
How to Report a Data Breach to the ICO: Complete UK Guide 2026

Lunyb Security Team
9 min read

If your organisation has suffered a personal data breach in the UK, you may have a legal obligation to report it to the Information Commissioner's Office (ICO) within 72 hours. Failing to do so can result in fines of up to £8.7 million or 2% of global annual turnover, whichever is higher. This comprehensive guide walks you through exactly how to report a data breach to the ICO, what counts as a notifiable breach, and how to handle the process correctly under UK GDPR and the Data Protection Act 2018.

What Is a Data Breach Under UK GDPR?

A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It does not need to be malicious — accidentally emailing a spreadsheet of customer details to the wrong recipient is a breach.

ICO and EDPB guidance groups breaches into three categories (a single incident can fall into more than one):

  • Confidentiality breach: Unauthorised or accidental disclosure of, or access to, personal data (e.g. hacking, lost laptop, mis-sent email).
  • Integrity breach: Unauthorised or accidental alteration of personal data.
  • Availability breach: Accidental or unauthorised loss of access to, or destruction of, personal data (e.g. ransomware, deleted files).

Do You Have to Report Every Breach to the ICO?

No. You only need to report a breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals. If the risk is unlikely, you don't have to report it — but you must still document it internally.

Examples of Breaches That MUST Be Reported

  • Loss of unencrypted devices containing personal data
  • Cyber-attacks resulting in stolen customer records
  • Ransomware that prevents access to personal data
  • Sending sensitive data (medical, financial) to the wrong recipient
  • Insider theft of employee or customer information

Examples That Likely Don't Require Reporting

  • Loss of an encrypted device with no evidence of compromise
  • An internal email sent to the wrong colleague who deletes it without reading
  • A backup system going offline temporarily with no data loss

When in doubt, err on the side of reporting, and record the risk assessment behind the decision either way. Under-reporting carries far greater regulatory risk than over-reporting.

The 72-Hour Rule: When Does the Clock Start?

Article 33 of the UK GDPR requires controllers to notify the ICO within 72 hours of becoming aware of a breach. "Awareness" means having a reasonable degree of certainty that a security incident has occurred and personal data has been compromised — not the moment you first suspect something.

If you cannot provide all required information within 72 hours, you can submit an initial report and follow up with additional details "in phases" without undue further delay. If you report after 72 hours, you must explain the reason for the delay.

How to Report a Data Breach to the ICO: Step-by-Step

Step 1: Contain the Breach

Before reporting, take immediate action to limit damage. Disconnect compromised systems, revoke credentials, isolate affected accounts, and preserve evidence for forensic investigation. Document every action with timestamps.

Step 2: Assess the Risk

Conduct a rapid risk assessment considering:

  1. Type of breach (confidentiality, integrity, availability)
  2. Nature, sensitivity, and volume of personal data involved
  3. Ease of identifying individuals from the data
  4. Severity of consequences for individuals (financial loss, identity theft, distress, discrimination)
  5. Special characteristics of those affected (children, vulnerable adults)
  6. Number of individuals affected

Step 3: Gather the Required Information

The ICO requires the following details:

  • Your organisation's name and contact details (including DPO if appointed)
  • Date, time, and duration of the breach
  • When and how you became aware
  • Nature of the breach and categories of data involved
  • Approximate number of data subjects and records affected
  • Likely consequences for affected individuals
  • Measures taken or proposed to address the breach and mitigate harm
  • Whether affected individuals have been notified

Step 4: Submit the Report

You can report a breach to the ICO through three channels:

  • Online form: Visit ico.org.uk and use the personal data breach reporting tool — the preferred and fastest method.
  • Telephone: Call the ICO breach helpline on 0303 123 1113 (option 3), available Monday to Friday, 9am–5pm.
  • Post: Only as a last resort due to delays.

Step 5: Notify Affected Individuals (If Required)

If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also notify them "without undue delay". The notification must be in clear, plain language and include:

  • The nature of the breach
  • Contact details of your DPO or breach contact
  • Likely consequences
  • Measures taken to mitigate harm
  • Advice on protective steps individuals can take (e.g. changing passwords, enabling two-factor authentication, monitoring bank accounts)

Step 6: Document Everything

Even if you decide not to report, you must keep a written record of all breaches, including the facts, effects, and remedial action. The ICO can request this register at any time.
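The six steps above as a worked example, added to this guide and not ICO tooling or code from the article: a small Python breach register that logs containment actions with timestamps (Step 1), computes the ICO deadline from the moment of awareness, derives which notifications are due from the organisation's role and the assessed risk (Steps 4 to 6), and says whether a submission was on time. The class, function and field names and the constructed case references and dates are assumptions; the 72-hour UK GDPR window and the 24-hour PECR window are the figures stated in this guide.

```python
"""Breach register helper: action log, 72-hour clock, obligations by
role/risk, and an on-time check.  Added example, not ICO tooling.
Class, function and field names are assumptions; the 72h (UK GDPR) and
24h (PECR) windows are the figures given in the guide."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from zoneinfo import ZoneInfo

LONDON = ZoneInfo("Europe/London")


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"      # document internally only
    RISK = "likely to result in a risk"            # report to the ICO
    HIGH_RISK = "likely to result in a high risk"  # ICO and the individuals


def _require_aware(dt: datetime, name: str) -> datetime:
    """Refuse naive timestamps: a deadline derived from one is ambiguous."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return dt


def london(text: str) -> datetime:
    """'YYYY-MM-DD HH:MM' typed as UK wall-clock time -> aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=LONDON)


def utc(text: str) -> datetime:
    """'YYYY-MM-DD HH:MM' in UTC -> aware datetime (handy for expected values)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass
class BreachRecord:
    reference: str               # internal case reference (constructed)
    aware_at: datetime           # reasonable certainty a breach occurred: starts the clock
    risk: Risk
    role: str = "controller"     # or "processor"
    pecr_provider: bool = False  # public electronic communications service (PECR)
    actions: list[tuple[datetime, str]] = field(default_factory=list)
    ico_reported_at: datetime | None = None

    def __post_init__(self) -> None:
        _require_aware(self.aware_at, "aware_at")

    def log_action(self, when: datetime, description: str) -> None:
        """Step 1: every containment action, with its timestamp."""
        self.actions.append((_require_aware(when, "when"), description))

    def window(self) -> timedelta:
        return timedelta(hours=24 if self.pecr_provider else 72)

    def ico_deadline(self) -> datetime:
        """Deadline in UTC.  The window is elapsed time, so it is added in
        UTC; wall_clock_deadline() below shows what goes wrong otherwise."""
        return self.aware_at.astimezone(timezone.utc) + self.window()

    def obligations(self) -> dict[str, bool]:
        """Steps 4-6: who must be told, derived from role and risk."""
        controller = self.role == "controller"
        return {
            "internal_record": True,  # always, whether or not you report
            "notify_controller": self.role == "processor",
            "report_to_ico": controller
            and (self.pecr_provider or self.risk is not Risk.UNLIKELY),
            "notify_individuals": controller and self.risk is Risk.HIGH_RISK,
        }

    def status(self, now: datetime) -> str:
        now = _require_aware(now, "now").astimezone(timezone.utc)
        if self.role == "processor":
            return "processor: notify the controller without undue delay"
        if not self.obligations()["report_to_ico"]:
            return "no ICO report required; keep the internal record"
        if self.ico_reported_at is not None:
            late = self.ico_reported_at.astimezone(timezone.utc) > self.ico_deadline()
            return "reported late; reasons for delay required" if late else "reported on time"
        remaining = self.ico_deadline() - now
        if remaining <= timedelta(0):
            return "OVERDUE; report now and give reasons for the delay"
        return f"{remaining.total_seconds() / 3600:.1f} hours left; phased report allowed"


def wall_clock_deadline(rec: BreachRecord) -> datetime:
    """The pitfall: a timedelta added to a Europe/London datetime moves the
    wall-clock fields, so across a clock change the result is an hour off in
    real time: an hour early in spring, an hour LATE in autumn (missed window)."""
    return (rec.aware_at + rec.window()).astimezone(timezone.utc)


if __name__ == "__main__":
    rec = BreachRecord("BR-2026-001", london("2026-03-27 10:00"), Risk.HIGH_RISK)
    rec.log_action(london("2026-03-27 10:05"), "isolated affected file server")
    print(rec.ico_deadline().astimezone(LONDON), rec.obligations())
    print(rec.status(london("2026-03-28 10:00")))
```

The one design choice worth noting is that the deadline is computed in UTC: a breach you become aware of on the Friday before the spring clock change gets a 72-hour deadline that lands at 11:00 BST, not 10:00, and the autumn change pushes the naive calculation the wrong way. Keep the register entries (including the `actions` log) even where `report_to_ico` is false, because that record is what the ICO asks for when it questions a decision not to report.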

Reporting Timeline at a Glance

Stage                   | Action                          | Deadline
------------------------|---------------------------------|------------------------------
Detection               | Identify and contain breach     | Immediately
Awareness               | Confirm breach has occurred     | Triggers the 72-hour clock
ICO notification        | Submit breach report            | Within 72 hours of awareness
Individual notification | Inform high-risk data subjects  | Without undue delay
Follow-up report        | Provide additional details      | As soon as available
Internal record         | Log breach in register          | Permanent

What Happens After You Report?

Once you submit your report, the ICO will acknowledge receipt and assign a case reference. They may then:

  • Take no further action if your response was adequate
  • Request further information or evidence
  • Provide guidance on remediation and individual notification
  • Open a formal investigation for serious breaches
  • Issue enforcement notices, reprimands, or fines

Most reported breaches result in informal advice rather than enforcement. Cooperation, transparency, and demonstrating strong post-incident remediation significantly reduce the likelihood of penalties.

Penalties for Failing to Report

Under the UK GDPR, failure to notify the ICO of a notifiable breach can attract administrative fines of up to:

  • £8.7 million, or
  • 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.

Separate breaches of other UK GDPR provisions (e.g. inadequate security under Article 32) can attract higher fines of up to £17.5 million or 4% of global turnover. The ICO has issued multi-million-pound fines to organisations including British Airways, Marriott, and Interserve for breach-related failings.

Common Mistakes to Avoid

  1. Waiting until you have all the facts: Submit an initial report within 72 hours and update later.
  2. Underestimating the scope: Always assume worst-case until proven otherwise during the investigation.
  3. Not training staff: Most breaches are first noticed by frontline employees who may not know how to escalate.
  4. Forgetting to notify individuals: ICO notification is separate from data subject notification.
  5. Poor documentation: An incomplete breach register is itself a UK GDPR violation.
  6. Failing to learn from the breach: Conduct a post-incident review and update policies.

How to Prevent Data Breaches in the First Place

Prevention is always cheaper than remediation. Key controls include:

  • Strong access controls and the principle of least privilege
  • Full-disk encryption on all laptops and portable devices
  • Mandatory multi-factor authentication on all accounts
  • Regular phishing simulations and staff training
  • Patch management and vulnerability scanning
  • Secure link sharing — never put session tokens or other credentials in URLs that get emailed or written to logs; where a tracked link must be shared, a privacy-respecting shortener like Lunyb keeps the full URL out of email bodies and intermediate logs, but the destination must still enforce its own authentication
  • Robust backup and disaster recovery testing
  • Vendor risk assessments for all data processors

For broader privacy hardening, see our guide on online privacy tips for UK residents. Organisations operating across borders should also review the latest ePrivacy regulations in Ireland if they handle Irish customer data.

Special Cases: Processors, Joint Controllers, and Communications Providers

If You Are a Processor

Processors must notify the controller "without undue delay" after becoming aware of a breach. The controller, not the processor, reports to the ICO.

If You Are a Communications Service Provider

Under the Privacy and Electronic Communications Regulations (PECR), public electronic communications service providers must report all personal data breaches to the ICO within 24 hours — a stricter standard than UK GDPR.

Joint Controllers

Joint controllers should agree in writing which party reports breaches. Both remain legally accountable.

Frequently Asked Questions

Can I report a data breach anonymously to the ICO?

No. Organisations must identify themselves when reporting under Article 33 of the UK GDPR. Separately, an individual who suspects their data has been mishandled can raise a concern with the ICO, and employees can make a whistleblowing disclosure to the ICO about their employer.

What if I miss the 72-hour deadline?

You should still report as soon as possible and explain the reason for the delay. Late reporting is better than no reporting, but the ICO will scrutinise the explanation. Persistent or unreasonable delays significantly increase the risk of enforcement action.

Do I need to report a breach if no one was actually harmed?

The test is whether the breach is likely to result in a risk — not whether harm has materialised. Many notifiable breaches involve potential rather than actual harm. Document your risk assessment carefully if you decide not to report.

Should I tell affected customers before reporting to the ICO?

You can do both in parallel, but the ICO must be notified within 72 hours regardless. In some cases (e.g. ongoing investigations) the ICO may advise on the timing of customer communications to avoid tipping off attackers.

How long does the ICO take to respond?

The ICO typically acknowledges reports within a few working days. Investigations can take weeks or months depending on complexity. Most cases conclude with no formal action, particularly where the organisation responded promptly and transparently.

Does the ICO publish details of reported breaches?

The ICO publishes aggregate statistics and details of cases that result in enforcement action (fines, reprimands, enforcement notices). Routine reports that don't lead to enforcement are not made public.

Final Thoughts

Reporting a data breach to the ICO is stressful, but it is also an opportunity to demonstrate accountability and rebuild trust. The organisations that fare best in the regulator's eyes are those that detect breaches quickly, contain them effectively, report transparently, and learn from the experience. Build a tested incident response plan now — long before you need it — and ensure every member of staff knows who to call when something goes wrong.

If you handle personal data in the UK, treat the 72-hour clock as a permanent feature of your operations. The cost of preparation is trivial compared to the cost of an unreported breach.
