How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR requires you to act fast. In most cases, you have just 72 hours to report a notifiable breach to the Information Commissioner's Office (ICO) — and getting it wrong can mean fines of up to £17.5 million or 4% of global annual turnover. This guide walks you through exactly how to report a data breach to the ICO, what information you'll need, and how to handle the days that follow.
What Counts as a Personal Data Breach Under UK GDPR?
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It doesn't have to involve a cyber attack — a misplaced laptop, an email sent to the wrong recipient, or a lost USB stick can all qualify.
The ICO recognises three broad categories of breach:
- Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data (e.g. a hacker steals your customer database).
- Integrity breach — unauthorised or accidental alteration of personal data (e.g. a malicious insider edits patient records).
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data (e.g. ransomware encrypts files and you have no backup).
Importantly, not every breach needs to be reported. You only need to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals — things like identity theft, financial loss, reputational damage, discrimination, or loss of confidentiality of data protected by professional secrecy.
The 72-Hour Reporting Rule Explained
Under Article 33 of the UK GDPR, controllers must notify the ICO of a notifiable breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it. The clock starts ticking the moment you have a reasonable degree of certainty that a security incident has led to personal data being compromised — not when the breach actually happened.
If you miss the 72-hour deadline, you can still report — but you must include reasons for the delay. The ICO takes a much harsher view of organisations that knew about a breach and sat on it than those that genuinely needed time to investigate.
What if you're a processor, not a controller?
If you process data on behalf of another organisation (the controller), your obligation is different: you must notify the controller without undue delay after becoming aware of a breach. The controller then decides whether to escalate it to the ICO.
Step-by-Step: How to Report a Data Breach to the ICO
Here is the practical process for reporting a notifiable breach.
- Contain the breach. Before anything else, stop the bleeding. Disable compromised accounts, revoke access tokens, isolate infected systems, or recall misdirected emails. Containment minimises the harm and shows the ICO you acted responsibly.
- Assess the risk. Determine what data was affected, how many people are involved, and what the realistic impact could be. Use a documented risk-assessment framework so your reasoning is defensible later.
- Decide if it's notifiable. If the breach is unlikely to result in a risk to individuals (for example, the data was strongly encrypted and the key wasn't compromised), you don't need to notify the ICO — but you must still record it internally.
- Gather your information. Before opening the report form, compile the facts: when the breach occurred, when you discovered it, what data was affected, categories and approximate numbers of data subjects, and what you've done to mitigate harm.
- Submit the report. For most personal data breaches, use the ICO's online Personal Data Breach Report Form at ico.org.uk. You can also call the ICO's breach helpline on 0303 123 1113 (option 3), which is useful outside office hours or for urgent matters.
- Notify affected individuals if required. If the breach is likely to result in a high risk to individuals, you must also tell them directly, in clear and plain language, without undue delay.
- Document everything. Whether or not you reported, keep a written record of the breach, its effects, and the remedial action taken. The ICO can ask to see this register at any time.
Information You Must Include in the Report
Article 33(3) of the UK GDPR sets out the minimum information your notification must contain. The ICO's online form maps closely to these requirements.
| Section | What to Provide |
|---|---|
| Nature of the breach | A description of what happened, including categories and approximate numbers of data subjects and records affected. |
| Contact point | Name and contact details of your Data Protection Officer (DPO) or other contact person. |
| Likely consequences | The realistic impact on individuals (e.g. risk of fraud, distress, identity theft). |
| Measures taken | What you have done — or propose to do — to address the breach and mitigate its effects. |
| Timeline | When the breach occurred, when you became aware, and reasons for any delay in reporting. |
If you don't have all the information within 72 hours, that's acceptable. Article 33(4) allows you to provide information in phases. Submit what you know, flag that the investigation is ongoing, and update the ICO as new facts emerge.
When You Must Also Notify the Individuals Affected
Notifying the ICO is only half the picture. If a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those people directly under Article 34. "High risk" is a higher bar than "risk" — think serious financial loss, identity fraud, exposure of special category data, or psychological harm.
Your notice to individuals must:
- Be written in clear and plain language.
- Describe the nature of the breach.
- Provide the DPO or contact point's details.
- Describe the likely consequences.
- Describe the measures taken or proposed.
You don't need to notify individuals if the data was rendered unintelligible (for example, encrypted with a strong, uncompromised key), if you've taken subsequent steps that make the high risk unlikely to materialise, or if notifying them would involve disproportionate effort — in which case a public communication is acceptable.
Common Examples of Reportable Breaches
To help you judge borderline cases, here are typical scenarios the ICO has confirmed as notifiable:
- Ransomware attack where personal data was accessed or exfiltrated.
- An employee emailing a spreadsheet of customer details to the wrong external address.
- A lost or stolen laptop containing unencrypted client records.
