How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation suffers a personal data breach, UK GDPR gives you just 72 hours to report it to the Information Commissioner's Office (ICO). Miss that window, get the facts wrong, or fail to notify affected individuals when required, and you risk fines of up to £17.5 million or 4% of global annual turnover. This guide walks you through exactly how to report a data breach to the ICO, what counts as a notifiable incident, and how to handle the aftermath.
What Is a Personal Data Breach Under UK GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is broader than just a cyberattack — it covers human error, lost devices, misdirected emails, and even ransomware that simply makes data unavailable.
The ICO recognises three categories of breach:
- Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach — unauthorised or accidental alteration of personal data.
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data.
Examples include a stolen laptop containing customer records, an email sent to the wrong recipient with attached payroll data, a ransomware attack encrypting your CRM, or a developer accidentally exposing a database to the public internet.
Do You Actually Need to Report It to the ICO?
Not every breach requires notification. Under Article 33 of the UK GDPR, you must report a breach to the ICO unless it is unlikely to result in a risk to the rights and freedoms of natural persons. If in doubt, report it — under-reporting is treated far more harshly than over-reporting.
When You Must Report
- Financial data, login credentials, or payment information has been exposed.
- Special category data (health, biometrics, ethnicity, sexual orientation, religion) is involved.
- Large volumes of personal data are affected.
- Vulnerable individuals (children, victims of abuse) could be harmed.
- The breach could lead to identity theft, fraud, reputational damage, or discrimination.
When You Probably Don't Need to Report
- The data was strongly encrypted and the key remains secure.
- Only minimal, non-sensitive data was affected (e.g., a single business email address).
- The data was recovered quickly with no evidence of access.
Even if you decide not to notify the ICO, you must document the breach internally, including your reasoning. The ICO can ask to see your breach log at any time.
The 72-Hour Rule Explained
The clock starts the moment you become "aware" of the breach — meaning you have a reasonable degree of certainty that a security incident has occurred and personal data has been affected. It does not start when the breach happened, nor does it pause at weekends or bank holidays.
If you cannot provide all the information within 72 hours, submit what you have and explain that further details will follow in phases. The ICO accepts phased reporting; it does not accept silence.
Step-by-Step: How to Report a Data Breach to the ICO
Step 1: Contain the Breach
Before reporting, take immediate action to limit damage. Disconnect compromised systems, revoke credentials, recall misdirected emails, or remotely wipe lost devices. Preserve evidence — logs, screenshots, and email headers — for both the ICO and any subsequent forensic investigation.
Step 2: Assess the Risk
Document what happened, what data is involved, how many people are affected, and the likely consequences. The ICO will expect you to explain your risk assessment, so be thorough. Consider:
- The type and sensitivity of the data.
- The ease of identifying individuals from the data.
- The severity of potential consequences.
- Whether the data was encrypted or pseudonymised.
- The number of affected individuals.
Step 3: Choose the Right Reporting Channel
The ICO offers several reporting routes depending on the type of incident:
| Breach Type | How to Report | Hours |
|---|---|---|
| Personal data breach (general) | Online form at ico.org.uk or call 0303 123 1113 | Mon–Fri, 9am–5pm |
| Cyber incident | Dedicated cyber breach online form | 24/7 online submission |
| PECR breach (e-marketing, cookies) | Separate PECR security breach form | Online |
| Communications service provider | Telecoms-specific reporting route | Online |
Step 4: Complete the Online Form
The ICO's online breach reporting form will ask for:
- Your organisation's name, ICO registration number, and contact details.
- A description of the breach — what happened, when, and how it was discovered.
- Categories and approximate number of data subjects affected.
- Categories and approximate number of personal data records affected.
- The likely consequences for individuals.
- Measures taken or proposed to address the breach and mitigate harm.
- Whether you have notified affected individuals (and if not, why).
- Your Data Protection Officer's contact details (if applicable).
Step 5: Notify Affected Individuals (If Required)
Under Article 34, if the breach is likely to result in a high risk to individuals' rights and freedoms, you must inform them without undue delay. The notification must be in clear, plain language and include:
- The nature of the breach.
- The name and contact details of your DPO or a contact point.
- Likely consequences.
- Steps taken or planned to address the breach.
- Advice on what individuals can do to protect themselves.
Step 6: Document Everything
Keep a detailed internal breach register, even for incidents you did not report. Include facts, effects, and remedial actions. This is a legal requirement, and the ICO regularly asks to see it during investigations and audits.
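As an added example (not code from the original article, and not an ICO tool), here is a small Python breach-register helper that ties Step 2 through Step 6 and the 72-hour rule together: it computes the reporting deadline from the moment of awareness rather than the moment of occurrence, applies the reporting triggers and mitigating factors listed above as a first-pass triage, and records the decision together with its reasoning in an Article 33(5)-style entry that supports phased updates. The volume thresholds, the `Breach` fields and the two sample incidents are constructed for illustration; the triage is a checklist of the article's criteria, not the ICO's assessment method, and the final call remains a human one.

```python
"""Breach register and triage helper (illustrative; thresholds are constructed)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

REPORTING_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours from awareness
LARGE_VOLUME = 1_000                     # constructed threshold, not an ICO figure
MINIMAL_VOLUME = 5                       # constructed threshold, not an ICO figure
UTC = timezone.utc


class Action(Enum):
    LOG_ONLY = "document internally; ICO notification not required"
    NOTIFY_ICO = "notify the ICO within 72 hours"
    NOTIFY_ICO_AND_INDIVIDUALS = "notify the ICO and affected individuals"


@dataclass
class Breach:
    reference: str
    occurred_at: datetime              # when the incident happened (for the record)
    aware_at: datetime                 # when you became aware: this starts the clock
    facts: str
    data_categories: tuple
    subjects_affected: int
    remedial_actions: list = field(default_factory=list)
    special_category: bool = False     # health, biometrics, ethnicity, ...
    credentials_or_financial: bool = False
    vulnerable_individuals: bool = False
    encrypted_key_secure: bool = False # strong encryption, key not compromised
    recovered_no_access: bool = False  # e.g. misdirected email deleted unread


def ico_deadline(b: Breach) -> datetime:
    """The window runs from awareness and never pauses for weekends or holidays."""
    return b.aware_at + REPORTING_WINDOW


def hours_remaining(b: Breach, now: datetime) -> float:
    """Negative means the window has closed: report anyway and explain the delay."""
    return (ico_deadline(b) - now) / timedelta(hours=1)


def triage(b: Breach):
    """Return (Action, reasons); the reasons are kept whatever the outcome."""
    reasons = []
    # Mitigating factors: the breach is unlikely to result in a risk to individuals.
    if b.encrypted_key_secure:
        reasons.append("data strongly encrypted and key remains secure")
    if b.recovered_no_access:
        reasons.append("data recovered quickly with no evidence of access")
    if reasons:
        return Action.LOG_ONLY, reasons
    # High-risk triggers: Article 34 requires telling the individuals too.
    if b.special_category:
        reasons.append("special category data involved")
    if b.credentials_or_financial:
        reasons.append("financial data, credentials or payment information exposed")
    if b.vulnerable_individuals:
        reasons.append("vulnerable individuals could be harmed")
    if reasons:
        return Action.NOTIFY_ICO_AND_INDIVIDUALS, reasons
    # Risk without high risk: the ICO is notified, individuals need not be.
    if b.subjects_affected >= LARGE_VOLUME:
        return Action.NOTIFY_ICO, ["large volume of personal data affected"]
    if b.subjects_affected <= MINIMAL_VOLUME:
        return Action.LOG_ONLY, ["only minimal, non-sensitive data affected"]
    return Action.NOTIFY_ICO, ["risk cannot be ruled out; report when in doubt"]


def register_entry(b: Breach, now: datetime) -> dict:
    """One register record: facts, effects, remedial action, decision and reasoning."""
    action, reasons = triage(b)
    return {
        "reference": b.reference,
        "occurred_at": b.occurred_at.isoformat(),
        "aware_at": b.aware_at.isoformat(),
        "ico_deadline": ico_deadline(b).isoformat(),
        "hours_remaining_at_record": round(hours_remaining(b, now), 1),
        "facts": b.facts,
        "data_categories": list(b.data_categories),
        "subjects_affected": b.subjects_affected,
        "remedial_actions": list(b.remedial_actions),
        "decision": action.name,
        "reasoning": reasons,
        "updates": [],  # phased reporting: later findings are appended here
    }


def add_update(entry: dict, when: datetime, note: str) -> dict:
    """Phased reporting: append new findings; never overwrite the original record."""
    entry["updates"].append({"at": when.isoformat(), "note": note})
    return entry


# Constructed sample incidents (not real cases).
SAMPLE_LAPTOP = Breach(
    reference="BR-0001",
    occurred_at=datetime(2024, 3, 1, 18, 30, tzinfo=UTC),   # stolen Friday evening
    aware_at=datetime(2024, 3, 4, 9, 15, tzinfo=UTC),       # reported Monday morning
    facts="Unencrypted laptop with customer records stolen from a car",
    data_categories=("names", "addresses", "card details"),
    subjects_affected=2_400,
    remedial_actions=["remote wipe requested", "police report filed"],
    credentials_or_financial=True,
)
SAMPLE_EMAIL = Breach(
    reference="BR-0002",
    occurred_at=datetime(2024, 3, 5, 11, 2, tzinfo=UTC),
    aware_at=datetime(2024, 3, 5, 11, 6, tzinfo=UTC),
    facts="Payroll spreadsheet emailed to wrong internal recipient; recalled",
    data_categories=("names", "salaries"),
    subjects_affected=40,
    remedial_actions=["recipient confirmed deletion in writing"],
    recovered_no_access=True,
)

if __name__ == "__main__":
    import json
    now = datetime(2024, 3, 5, 12, 0, tzinfo=UTC)
    for sample in (SAMPLE_LAPTOP, SAMPLE_EMAIL):
        print(json.dumps(register_entry(sample, now), indent=2))
```

Note that the laptop case shows why the awareness time matters: the theft happened on Friday evening, but the clock starts on Monday at 09:15 when the loss is reported internally, and runs through to Thursday 09:15 with no pause. The email case ends up as a logged, non-reported breach, and the entry still records why.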
What Happens After You Report?
Once submitted, the ICO will acknowledge your report (usually within seven days) and assign a case officer if the incident warrants further investigation. They may:
- Take no further action if your response was adequate.
- Request additional information or evidence.
- Issue formal advice or a reprimand.
- Open a formal investigation leading to enforcement action.
- Impose a monetary penalty (fine).
Cooperation, transparency, and a clear remediation plan significantly reduce the likelihood of a fine. The ICO has repeatedly stated that organisations which self-report promptly and act decisively are treated more leniently than those that conceal or delay.
Penalties for Non-Compliance
Failing to report a notifiable breach within 72 hours, or failing to notify affected individuals, is itself a separate infringement. Penalties fall into two tiers:
| Tier | Maximum Fine | Applies To |
|---|---|---|
| Standard | £8.7 million or 2% of global turnover | Failure to report a breach, poor record-keeping |
| Higher | £17.5 million or 4% of global turnover | Breaches of core data protection principles or individual rights |
Real-world examples include British Airways (a far larger penalty was originally proposed, reduced to a final £20 million), Marriott (£18.4 million), and Interserve (£4.4 million for failing to keep employee data secure).
Common Mistakes to Avoid
- Delaying the clock by claiming you weren't "sure" a breach had occurred. The ICO sees through this.
- Under-reporting numbers in the initial submission. Use ranges and update later.
- Forgetting to notify individuals when high risk exists.
- Poor internal communication — staff should know who to alert and how.
- No documentation of breaches you chose not to report.
- Ignoring the supply chain — processor breaches must also be reported by the controller.
How to Reduce Breach Risk in the First Place
Prevention is far cheaper than remediation. Practical measures include:
- Encrypt personal data at rest and in transit.
- Enforce multi-factor authentication on all business accounts.
- Train staff to recognise phishing and social engineering.
- Run regular penetration tests and vulnerability scans.
- Limit data retention — you can't lose what you don't hold.
- Be cautious when sharing links externally. Use a privacy-focused link manager such as Lunyb to create trackable, revocable short URLs that don't leak sensitive parameters or referrer data when sharing internal resources.
- Maintain an up-to-date incident response plan and rehearse it annually.
For organisations that share marketing or internal links at scale, choosing a tool with strong privacy controls is part of a layered defence. See our 2026 buyer's guide to URL shorteners for a comparison of options with GDPR-compliant data handling.
Special Cases
Breaches Involving Processors
If your data processor (e.g., a cloud provider) suffers a breach, they must notify you "without undue delay". The 72-hour clock for you begins when the processor informs you. Make sure your data processing agreements specify rapid notification timelines.
Cross-Border Breaches
If you process data of individuals in the EU as well as the UK, you may also need to notify the relevant EU lead supervisory authority under EU GDPR. The ICO and EU regulators no longer operate the one-stop-shop together post-Brexit, so dual reporting may be required.
Cyber-Specific Obligations
Operators of essential services and digital service providers under the NIS Regulations have separate reporting duties to the ICO or other competent authorities, with different thresholds and timelines.
Frequently Asked Questions
How long do I have to report a data breach to the ICO?
You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. If you cannot provide all the details in that window, you can submit an initial report and follow up in phases, explaining the reasons for any delay.
What if I'm not sure whether to report?
If you genuinely cannot decide, the ICO's guidance is to err on the side of reporting. You can also call the ICO breach helpline on 0303 123 1113 for confidential advice. Document your decision-making process either way.
Do I need to tell my customers about every breach?
No. You only need to notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms. Lower-risk breaches still require ICO notification (where applicable) but not individual notification.
Can I be fined just for reporting late?
Yes. Late reporting is itself an infringement under UK GDPR, with fines of up to £8.7 million or 2% of global turnover. However, the ICO usually treats late but voluntary reports more leniently than breaches it discovers independently.
What records do I need to keep?
You must maintain an internal breach register documenting the facts, effects, and remedial actions for every personal data breach — even those you did not report to the ICO. There is no prescribed format, but it must be sufficient to demonstrate compliance with Article 33(5).
Final Thoughts
Reporting a data breach to the ICO is stressful, but the process is well-defined. Move quickly, document everything, be honest about what you know and don't know, and prioritise the people affected. Organisations that handle breaches transparently typically emerge with their reputation intact — and often a stronger security posture than before. Build the muscle memory now, before you need it: write your incident response plan, run a tabletop exercise this quarter, and make sure every employee knows the first phone number to dial when something goes wrong.