How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR gives you just 72 hours to report it to the Information Commissioner's Office (ICO). Missing that deadline — or reporting incorrectly — can lead to significant fines and reputational damage. This guide walks you through exactly how to report a data breach to the ICO, what counts as a notifiable breach, and how to handle the process under UK law.
What Is a Data Breach Under UK GDPR?
A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This definition comes directly from Article 4(12) of the UK GDPR and is enforced by the Information Commissioner's Office.
Breaches generally fall into three categories:
- Confidentiality breach: unauthorised or accidental disclosure of, or access to, personal data (e.g., an email sent to the wrong recipient).
- Integrity breach: unauthorised or accidental alteration of personal data (e.g., a database record tampered with).
- Availability breach: accidental or unauthorised loss of access to, or destruction of, personal data (e.g., ransomware encrypting customer records).
Importantly, not every breach needs to be reported. Only those likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO.
When Must You Report a Data Breach to the ICO?
You must report a notifiable breach to the ICO without undue delay, and within 72 hours of becoming aware of it. The clock starts the moment your organisation has a reasonable degree of certainty that a security incident has occurred and that personal data is affected.
Notifiable vs Non-Notifiable Breaches
Use this quick checklist to decide if a breach is notifiable:
| Scenario | Notifiable to ICO? | Notify Individuals? |
|---|---|---|
| Encrypted laptop stolen, strong encryption, key safe | Usually No | No |
| Email with customer list sent to wrong recipient | Yes | Possibly |
| Ransomware encrypting customer database | Yes | Likely Yes |
| Lost USB containing names only (no sensitive data) | Possibly No | No |
| Hacker exfiltrates passwords and financial details | Yes | Yes |
| Internal staff accidentally views colleague's file | Usually No | No |
What If You Miss the 72-Hour Deadline?
If you report later than 72 hours, you must provide reasons for the delay. The ICO accepts that some breaches take longer to investigate, but you should still notify as soon as possible and explain why the delay occurred. Failing to report a notifiable breach at all can result in fines of up to £8.7 million or 2% of global annual turnover, whichever is higher.
Step-by-Step: How to Report a Data Breach to the ICO
The ICO offers several reporting routes depending on the severity and your sector. Here is the standard process for most organisations:
- Contain the breach. Before reporting, take immediate action to stop the breach from spreading — isolate compromised systems, revoke credentials, or recover lost devices.
- Assess the risk. Determine the type of data involved, the number of individuals affected, and the potential harm (identity theft, financial loss, distress, discrimination, etc.).
- Decide if it's notifiable. If there's a risk to individuals' rights and freedoms, you must report. If unsure, the ICO recommends erring on the side of caution.
- Gather the required information. Compile facts about what happened, when, how, and the data involved (see the checklist below).
- Submit your report. Use the ICO's online reporting tool at ico.org.uk/for-organisations/report-a-breach, or call the breach helpline on 0303 123 1113 during office hours.
- Notify affected individuals if required. If the breach is likely to result in a high risk to individuals, you must tell them directly and in plain language.
- Document everything. Even non-notifiable breaches must be recorded internally under Article 33(5) of the UK GDPR.
- Follow up with the ICO. If you didn't have all the facts initially, provide updates in phases as your investigation continues.
What Information Does the ICO Need?
When submitting your report, the ICO will ask for specific details. Having these ready in advance can save critical time during the 72-hour window.
Required Information Checklist
- Your organisation's name, ICO registration number, and contact details
- Name and contact details of your Data Protection Officer (DPO), if applicable
- Date and time the breach occurred and was discovered
- A description of the breach (what happened and how)
- Categories of personal data involved (names, addresses, financial info, health data, etc.)
- Approximate number of individuals affected
- Approximate number of data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Whether affected individuals have been notified, and if not, why
If you don't have all the information within 72 hours, submit what you have and indicate that further details will follow. The ICO calls this a "phased notification".
How to Notify Affected Individuals
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify them directly without undue delay. This is separate from notifying the ICO.
What to Include in Your Notification
- A clear, plain-English description of the breach
- Name and contact details of your DPO or alternative contact
- Likely consequences of the breach
- Steps taken or planned to mitigate possible adverse effects
- Practical advice to help individuals protect themselves (e.g., change passwords, monitor bank statements)
When You Don't Need to Notify Individuals
You may be exempt from notifying individuals if:
- The data was encrypted and remains unintelligible to attackers
- You've taken subsequent measures ensuring the high risk is no longer likely to materialise
- Doing so would involve disproportionate effort — in which case a public communication (e.g., press release, website notice) may suffice
Common Mistakes to Avoid
Reporting a breach under pressure can lead to errors that worsen the situation. Watch out for these pitfalls:
- Waiting too long to start the clock. The 72-hour window begins when you become aware of the breach, not when your investigation completes.
