How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR requires you to act fast. In most cases, you have just 72 hours to report a notifiable breach to the Information Commissioner's Office (ICO). Miss that deadline, fail to document the incident properly, or get the assessment wrong, and you could face fines of up to £8.7 million or 2% of global annual turnover for the notification failure itself, and up to £17.5 million or 4% if the underlying processing was unlawful.
This guide walks you through exactly how to report a data breach to the ICO, what counts as notifiable, what information you'll need, and how to handle communications with affected individuals. Whether you're a data protection officer, an IT manager, or a small business owner, this article gives you a practical roadmap to staying compliant.
What Is a Personal Data Breach Under UK GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. In short, it's any event that compromises the confidentiality, integrity, or availability of personal information your organisation holds.
Examples of personal data breaches include:
- A laptop containing customer records is stolen or lost.
- An employee accidentally emails a spreadsheet of personal data to the wrong recipient.
- A ransomware attack encrypts files containing personal information.
- A misconfigured cloud storage bucket exposes records to the public internet.
- Paper files are disposed of without proper shredding.
- A phishing attack gives an attacker access to staff email accounts.
Not every breach must be reported to the ICO, but every breach must be assessed and documented internally, regardless of severity.
When Must You Report a Data Breach to the ICO?
You must report a breach to the ICO without undue delay, and no later than 72 hours after becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals. The 72-hour clock starts the moment you have a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised, not when you finish investigating it.
Notifiable vs. Non-Notifiable Breaches
To decide whether a breach is notifiable, ask: could this incident result in physical, material, or non-material damage to individuals? That includes identity theft, financial loss, damage to reputation, discrimination, or loss of confidentiality.
| Scenario | Notifiable to ICO? | Notify Individuals? |
|---|---|---|
| Encrypted laptop lost (strong encryption, key not compromised, data backed up) | Usually no | No |
| Unencrypted USB with customer data lost | Yes | Likely yes |
| Email with names sent to wrong internal recipient | Usually no | No |
| Database of medical records exposed online | Yes (high risk) | Yes |
| Ransomware encrypts data with no backup | Yes (availability loss) | Depends on impact |
| Phishing attack exposes payroll data | Yes | Likely yes |
The 72-Hour Deadline Explained
If you can't gather all the facts within 72 hours, that's okay. The ICO allows phased reporting: submit what you know initially, then provide further information as your investigation progresses. What you cannot do is delay reporting because you haven't finished the investigation.
Step-by-Step: How to Report a Data Breach to the ICO
Here is the practical, sequential process for reporting a notifiable breach in the UK:
- Contain the breach. Take immediate action to stop further data loss. This may mean isolating systems, revoking credentials, recovering lost devices, or recalling emails.
- Convene your incident response team. Involve your Data Protection Officer (if you have one), IT/security lead, legal counsel, and senior management.
- Assess the risk. Identify what data was affected, how many individuals, the likelihood of harm, and the severity. Document your reasoning.
- Decide if it's notifiable. If the breach is likely to result in a risk to individuals, report it; if the case is borderline, lean toward reporting. The ICO would rather hear about a borderline case than discover an unreported breach later.
- Submit the report to the ICO. Use the ICO's online Report a Breach form at ico.org.uk, or call their breach helpline on 0303 123 1113 (option 3) for serious incidents.
- Notify affected individuals if required. If the breach is high risk, contact those affected without undue delay in clear, plain language.
- Document everything. Maintain an internal breach log covering facts, effects, and remedial action — even for non-notifiable incidents.
- Review and improve. Conduct a post-incident review and update policies, training, and controls accordingly.
What Information You Need to Report
The ICO's breach report form asks for specific details. Having these ready will speed up the process and reduce the chance of follow-up queries.
Required Information Checklist
- The nature of the breach, including categories and approximate number of individuals affected.
- The categories and approximate number of personal data records concerned.
- The name and contact details of your Data Protection Officer or other contact point.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate adverse effects.
- When the breach occurred and when you became aware of it.
- The cause of the breach (if known).
- Whether you have notified, or plan to notify, affected individuals.
Categories of Personal Data the ICO Asks About
The ICO will ask which types of data were involved. Categories typically include basic personal identifiers (name, address), financial data, identification data (passport, NI number), economic or social data, official documents, location data, online identifiers, and special category data (health, religion, biometrics, sexual orientation, etc.).
How to Submit the Report
You have three main routes to report a breach to the ICO:
1. Online Reporting Form
This is the preferred method for most organisations. Visit ico.org.uk and navigate to "Report a breach." The form is structured around the categories above and walks you through each step. You'll receive a reference number once submitted — keep it safe.
2. Telephone Reporting
For urgent or high-risk breaches, ring the ICO breach helpline on 0303 123 1113 (Monday to Friday, 9am to 5pm). Press option 3 for the personal data breach helpline. A caseworker can guide you through reporting in real time.
3. Reporting Other Types of Breaches
Different rules apply to certain sectors. Telecoms and internet service providers report personal data breaches to the ICO under PECR, where the deadline is 24 hours rather than 72. Trust service providers report under UK eIDAS. Under the NIS Regulations, relevant digital service providers report to the ICO as their competent authority, while operators of essential services report to their sector regulator. Always check whether sector-specific obligations apply alongside UK GDPR.
