: Regulator and end-user notification.
- Regulator notification is required only where the breach is likely to result in a risk to the rights and freedoms of natural persons (GDPR Art. 33(1)). The Security Officer documents the risk determination on the record. Low-risk breaches (e.g., loss of confidentiality of encrypted-at-rest data where the encryption key has not been compromised) may not trigger this step; the determination and supporting facts are retained as evidence.
- When required, regulator(s) are notified per the jurisdictional mapping above (GDPR/UK GDPR drive the 72-hour ceiling). The supervisory authority notification may be made in phases under GDPR Art. 33(4) where complete information is not yet available.
- End-user notification is required when the breach is likely to result in a high risk to the rights and freedoms of affected individuals (GDPR Art. 34(1)). Art. 34(3) exceptions apply where (a) the data was rendered unintelligible by encryption or equivalent measures; (b) subsequent measures have eliminated the high risk; or (c) individual notification would involve disproportionate effort, in which case a public communication or equivalent measure is used instead. The Security Officer documents which path applies.
- The Privacy Officer / data-protection contact owns drafting; legal review is obtained where available.
5. Post-notification.
- Public statement on the trust center for Sev 1 incidents.
- Remediation tracking.
- Post-mortem per incident response.
Limitations and exceptions
Notification under this policy is subject to the following limitations, which may delay, modify, or restrict the scope of notification:
- Law-enforcement hold. Where notification would impede a criminal or civil investigation, HiringCoachAI may delay notification at the documented written request of the responsible law-enforcement authority, court, or regulator. The hold is documented on the incident record with the requesting authority, scope, and expected duration. Notification proceeds once the hold is lifted or the legally permissible delay expires.
- National security and equivalent legal restrictions. Where applicable law (including national-security or court-order restrictions) prohibits or restricts disclosure of the breach or its details, HiringCoachAI complies with the legal restriction and documents the restriction's source and scope on the incident record. Notification is made to the extent legally permitted.
- Counsel-directed sequencing. Where outside counsel directs a specific notification sequence to satisfy multi-jurisdictional obligations or to avoid prejudicing other legal positions, the Security Officer follows that direction and records counsel's instruction on the incident record.
- Risk-based exemptions. As described in Step 4, regulator and end-user notification obligations are subject to the risk thresholds in GDPR Art. 33(1) and Art. 34(1), and to the Art. 34(3) exceptions. Determinations under these provisions are documented on the incident record.
Nothing in this section authorizes failure to notify where notification is legally required; all limitations apply only within the bounds of applicable law and the documented determination on the incident record.
Notification contents
Per GDPR Art. 33/34, notifications include:
- Nature of the breach; categories and approximate number of individuals and records.
- Name and contact of Privacy Officer / data-protection contact.
- Likely consequences.
- Measures taken / proposed.
Regulator contacts
- Lead EU supervisory authority: Irish Data Protection Commission (if/when EU presence established): contact form at dataprotection.ie.
- UK: Information Commissioner's Office (ICO): ico.org.uk/for-organisations/report-a-breach/.
- US state AGs: compiled list maintained by the Privacy Officer / data-protection contact on incident.
- California AG: oag.ca.gov/privacy/databreach/reporting.
User-facing notification template
HiringCoachAI maintains a breach-notification template for user-facing communications; current template language is available to DPA customers through [email protected].
Learning
Every breach notification triggers a policy review: which control failed, what changed, and evidence of improvement. Findings are captured in the post-mortem and fed into the secure development lifecycle's threat-modeling checklist.