
How to Report a Data Breach to the ICO: A Complete UK Guide

Lunyb Security Team
10 min read

If your organisation has suffered a personal data breach, UK GDPR gives you just 72 hours to notify the Information Commissioner's Office (ICO). Miss the deadline or get the report wrong, and you could face fines of up to £17.5 million or 4% of global annual turnover. This guide walks you through exactly how to report a data breach to the ICO, what counts as a notifiable breach, and how to handle the aftermath properly.

What Is a Personal Data Breach Under UK GDPR?

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to hacking incidents — losing a USB stick, sending an email to the wrong recipient, or having a laptop stolen all qualify.

The UK GDPR (as retained in UK law after Brexit) and the Data Protection Act 2018 set out three broad categories of breach:

  • Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
  • Integrity breach — unauthorised or accidental alteration of personal data.
  • Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data.

A ransomware attack, for example, can fall into all three categories at once.

When Must You Report a Data Breach to the ICO?

You must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock starts when you have a reasonable degree of certainty that a security incident has occurred and that personal data is affected — not when the investigation finishes.

Breaches You Must Report

Notify the ICO if the breach could result in any of the following:

  • Loss of control over personal data
  • Discrimination, identity theft or fraud
  • Financial loss
  • Damage to reputation
  • Loss of confidentiality of data protected by professional secrecy
  • Any other significant economic or social disadvantage to the individual

Breaches You Do Not Need to Report

You do not need to notify the ICO if the breach is unlikely to pose a risk. For example, if an employee's encrypted laptop is stolen but the encryption is strong and the keys are not compromised, the risk to data subjects is low.

Even when you do not report to the ICO, you must still document the breach internally. The ICO can ask to see your breach log during any audit.

Do You Also Need to Tell the Affected Individuals?

If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform them directly, without undue delay. This is a higher threshold than the ICO notification threshold. Communication to affected individuals should be in clear and plain language and include:

  1. A description of the nature of the breach
  2. The name and contact details of your Data Protection Officer (DPO) or another contact point
  3. The likely consequences of the breach
  4. The measures taken or proposed to address it, including steps to mitigate adverse effects

How to Report a Data Breach to the ICO: Step-by-Step

The ICO offers several reporting channels. Most organisations use the online self-assessment and reporting tool. Here is the process from start to finish.

Step 1: Contain the Breach

Before you report, take immediate action to limit damage. Disconnect compromised systems, revoke leaked credentials, recall misaddressed emails, and preserve evidence for forensic review. Containment does not delay your 72-hour reporting clock, but documenting it strengthens your submission.

Step 2: Assess the Risk

Use the ICO's self-assessment tool at ico.org.uk/for-organisations/report-a-breach. It asks structured questions about:

  • The type of personal data involved (basic identifiers, financial, health, special category data, children's data)
  • The volume of records affected
  • The category and number of data subjects
  • Whether the data was encrypted or pseudonymised
  • The likely consequences for individuals

Step 3: Gather the Required Information

The ICO will expect you to provide:

  1. Your organisation details — name, ICO registration number, sector, and DPO contact.
  2. Breach description — what happened, when, and how you discovered it.
  3. Data categories — what types of personal data were involved.
  4. Number of individuals affected — even an estimate is acceptable.
  5. Likely consequences — financial, reputational, physical, or emotional harm.
  6. Mitigation measures — what you have done and plan to do.
  7. Whether you have told affected individuals and how.

Step 4: Submit the Report

You have three main reporting channels:

  • Online form — the fastest method, available 24/7 via the ICO website.
  • Telephone — call the ICO helpline on 0303 123 1113 (Monday to Friday, 9am–5pm). Useful for live, complex incidents.
  • Out-of-hours — for breaches discovered outside working hours, submit the online form and follow up by phone the next working day.

Step 5: Handle Delayed or Incomplete Reports

If you cannot provide all information within 72 hours, submit what you have and explain the delay. You can then submit additional information in phases as your investigation progresses. The ICO accepts this — what they do not accept is silence past the deadline.

Information the ICO Will Ask For: Quick Reference

Category          | Examples of What to Provide
------------------|---------------------------------------------------------------------------
Nature of breach  | Cyber-attack, insider error, lost device, misdirected email
Data categories   | Names, addresses, financial data, health records, special category data
Volume            | Number of records and individuals affected (estimate if needed)
Discovery         | How and when you became aware of the breach
Consequences      | Likely harm to data subjects
Mitigation        | Containment actions, technical fixes, communications plan
Notifications     | Whether and how you have informed affected individuals

What Happens After You Report?

The ICO will acknowledge your submission and assign a case reference. Depending on severity, they may:

  • Take no further action — common for well-handled, low-impact incidents.
  • Request more information — usually within a few weeks.
  • Issue guidance or recommendations — for example, on improving your security posture.
  • Open a formal investigation — reserved for serious, repeated, or poorly handled breaches.
  • Impose enforcement action — reprimands, enforcement notices, or monetary penalties.

Cooperate fully and respond to ICO correspondence promptly. Defensive or evasive responses tend to escalate matters.

Common Mistakes to Avoid

Even experienced data controllers fall into avoidable traps when reporting breaches. Watch out for these:

Underestimating the 72-Hour Clock

The deadline runs from awareness, not from full investigation. Many organisations delay reporting hoping to gather complete details and end up missing the window. Submit a partial report on time and add detail later.

Failing to Document Non-Reportable Breaches

Even if you decide a breach is below the threshold, you must record your reasoning. The ICO can request your internal breach register at any time.

Confusing Processor and Controller Duties

If you are a processor (e.g. a SaaS vendor), you must notify the controller without undue delay. The controller, not the processor, reports to the ICO. Make sure your data processing agreements spell out timelines.

Forgetting to Notify Individuals

Reporting to the ICO is not the same as informing affected individuals. If the risk is high, both are required.

Treating the ICO as Adversarial

The ICO consistently states that organisations that report promptly and demonstrate accountability receive more favourable treatment than those that try to hide or downplay incidents.

Penalties for Failing to Report

Under UK GDPR, failure to notify the ICO within 72 hours can result in administrative fines of up to £8.7 million or 2% of global annual turnover, whichever is higher. More serious breaches of the regulation — for example, inadequate security measures that caused the breach — can attract fines of up to £17.5 million or 4% of turnover.

Recent ICO enforcement actions have made clear that the regulator focuses on:

  • Lack of basic security hygiene (unpatched systems, weak access controls)
  • Inadequate staff training
  • Poor or delayed breach response
  • Failure to honour data subject rights post-breach

How to Reduce Your Risk of a Breach

Prevention is always cheaper than notification. A strong baseline includes:

  1. Encrypt data at rest and in transit — encryption can reduce or eliminate the need to notify if keys remain secure.
  2. Enforce multi-factor authentication on all administrative and remote access accounts.
  3. Patch promptly — most successful attacks exploit known vulnerabilities.
  4. Train staff on phishing, secure email practices, and data handling.
  5. Audit shared links and external sharing — misconfigured cloud links are a leading cause of accidental disclosure. Tools like Lunyb let you create trackable, revocable short links so you can monitor and disable shared URLs the moment something looks wrong.
  6. Maintain an up-to-date breach response plan with named roles and a tested communication tree.
  7. Review processors and vendors annually — a breach at a supplier is still your breach to report.

If you work with shortened URLs for marketing or internal sharing, choosing a privacy-respecting provider matters. Our 2026 buyer's guide to URL shorteners compares the main options on data handling, while our honest review of Lunyb covers how its tracking and revocation features can support breach prevention.

Building a Breach Response Playbook

The best time to plan a breach response is before one happens. A solid playbook contains:

Roles and Responsibilities

Name your incident commander, DPO, legal lead, IT/security lead, communications lead, and executive sponsor. Include backups for each.

Decision Tree

A simple flowchart that helps the team decide: Is this a personal data breach? Is the risk high? Do we report to the ICO? Do we notify individuals?
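The decision tree above, encoded as a small triage routine so the reasoning is recorded consistently and the 72-hour clock is computed from the awareness time rather than from the end of the investigation. This is an added example, not the ICO's tool or Lunyb's code: the `Incident` and `Decision` types, the timestamp and the set of harms treated as "high risk" are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

ICO_WINDOW = timedelta(hours=72)  # runs from awareness, not from the end of the investigation
# Harms from the article's "must report" list treated here as "high risk" (assumed cut-off, not an ICO rule).
HIGH_RISK_HARMS = {"identity theft", "fraud", "financial loss", "discrimination"}
SAMPLE_AWARE = datetime(2026, 3, 1, 9, 0)  # constructed awareness timestamp for the examples

@dataclass
class Incident:
    aware_at: datetime                # reasonable certainty that personal data is affected
    personal_data: bool               # is any personal data in scope at all?
    encrypted: bool = False           # e.g. full-disk encryption on a lost laptop
    keys_compromised: bool = False    # were the encryption keys also exposed?
    special_category: bool = False    # health, biometric, etc.
    harms: frozenset = frozenset()    # likely consequences, e.g. frozenset({"identity theft"})
    role: str = "controller"          # "controller" or "processor"

@dataclass
class Decision:
    is_breach: bool
    report_to_ico: bool
    notify_individuals: bool
    ico_deadline: Optional[datetime] = None
    actions: List[str] = field(default_factory=list)

def triage(inc: Incident) -> Decision:
    """Walk the playbook's decision tree: breach? risk? report to the ICO? notify individuals?"""
    if not inc.personal_data:
        return Decision(False, False, False, actions=["Log as a security incident; no personal data involved"])
    d = Decision(True, False, False, actions=["Record in the internal breach register, with reasoning"])
    # Encrypted data with keys intact is the article's example of a breach unlikely to pose a risk.
    if inc.encrypted and not inc.keys_compromised and not inc.harms and not inc.special_category:
        d.actions.append("Not notifiable: document why and check for any availability impact")
        return d
    if inc.role == "processor":
        d.actions.append("Notify the controller without undue delay; the controller reports to the ICO")
        return d
    d.report_to_ico = True
    d.ico_deadline = inc.aware_at + ICO_WINDOW
    d.actions.append("Submit to the ICO before the deadline; send a partial report if details are incomplete")
    if inc.special_category or inc.harms & HIGH_RISK_HARMS:  # higher threshold than ICO notification
        d.notify_individuals = True
        d.actions.append("Inform affected individuals without undue delay, in clear and plain language")
    return d

def hours_remaining(d: Decision, now: datetime) -> Optional[float]:
    # Hours left on the 72-hour clock (negative once missed); None when no ICO report is due.
    return None if d.ico_deadline is None else (d.ico_deadline - now) / timedelta(hours=1)
```

Feed `triage()` the facts as they are known and re-run it as the investigation adds detail; the `actions` list doubles as the entry for the internal breach register that the ICO may ask to see.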

Templates

Prepare draft templates for the ICO submission, individual notifications, internal staff communications, and press statements. Filling in blanks at 2am is much easier than writing from scratch.

Tabletop Exercises

Run a simulated breach at least annually. Test whether your team can detect, contain, document, and report within the deadlines.

FAQs

How quickly must I report a data breach to the ICO?

You must report within 72 hours of becoming aware of the breach. If you cannot gather all details in time, submit a partial notification on time and supplement it later. Reporting late requires you to explain the reasons for the delay.

What if I am not sure whether the incident is a notifiable breach?

Use the ICO's self-assessment tool on their website. It guides you through risk-based questions and gives a recommendation. If in doubt, the ICO encourages reporting — under-reporting is treated more harshly than over-reporting.

Do I need to report a breach if data was encrypted?

Generally no, provided the encryption is strong, the keys were not compromised, and you can confirm the data remains inaccessible. You still need to record the incident internally and review whether any availability impact exists.

What happens if I miss the 72-hour deadline?

You can still report — and you should, immediately. Late reporting may itself attract a fine of up to £8.7 million or 2% of global turnover, but failing to report at all is far worse. Always explain the cause of any delay in your submission.

Who is responsible when a processor causes the breach?

The data controller is responsible for reporting to the ICO. The processor must notify the controller without undue delay so the controller can meet its 72-hour deadline. Contracts should specify clear notification timelines and cooperation duties.

Final Thoughts

Reporting a data breach to the ICO is not a formality — it is a legal duty with strict timelines, but it is also an opportunity to demonstrate accountability. Regulators consistently reward organisations that report promptly, communicate clearly, and act decisively to protect affected individuals. Build the playbook now, train your team, and ensure your security stack — from encryption to link management — supports both prevention and rapid response.