- Under-reporting. Trying to downplay the breach can backfire if the ICO discovers the full scope later.
- Failing to document non-notifiable breaches. The ICO can ask to see your breach log at any time.
- Notifying individuals before the ICO when high risk applies. Both should happen promptly, but coordinate the messaging.
- Using technical jargon in individual notifications. Use plain English.
- Forgetting that processors must notify controllers immediately. If you're a data processor, your contract likely requires you to inform the controller without delay.
How to Prevent Future Data Breaches
Prevention is always cheaper than remediation. Strong technical and organisational measures (TOMs) reduce both the likelihood and severity of breaches.
Technical Measures
- End-to-end encryption for data at rest and in transit
- Multi-factor authentication (MFA) on all business accounts
- Regular patching and vulnerability management
- Endpoint protection and anti-malware tools
- Secure backups stored offline or in immutable storage
- Network segmentation to limit lateral movement
Organisational Measures
- Annual UK GDPR and security awareness training for all staff
- Clear data retention and minimisation policies
- A documented incident response plan, tested at least annually
- Vendor due diligence and Data Processing Agreements (DPAs)
- Role-based access control (least privilege principle)
Phishing remains one of the leading causes of UK data breaches. Many phishing attempts use disguised or shortened links to lure victims to malicious sites. Using a privacy-focused, transparent URL shortener like Lunyb for your own communications — and training staff to inspect link destinations before clicking — can significantly reduce the chance of credential theft incidents. You can learn more in our honest review of Lunyb or compare options in our 2026 URL shorteners buyer's guide.
What Happens After You Report?
Once your report is submitted, the ICO will acknowledge receipt and assign a case officer if the breach is significant. The investigation process typically follows these stages:
- Initial review: The ICO assesses whether the breach is correctly classified and proportionate measures were taken.
- Information requests: They may ask for additional documentation, such as your incident log, risk assessments, and policies.
- Decision: Outcomes range from "no further action" to formal reprimand, enforcement notice, or monetary penalty.
- Publication: Larger fines and reprimands may be published on the ICO website.
Cooperation, transparency, and demonstrating that you took the breach seriously generally lead to more favourable outcomes. The ICO has stated repeatedly that it values openness over perfection.
Special Cases: Sector-Specific Reporting
Some sectors have additional reporting obligations beyond the ICO:
| Sector | Additional Regulator | Deadline |
|---|---|---|
| Telecoms / ISPs | ICO (under PECR) | 24 hours |
| Financial services | FCA | Without delay |
| Health (NHS) | NHS Digital DSPT | 72 hours |
| Critical infrastructure | NCSC / NIS Regulator | 72 hours |
| Education | DfE (in some cases) | Varies |
If you operate in a regulated sector, build these additional notifications into your incident response plan.
FAQ: Reporting a Data Breach to the ICO
Do I need to report every data breach to the ICO?
No. You only need to report breaches that are likely to result in a risk to the rights and freedoms of individuals. However, you must keep an internal record of all breaches, even ones you decide not to report.
What happens if I report a breach more than 72 hours after discovering it?
You can still report, but you must explain the reason for the delay. Late reports without justification may be treated as a separate compliance failure and increase the risk of enforcement action.
Can I report a data breach anonymously?
No. The organisation responsible for the breach (the controller) must identify itself. However, individuals who are victims or whistleblowers can contact the ICO separately and may do so confidentially.
What if the breach was caused by a third-party processor?
The data controller is ultimately responsible for reporting to the ICO. The processor must notify the controller without undue delay so the controller can meet its 72-hour obligation. This responsibility should be set out clearly in your Data Processing Agreement.
How much can the ICO fine my organisation for a breach?
Maximum fines under UK GDPR are £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious infringements. Failure-to-notify breaches specifically carry a maximum of £8.7 million or 2% of turnover. In practice, fines vary enormously based on cooperation, severity, and remediation efforts.
Final Thoughts
Reporting a data breach to the ICO is rarely a pleasant task — but doing it correctly, promptly, and transparently is one of the strongest signals you can send that your organisation takes data protection seriously. Build a robust incident response plan now, train your staff, and keep your breach log up to date. When something does go wrong, you'll have the playbook ready, and the 72-hour clock won't feel quite so menacing.