# breach-multi-jurisdiction

## Managing Multi-Jurisdiction Breach Notification

### Overview
When a data breach affects individuals in several legal jurisdictions, the controller must satisfy overlapping, and sometimes conflicting, notification requirements. The EU GDPR imposes a 72-hour deadline for notifying the supervisory authority; US state laws impose varying timelines and content requirements; and other jurisdictions (Canada, Australia, Brazil, Japan, South Korea) have their own regimes. This skill provides a framework for coordinating notification across those jurisdictions.
### Jurisdiction Mapping — Notification Requirements

#### European Union — GDPR (All Member States)
| Element | Requirement |
|---|---|
| Supervisory authority (SA) notification timeline | 72 hours from the controller becoming aware of the breach (Art. 33(1)) |
| SA notification threshold | Required unless the breach is "unlikely to result in a risk" to the rights and freedoms of natural persons |
| Data subject (DS) notification timeline | Without undue delay when the breach is likely to result in a "high risk" (Art. 34(1)) |
| Lead SA determination | One-stop-shop: the Art. 56 lead SA is determined by the controller's main establishment |
| Cross-border mechanism | The lead SA is notified; other concerned SAs are informed through the Art. 60 cooperation procedure |
| Content requirements | Art. 33(3)(a)-(d) for the SA notification; Art. 34(2) for the data subject communication |