The European Union (EU) adopted the General Data Protection Regulation (GDPR), which replaced the 1995 Data Protection Directive. The GDPR is widely regarded as the gold standard for comprehensive regulation of data protection and privacy.
The GDPR requires notification to the supervisory authority of any personal data breach “without undue delay and, where feasible”, within 72 hours of becoming aware of it unless the incident “is unlikely to result in a risk to the rights and freedoms of natural persons”. Almost every state in the US has a breach notification statute, requiring private or governmental entities to notify individuals of security breaches involving personally identifiable data and setting out what constitutes a security breach, notice requirements (such as timing and method) and exemptions (such as for encrypted information).
In South Africa, the Protection of Personal Information Act 4 of 2013 requires the Information Regulator, the national supervisory authority, to notify data subjects of breaches as soon as possible after discovery of the compromise. In Australia, the Privacy Act 1988 (as amended) contains, as one of its ‘Privacy Principles’, the rule that personal information about an individual collected for a particular purpose must not be used or disclosed for another purpose without the individual’s consent.