
How to Report a Data Breach to the ICO: A Complete UK Guide

Lunyb Security Team

If your organisation suffers a personal data breach, UK GDPR gives you just 72 hours to notify the Information Commissioner's Office (ICO). Miss the deadline, downplay the incident, or fail to document it properly, and you could face fines of up to £17.5 million or 4% of global annual turnover. This guide explains exactly how to report a data breach to the ICO, what counts as a reportable breach, and how to handle the process without making the situation worse.

What Is a Personal Data Breach Under UK GDPR?

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not limited to hacks or cyberattacks — a lost laptop, an email sent to the wrong recipient, or a misconfigured database can all qualify.

The ICO recognises three broad categories of breach:

  • Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
  • Integrity breach — unauthorised or accidental alteration of personal data.
  • Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data (including ransomware lockouts).

Examples of Reportable Breaches

  • An employee email account is compromised in a phishing attack.
  • A spreadsheet of customer details is sent to the wrong distribution list.
  • A backup tape or unencrypted USB stick goes missing.
  • A web application bug exposes user records to the public internet.
  • Ransomware encrypts a system containing personal data, even if no exfiltration occurred.

Do You Actually Need to Report It to the ICO?

Not every breach must be reported. Under Article 33 of the UK GDPR, you must notify the ICO only when the breach is likely to result in a risk to the rights and freedoms of individuals. If the risk is unlikely, you don't need to report — but you must still record it internally.

Risk Assessment Factors

To decide whether a breach is reportable, consider:

  1. Type of breach — confidentiality breaches involving sensitive data are usually higher risk.
  2. Nature and volume of data — health, financial, or special category data raises the stakes.
  3. Ease of identifying individuals — was the data encrypted, pseudonymised, or in plain text?
  4. Severity of consequences — could it lead to identity theft, fraud, discrimination, or reputational harm?
  5. Number of people affected — a breach affecting 10,000 customers is treated differently from one affecting two.
  6. Vulnerability of the individuals — children's or patients' data warrants extra caution.

When You Must Also Notify Affected Individuals

If the breach is likely to result in a high risk to people's rights and freedoms, you must also tell the affected individuals "without undue delay" (Article 34). This is a higher bar than the ICO threshold, but in practice many serious breaches will trigger both obligations.

The 72-Hour Rule: When the Clock Starts

You must report a notifiable breach to the ICO within 72 hours of becoming aware of it. "Aware" means you have a reasonable degree of certainty that a security incident has occurred and that it has compromised personal data — not the moment the breach itself happened.

The 72 hours include weekends and bank holidays. If you can't provide all the required information within the deadline, you can submit an initial report and follow up in phases — this is explicitly permitted by Article 33(4).

Step-by-Step: How to Report a Data Breach to the ICO

Step 1: Contain and Assess

Before reporting, take immediate action to limit the damage:

  • Isolate affected systems or revoke compromised credentials.
  • Recall misdirected emails where possible.
  • Engage your IT, security, and legal teams.
  • Preserve logs and evidence — don't wipe systems prematurely.

Step 2: Document Everything

Even non-reportable breaches must be logged. Maintain a breach register with:

  • Date and time the breach was discovered.
  • Description of what happened and how.
  • Categories and approximate number of data subjects affected.
  • Categories and approximate number of records affected.
  • Likely consequences.
  • Mitigation measures taken or planned.
  • Decision on whether to notify the ICO and individuals — with reasoning.

Step 3: Choose How to Report

The ICO offers several reporting channels depending on the type of breach:

Breach type                              How to report                                              Best for
General personal data breach             Online self-assessment and reporting tool at ico.org.uk    Most organisations
Urgent or complex breach                 ICO helpline: 0303 123 1113 (option 3)                     Live incidents requiring guidance
PECR breach (electronic communications)  Separate PECR breach form                                  Telecoms and ISPs
Trust service provider breach            eIDAS breach reporting form                                Qualified trust providers

Step 4: Complete the Online Breach Report

The ICO's online form walks you through a structured set of questions. Be ready with:

  1. Your organisation's details — name, ICO registration number, sector, contact details for the Data Protection Officer (DPO) or named contact.
  2. Breach summary — when it occurred, when you became aware, and how it was discovered.
  3. Cause — cyberattack, human error, lost device, insider, etc.
  4. Data categories — names, contact details, financial data, special category data, etc.
  5. Number of data subjects and records affected — provide ranges if exact figures aren't available yet.
  6. Likely consequences — financial loss, identity theft, distress, etc.
  7. Mitigation — what you've done and what's planned.
  8. Whether individuals have been informed — and if not, why not.

Step 5: Submit and Save the Reference Number

After submission, the ICO sends a confirmation with a case reference. Keep this with your breach record. The ICO may follow up with questions or request additional information.

Step 6: Notify Affected Individuals (If Required)

If the breach poses a high risk, contact affected individuals in clear, plain language. Tell them:

  • The nature of the breach.
  • The likely consequences.
  • Measures taken or proposed to address it.
  • Steps they can take to protect themselves (e.g., change passwords, monitor bank statements).
  • Contact details for the DPO or breach contact.
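The register described in Step 2 and the 72-hour rule above are easy to get wrong when the clock starts late on a Friday and exact counts are not yet known. The following is an added example, not code from Lunyb or the ICO's tool: a breach-register entry whose fields follow the Step 2 list, which computes the Article 33 deadline as plain calendar time from the moment of awareness, maps the assessor's risk level to the ICO and Article 34 obligations, and lists blank fields that a phased follow-up report would still need. The risk level is an input recorded from the human assessment, not something the code decides; the sample incident and all timestamps are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Article 33(1): 72 hours of calendar time from awareness; weekends and bank
# holidays are not excluded, so the deadline is plain wall-clock arithmetic.
ICO_WINDOW = timedelta(hours=72)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (naive timestamps are rejected below)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


class RiskLevel(Enum):
    """Outcome of the (human) risk assessment described in the guide."""
    UNLIKELY = "unlikely"  # record internally only
    RISK = "risk"          # notify the ICO (Article 33)
    HIGH = "high"          # notify the ICO and the affected individuals (Article 34)


@dataclass
class BreachRecord:
    """One breach-register entry; field names follow Step 2 of the guide."""
    discovered_at: datetime             # when you became aware, not when the breach happened
    description: str
    subject_categories: list[str]
    subjects_affected: tuple[int, int]  # (low, high) range; exact counts are often unknown at first
    record_categories: list[str]
    records_affected: tuple[int, int]
    likely_consequences: str
    mitigation: str
    risk_level: RiskLevel
    risk_reasoning: str                 # the documented reasoning the ICO can ask to see
    ico_reference: Optional[str] = None
    reported_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        if self.discovered_at.tzinfo is None:
            raise ValueError("discovered_at must be timezone-aware")

    def ico_deadline(self) -> datetime:
        return self.discovered_at + ICO_WINDOW

    def must_notify_ico(self) -> bool:
        return self.risk_level in (RiskLevel.RISK, RiskLevel.HIGH)

    def must_notify_individuals(self) -> bool:
        return self.risk_level is RiskLevel.HIGH

    def hours_remaining(self, now: datetime) -> float:
        """Hours left before the ICO deadline (negative once it has passed)."""
        return (self.ico_deadline() - now) / timedelta(hours=1)

    def report_status(self, now: datetime) -> str:
        """One of 'record-only', 'due', 'overdue', 'on-time' or 'late'."""
        if not self.must_notify_ico():
            return "record-only"
        if self.reported_at is not None:
            return "on-time" if self.reported_at <= self.ico_deadline() else "late"
        return "due" if now <= self.ico_deadline() else "overdue"

    def missing_fields(self) -> list[str]:
        """Blank fields that a phased follow-up report would still need to fill."""
        checks = {
            "description": self.description,
            "subject_categories": self.subject_categories,
            "record_categories": self.record_categories,
            "likely_consequences": self.likely_consequences,
            "mitigation": self.mitigation,
            "risk_reasoning": self.risk_reasoning,
        }
        return [name for name, value in checks.items() if not value]


def build_sample() -> BreachRecord:
    """Constructed example: a phishing compromise discovered late on a Friday."""
    return BreachRecord(
        discovered_at=utc(2024, 3, 15, 17, 30),   # Friday 17:30 UTC (constructed)
        description="Employee mailbox compromised via phishing; inbox held customer correspondence",
        subject_categories=["customers"],
        subjects_affected=(500, 2000),
        record_categories=["names", "contact details", "order history"],
        records_affected=(500, 2000),
        likely_consequences="Targeted phishing of customers using genuine order details",
        mitigation="Credentials reset, MFA enforced, mailbox access logs preserved",
        risk_level=RiskLevel.HIGH,
        risk_reasoning="Plain-text contact data for thousands of people, usable for convincing fraud",
    )


if __name__ == "__main__":
    rec = build_sample()
    print("ICO deadline:", rec.ico_deadline().isoformat())   # Monday 17:30 UTC, weekend included
    print("status on Saturday 17:30:", rec.report_status(utc(2024, 3, 16, 17, 30)))
    print("must notify individuals:", rec.must_notify_individuals())
```

The deadline is stored and compared as UTC so that a clock change over the weekend cannot shift it; the hypothetical `missing_fields` check is what turns "we were still investigating" into a concrete initial report with the gaps named for the follow-up.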

What Happens After You Report?

The ICO triages every report. Most cases are closed with no further action if your response was reasonable. In more serious cases, the ICO may:

  • Request additional information or evidence.
  • Issue an information notice or assessment notice.
  • Conduct an audit.
  • Issue a reprimand, enforcement notice, or monetary penalty.

Cooperating fully and demonstrating that you took the breach seriously is the single biggest factor in reducing potential penalties. The ICO's published decisions show that organisations which self-report promptly and remediate effectively are treated far more leniently than those that delay or obfuscate.

Common Mistakes That Lead to Bigger Fines

1. Missing the 72-Hour Deadline Without Justification

Late reports must include reasons for the delay. "We were still investigating" is not enough — you should submit a partial report and update later.

2. Underestimating the Scope

Reporting "around 100 records" when the true number is 100,000 looks like concealment. Use ranges and update them as the investigation progresses.

3. Failing to Inform Individuals When Required

The ICO has fined multiple organisations specifically for failing to notify data subjects of high-risk breaches.

4. No Documented Risk Assessment

If you decide a breach isn't reportable, you must record why. The ICO can ask to see your assessment at any time.

5. Weak Underlying Security

Many fines are issued not for the breach itself but for the underlying failures — unpatched systems, no MFA, weak passwords, or shared admin accounts. A breach often exposes pre-existing non-compliance.

Reducing Breach Risk: Practical Prevention

The best breach response is not having one in the first place. Core controls the ICO expects to see include:

  • Multi-factor authentication on all remote and admin access.
  • Encryption of data at rest and in transit.
  • Regular patching and vulnerability management.
  • Role-based access control with the principle of least privilege.
  • Staff training on phishing and data handling — most reported breaches still stem from human error.
  • Tested incident response and business continuity plans.
  • Careful management of shared links and short URLs. Public link sharing is a common source of accidental disclosure, so use a privacy-focused shortener like Lunyb with password protection and expiry dates rather than open public links.
  • Vetting of processors and third parties under Article 28 contracts.

For more on choosing privacy-respecting tools, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.

Special Cases

Breaches at a Processor

If your processor (e.g., a SaaS vendor) suffers a breach involving your data, they must notify you "without undue delay". The 72-hour clock starts when you, as the controller, become aware of the breach, which is usually when the processor tells you. Make sure your data processing agreements specify rapid notification.

Cross-Border Breaches

If the breach affects individuals in the EU as well as the UK, you may need to notify the ICO and one or more EU supervisory authorities. The UK is no longer part of the GDPR "one-stop-shop".

Cyber Incidents and the NCSC

For significant cyberattacks, also consider reporting to the National Cyber Security Centre (NCSC) and Action Fraud. These reports do not replace your ICO obligation but can support investigation and recovery.

Frequently Asked Questions

What is the deadline to report a data breach to the ICO?

You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. The clock includes weekends and bank holidays. If you cannot provide all the details in time, submit an initial report and follow up in phases.

What happens if I don't report a data breach?

Failing to report a notifiable breach can result in fines of up to £8.7 million or 2% of global annual turnover (whichever is higher) under UK GDPR — separate from any fine for the breach itself. The ICO may also issue reprimands, enforcement notices, or audit your organisation.

Do I need to report every data breach?

No. You only need to report breaches that are likely to result in a risk to the rights and freedoms of individuals. However, you must record every breach internally — including the reasoning for not reporting — so the ICO can review your assessment if asked.

How do I report a data breach to the ICO?

Use the ICO's online breach reporting tool at ico.org.uk for most cases, or call 0303 123 1113 (option 3) for urgent or complex incidents. You'll need details of the breach, affected data, number of individuals impacted, and mitigation steps taken.

Can I be fined even if I report the breach promptly?

Yes, but it's far less likely. Prompt self-reporting and effective remediation are mitigating factors the ICO weighs heavily. Most fines are issued for the underlying security failures or for failure to notify — not for the breach itself when it has been handled responsibly.

Should I tell my customers about a breach?

If the breach is likely to result in a high risk to their rights and freedoms — for example, exposure of passwords, financial data, or special category data — you must inform them without undue delay. Communicate in plain language and tell them what they can do to protect themselves.

Final Thoughts

Reporting a data breach to the ICO is stressful, but the framework is designed to be workable. The organisations that come out best are those that prepare in advance: a documented incident response plan, a trained team, clear roles, and tested escalation paths. Treat the 72-hour rule as a forcing function, not a finish line — the goal is honest, well-evidenced communication with the regulator and the people whose data you hold.

Get the basics right, document your decisions, and report early rather than late. The ICO is far more interested in seeing accountability in action than in punishing organisations that handle a bad day responsibly.
