Skill Guide

Global data breach notification law (GDPR Art. 33/34, CCPA, LGPD, PIPL, SEC rules)

Global data breach notification law encompasses the mandatory legal frameworks requiring organizations to notify individuals and authorities of security incidents involving personal data, with specific requirements varying by jurisdiction.

This skill is critical for maintaining regulatory compliance, avoiding substantial fines (e.g., GDPR fines up to 4% of global turnover), and preserving corporate reputation during incidents. It directly impacts legal risk exposure, stakeholder trust, and operational resilience.
Careers: 1 | Categories: 1 | Avg Demand: 9.2 | Avg AI Risk: 15%

How to Learn Global data breach notification law (GDPR Art. 33/34, CCPA, LGPD, PIPL, SEC rules)

1. Master the core terminology: 'personal data,' 'processing,' 'controller,' 'processor,' and 'data subject.'
2. Understand the fundamental trigger criteria for notifications under GDPR (Art. 33: to authorities, Art. 34: to individuals) and CCPA.
3. Study the basic timelines: GDPR's 72-hour clock, CCPA's 'most expedient time possible.'

1. Apply knowledge through tabletop exercises simulating breach discovery.
2. Conduct a gap analysis: map a hypothetical breach scenario against the specific requirements of GDPR, CCPA, LGPD, PIPL, and SEC rules simultaneously.
3. Avoid the mistake of treating notification as a single event; learn to manage it as an iterative process with internal and external communications.

1. Architect a global incident response playbook that integrates notification workflows for all relevant jurisdictions into a single decision tree.
2. Lead cross-functional war games (legal, IT, comms) to stress-test the playbook.
3. Mentor teams on the strategic trade-offs between speed, accuracy, and legal privilege.

Practice Projects

Beginner
Case Study/Exercise

Notification Threshold Triage

Scenario

Your company, based in the US with EU customers, suffers a ransomware attack encrypting a server containing customer names and email addresses. Initial assessment shows no evidence of data exfiltration.

How to Execute
1. Define 'personal data' under GDPR (names and emails are personal data).
2. Assess if encryption alone constitutes a 'breach of security' under GDPR (it likely does, as it affects availability).
3. Determine if the breach is 'likely to result in a risk to the rights and freedoms of individuals' for Art. 34 notification.
4. Document your conclusion on whether Art. 33 (authority) and/or Art. 34 (individual) notifications are required.
Intermediate
Project

Multi-Jurisdictional Notification Matrix Development

Scenario

A multinational e-commerce platform discovers a breach affecting customer PII (names, addresses, partial payment data) for users in the EU, Brazil, and China.

How to Execute
1. Create a spreadsheet with columns for jurisdiction (EU/GDPR, Brazil/LGPD, China/PIPL), notification authority, individual notification threshold, timeline, required content, and potential penalties.
2. For each law, research and fill in the specific details (e.g., LGPD requires notification to ANPD and data subjects, PIPL requires notification to authorities).
3. Develop a consolidated 'Notification Decision' flowchart that starts with data location and ends with jurisdiction-specific action items.
4. Write draft notification content that meets the highest common denominator of information required across all three laws.
Advanced
Case Study/Exercise

SEC Materiality Assessment and Disclosed Breach Response

Scenario

Your publicly traded company (SEC registrant) experiences a breach of its source code repository. The code contains hardcoded API keys for a critical partner service, but no customer data. The breach is discovered by a third-party researcher.

How to Execute
1. Analyze the new SEC rules: determine if the incident is 'material' by assessing impact on financial condition, operations, or reputation.
2. Develop the rationale for materiality disclosure, focusing on operational disruption risk (partner service abuse) and reputational harm.
3. Draft the SEC Form 8-K filing, which must be made within four business days of the materiality determination.
4. Simultaneously, prepare parallel notifications for any relevant data protection authorities if any PII was in the repo (e.g., developer emails).

Tools & Frameworks

Legal & Regulatory Databases

OneTrust DataGuidance, IAPP GDPR Enforcement Tracker, Official Texts (GDPR, CCPA, LGPD, PIPL, SEC Rules)

Use these for authoritative, current legal texts, enforcement case summaries, and jurisdiction-specific guidance to inform notification decisions and playbook development.

Incident Response & Compliance Platforms

ServiceNow SecOps, IBM Resilient, LogicGate Risk Cloud

Leverage these platforms to operationalize the notification workflow: manage ticketing, track deadlines, generate reports, and maintain audit trails for regulatory evidence.

Mental Models & Methodologies

Legal Privilege Workflow, Stakeholder Communication Plan Template, Materiality Assessment Framework

Apply the Legal Privilege model to structure internal breach discussions; use a communication plan to sequence notifications (authorities first, then individuals, then media); employ the materiality framework for SEC disclosure.

Interview Questions

Answer Strategy

Demonstrate parallel processing and jurisdictional awareness. Answer: 'Hour 0-24: Activate IR team, contain breach, appoint legal counsel for privilege. Hour 24-48: Conduct preliminary assessment to confirm breach of security and evaluate risk under GDPR Art. 33. For CCPA, assess if the data includes defined categories. Hour 48-72: File GDPR Art. 33 notification to the lead supervisory authority (e.g., Irish DPC) if likely to result in risk. Prepare GDPR Art. 34 and CCPA notifications for dispatch pending authority guidance. SEC 8-K clock starts upon materiality determination, which runs in parallel.'

Answer Strategy

Test ability to translate legal concepts into business risk. Answer: 'I would frame it as a likelihood assessment of potential harm: does the breach create a realistic chance that individuals could suffer consequences like identity theft, financial loss, discrimination, or reputational damage? For example, encrypted data stolen is lower risk; unencrypted social security numbers stolen is high risk. The executive needs to understand this threshold determines if we face the higher burden and cost of notifying every affected individual.'
