A company that suspects it may have suffered a data breach capable of causing "serious harm" to any affected data subjects has 30 days to investigate and conclude whether an eligible data breach has in fact occurred. The law does not define "serious harm", but we can assume it involves a significant degree of emotional, physical, reputational or financial damage.
The new law requires the notification statement to be prepared as soon as practicable and delivered to the Privacy Commissioner, as well as to the individuals to whom the relevant information relates or who are at risk from the breach. If individual notification is not practicable, the statement must be posted on the organisation's website and its contents must be publicised. Agencies and organisations can lodge their statement about an eligible data breach with the Commissioner via the Notifiable Data Breach statement form. Here is a flowchart that lists the steps to take following a potential data breach.
The US already has data breach notification laws on the books. The GDPR will implement breach notification across the EU in May 2018.