Notifying Affected Individuals
If a breach is likely to result in a high risk to individuals, you must inform them directly and without undue delay. "High risk" means a higher threshold than the one for reporting to the ICO — typically where the breach could lead to significant harm.
What to Tell Individuals
Your communication to affected individuals must be in clear, plain language and include:
- A description of the nature of the breach.
- The name and contact details of your DPO or contact point.
- The likely consequences of the breach.
- The measures you've taken or propose to take to mitigate it.
- Practical advice on what they can do to protect themselves (e.g., change passwords, monitor accounts, watch for phishing).
When you direct people to recovery pages, password reset links, or guidance documents, keep in mind that attackers routinely mimic breach notifications, and a link whose destination is hidden is exactly what recipients are told to distrust. If you include links at all, make them resolve to a domain your customers already recognise, and tell recipients that they can reach the same page by typing your main website address themselves. A branded short link on your own domain (a service like Lunyb lets you create them with click tracking) is preferable to a generic shortener, but it does not remove the need for that plain-language fallback.
When You Don't Have to Notify Individuals
You may be exempt from notifying individuals if:
- The data was encrypted or otherwise rendered unintelligible to unauthorised parties.
- You have taken subsequent measures that mean the high risk is no longer likely to materialise.
- Direct notification would involve disproportionate effort — in which case a public communication (e.g., a press release or website notice) is acceptable.
Penalties for Failing to Report
Failing to report a notifiable breach within 72 hours is itself a breach of UK GDPR. The ICO can issue fines of up to £8.7 million or 2% of global annual turnover, whichever is higher, for failure to notify. More serious infringements (such as unlawful processing) attract the higher tier of up to £17.5 million or 4%.
Beyond fines, unreported breaches that come to light later attract reputational damage, regulatory scrutiny, civil claims from affected individuals, and loss of customer trust. The ICO has consistently said that organisations which self-report promptly and cooperate are treated more leniently than those that try to hide incidents.
Building a Breach Response Plan
The best time to prepare for a breach is long before one happens. Every organisation that processes personal data should have a documented incident response plan covering:
- Detection and reporting channels — how staff report suspected incidents internally.
- Roles and responsibilities — who decides, who investigates, who communicates.
- Risk assessment templates — to evaluate severity and notifiability quickly.
- Communication templates — pre-drafted notifications for the ICO and individuals.
- Escalation paths — when to involve legal, PR, law enforcement, or cyber insurance.
- Recovery procedures — to restore services and remediate vulnerabilities.
- Post-incident review — to capture lessons learned.
Test your plan at least annually with a tabletop exercise. The middle of an actual breach is not the time to learn that your DPO's phone number is out of date.
Tools and Resources to Strengthen Your Posture
Good breach response starts with good data security hygiene. Encrypt sensitive data at rest and in transit, enforce multi-factor authentication, run regular phishing simulations, and minimise the personal data you hold in the first place. For practical reading on online security and digital tools, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb, which cover privacy-friendly link management practices.
Common Mistakes to Avoid
Even well-prepared organisations make avoidable errors during breach response. Watch out for these:
- Waiting until the investigation is complete. Report what you know within 72 hours; you can update later.
- Under-reporting scope. Don't downplay numbers to look better — accuracy matters more than optics.
- Forgetting the internal log. Even non-notifiable breaches must be documented.
- Inconsistent messaging. Coordinate between PR, legal, and customer service so affected individuals don't receive contradictory information.
- Skipping the post-mortem. Without lessons learned, you'll just repeat the same mistakes.
- Assuming encryption is a silver bullet. Encryption helps, but if keys are compromised or systems were accessed while unlocked, the data is still exposed.
Frequently Asked Questions
How long do I have to report a data breach to the ICO?
You must report a notifiable personal data breach to the ICO without undue delay, and no later than 72 hours after becoming aware of it. If you can't provide all the information at once, you can submit a partial report and follow up with further details as your investigation progresses.
What happens if I report a breach late?
Late reporting is itself a regulatory infringement. You must explain the reasons for the delay when submitting the report. The ICO may take enforcement action, including fines of up to £8.7 million or 2% of global annual turnover for failure to notify on time.
Do I need to report every data breach?
No. You only need to report breaches that are likely to result in a risk to the rights and freedoms of individuals. However, you must internally document every breach, including the facts, effects, and remedial action — even ones you decide not to report — so the ICO can verify your decision-making.
What's the difference between reporting to the ICO and notifying individuals?
The thresholds are different. You must report to the ICO when the breach is likely to result in a risk to individuals. You only have to notify the affected individuals when the breach is likely to result in a high risk to their rights and freedoms — a higher bar that usually means significant potential harm such as identity theft or financial loss.
Can I report a breach anonymously?
No. The ICO requires the name and contact details of your organisation and a designated contact point (typically the DPO). Anonymous reporting is not an option for data controllers. If you are a member of the public reporting concerns about another organisation, you can use the ICO's separate complaint route.
What if the breach happened at a third-party processor?
As the data controller, you remain responsible for reporting to the ICO; a processor does not report on your behalf. Your processor must notify you without undue delay after becoming aware of a breach, and your contracts should reflect this. The 72-hour clock for you starts when the processor informs you of the incident, so make sure the processor's notification route reaches someone who can act on it out of hours.