Response Timeframe

Definition

The legally mandated period within which organizations must respond to data subject rights requests, breach notifications, or regulatory inquiries. Under GDPR Article 12, controllers must respond to data subject requests 'without undue delay' and within one month, extendable by two months for complex requests with explanation. CCPA/CPRA requires responses within 45 days, extendable by 45 days with notice. Breach notification timeframes are typically stricter—GDPR requires notifying authorities within 72 hours of becoming aware of a breach, and notifying affected individuals 'without undue delay.' State breach laws vary from 'without unreasonable delay' to specific timeframes. Regulatory inquiry response times depend on the authority and matter urgency. Organizations should establish processes ensuring compliance with the shortest applicable timeframe, as delays can increase penalties. Best practices include automated request tracking, escalation procedures for complex requests, predefined extension triggers, and clear communication with requestors about timelines.

Applicable Laws & Regulations

  1. GDPR Article 12
  2. GDPR Article 33
  3. CCPA Section 1798.130
  4. CPRA Section 1798.130