- A misconfigured cloud bucket exposing files to the public internet.
- Insider access abuse — a staff member viewing records they had no business reason to access.
- A phishing attack that compromised an email account containing personal correspondence.
Conversely, examples typically not reportable include a fully encrypted device being lost where the key remains secure, or a brief outage with no data loss or exposure.
What Happens After You Report
Once your report is submitted, the ICO will typically acknowledge it within a few working days and assign a case officer. They may:
- Ask for additional information or evidence.
- Request a copy of your internal breach log and risk assessment.
- Provide guidance on remediation or notification to data subjects.
- Take no further action if your handling was satisfactory.
- Open a formal investigation in serious cases.
The ICO generally prefers cooperation over punishment. Organisations that report promptly, demonstrate good-faith remediation, and have evidence of proper governance are far less likely to be fined than those who hide breaches or appear negligent.
Penalties for Failing to Report
Failing to notify the ICO when required is itself a breach of UK GDPR. Penalties fall into two tiers:
| Tier | Maximum Fine | Typical Triggers |
|---|---|---|
| Lower tier | £8.7 million or 2% of global turnover | Failure to notify, poor record-keeping, weak processor controls |
| Upper tier | £17.5 million or 4% of global turnover | Breach of core data protection principles, unlawful processing |
Beyond fines, the reputational damage of a high-profile, mishandled breach often dwarfs the regulatory penalty. Customer trust, once lost, is expensive to rebuild.
Reducing the Risk of Breaches in the First Place
Reporting is reactive — prevention is far cheaper. A few baseline practices substantially reduce breach risk:
- Encrypt data at rest and in transit. Encryption can mean a lost device isn't a notifiable breach at all.
- Use multi-factor authentication on every account that touches personal data.
- Limit data exposure in shared links. When sharing files, dashboards, or documents externally, use access-controlled links with expiry dates rather than open URLs. Privacy-conscious link tools like Lunyb let you create short, trackable links with built-in controls — useful when you need an audit trail of who clicked what.
- Run regular phishing simulations for staff. Most breaches start with a human click.
- Maintain an incident response plan with named roles, contact trees, and a rehearsed 72-hour playbook.
- Patch promptly. Unpatched software is involved in a significant share of reportable incidents.
For broader recommendations on safe link sharing and tracking tools, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.
Special Cases: PECR and Telecoms Breaches
If you're a communications service provider (an ISP, mobile network, or public electronic comms service), you have separate obligations under the Privacy and Electronic Communications Regulations (PECR). PECR breaches must be reported to the ICO within 24 hours of becoming aware, using a different form. These rules sit alongside, not in place of, UK GDPR obligations.
Maintaining Your Internal Breach Register
Whether or not you report to the ICO, every personal data breach must be documented internally. Your register should record:
- The facts of the breach (what, when, how discovered).
- Its effects and the categories/numbers of people affected.
- The remedial action taken.
- The decision on whether to notify the ICO and individuals — and the reasoning.
This register is one of the first things an ICO investigator will ask to see. A thorough log demonstrates accountability under Article 5(2) and can significantly reduce regulatory consequences.
Frequently Asked Questions
How long do I have to report a data breach to the ICO?
You have 72 hours from the moment you become aware of a notifiable breach. "Awareness" means having reasonable certainty that a security incident has compromised personal data — not the moment the incident actually happened. If you report later, you must explain why.
Do I have to report every data breach to the ICO?
No. You only need to report breaches that are likely to result in a risk to the rights and freedoms of individuals. Breaches with minimal impact — for example, where data was strongly encrypted and the key is safe — don't need to be reported, but you must still record them internally.
What happens if I report late or not at all?
Late reports are accepted but you must justify the delay. Failing to report a notifiable breach can attract fines of up to £8.7 million or 2% of global turnover under the lower tier of UK GDPR penalties. The ICO is generally more lenient with organisations that report late and explain honestly than with those that try to cover up breaches.
Can I report a data breach by phone?
Yes. The ICO operates a personal data breach helpline on 0303 123 1113 (select option 3). This is useful out of hours, for urgent breaches, or if you need guidance before completing the online form. Most reports, however, are submitted via the online form on ico.org.uk.
Do I need to tell affected customers about the breach?
You must notify affected individuals directly only if the breach is likely to result in a high risk to their rights and freedoms — for example, exposure that could lead to fraud, identity theft, or serious distress. The notification must be in clear, plain language and describe the breach, its consequences, and the steps you're taking.
Final Thoughts
A data breach is rarely a question of "if" — it's a question of "when" and "how prepared you are." The organisations that come out of breaches with their reputations intact are those that have practised the 72-hour process before they ever needed it: clear roles, a tested response plan, well-maintained records, and a culture of transparency with the ICO. Report quickly, report honestly, document everything, and treat the experience as the most expensive lesson your security programme will ever buy.