Related Posts
What is the midpoint salary of Band 8?
Please bada do yaar😂

Top consulting firms right there!!

Additional Posts in Privacy Law
Can you incorporate SCCs by reference in a DPA?
Anyone else dying this week 😅
New to Fishbowl?
Download the Fishbowl app to
unlock all discussions on Fishbowl.
unlock all discussions on Fishbowl.



Mentor
In the States, each state has a very black and white list of what qualifies and whe notification is required. Outside the states it varies. In the GDPR land, for example, it's about risk of harm.
In some cases yes, but those definitions, including the types of PI which are notifiable, are also often copy/paste by the legislature and can be “squishy.” Several states also include a risk of harm analysis. So the answer is more “it depends” than black and white.
In the U.S., it is about as black and white as anything in privacy or cybersecurity law. In the EU, less so.
You also should be factoring what your own contracts and your cyber policy consider a breach.
Echoing what others have said but also if you’re in-house checking with your incident response plan and knowing who in the org is responsible for determining if notification is made. Legal may sometimes advise if the requirement but might be the CISOs call