
Reporting data breaches around the world

Our data privacy experts have compiled an interactive map showing the rules on reporting data breaches around the world.


In response to the EU’s corporate sustainability reporting requirements, the Ius Laboris data privacy expert group is focussing on ways to engender trust in organisations through transparency and accountability in the sphere of data privacy.

So that our international clients can take an informed view of whether or not a data breach is reportable, we have created this interactive map setting out the international obligations on breach reporting. In red countries, it is likely that the breach will need to be reported – in green, it may be that no formal report is necessary. The amber countries represent a middle ground. Of course, where a breach notification is not required, companies may still wish to proceed with notification for other reasons, as set out below.

Data breach reporting thresholds

Why data privacy matters for ESG

The GRI (Global Reporting Initiative) is an international independent standards organisation that helps businesses, governments, and other organisations understand and communicate their impacts on issues such as climate change, human rights, and corruption. Its management approach to CSR sets out the steps that management can take to ensure high levels of compliance with CSR standards. Its related customer privacy initiatives focus on how to deal with complaints received concerning breaches of privacy, and leaks, thefts and losses.

Ensuring that your business takes appropriate technical and organisational measures to ensure a level of security appropriate to the risk is not only a key part of demonstrating compliance with the EU GDPR and the UK GDPR, but also demonstrates a commitment to standards worldwide. Ensuring that data subjects know how their personal data is being processed, or has been impacted as part of a data breach, can also demonstrate a commitment to data subjects (whether they are employees or consumers).

Of course, a data controller’s obligations in reporting a data breach may be different to the way they choose to deal with transparency around a breach. For example, a breach may occur that involves employee data that does not need to be reported, but for reasons of transparency and trust, an employer may choose to inform employees anyway.

Should you have any questions on reporting data breaches, you can find a contact for your jurisdiction by writing to [email protected].


Alexander Milner-Smith
Partner - United Kingdom
Lewis Silkin