How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR gives you just 72 hours to notify the Information Commissioner's Office (ICO). Miss that deadline, fail to provide adequate detail, or under-report a serious incident, and you could face significant fines and reputational damage. This guide explains exactly how to report a data breach to the ICO, what counts as a notifiable breach, and the steps to take from the moment you discover an incident.
What Is a Personal Data Breach Under UK GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to hackers stealing information — it includes any incident where the confidentiality, integrity, or availability of personal data is compromised.
Common examples of personal data breaches include:
- A laptop, USB stick, or paper file containing customer data being lost or stolen
- An email sent to the wrong recipient containing personal information
- A ransomware attack that encrypts files containing employee or customer records
- Unauthorised access to a database by an employee or third party
- A misconfigured cloud storage bucket exposing personal data to the public internet
- Accidental deletion of personal data without an available backup
Crucially, a breach does not always involve malicious intent. An employee accidentally emailing a spreadsheet of contacts to the wrong client is just as much a breach as a sophisticated cyberattack.
Do You Have to Report Every Breach to the ICO?
No. You only need to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. However, you must document every breach internally, regardless of whether you report it externally.
When Reporting Is Required
You must report the breach to the ICO if there is a risk of:
- Discrimination, identity theft, or fraud
- Financial loss
- Damage to reputation
- Loss of confidentiality of data protected by professional secrecy
- Any other significant economic or social disadvantage
When Reporting Is Not Required
You typically do not need to notify the ICO if the breach is unlikely to result in any risk — for example, if the affected data was strongly encrypted, the decryption key remains secure, and the data was never accessed in readable form. You still need to log the incident internally with a justification for not reporting.
When You Must Also Notify Affected Individuals
If the breach is likely to result in a high risk to individuals' rights and freedoms, you must inform those individuals directly, in clear and plain language, without undue delay.
The 72-Hour Rule Explained
Article 33 of UK GDPR requires controllers to notify the ICO of a notifiable breach within 72 hours of becoming "aware" of it. The clock starts when you have a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised — not when you first suspect a problem.
The 72 hours includes weekends and bank holidays. If you cannot provide all the required information within 72 hours, you can submit a phased report — the ICO accepts initial notifications followed by updates as your investigation progresses.
If you report after 72 hours, you must include reasons for the delay. The ICO does not automatically penalise late reports, but unjustified delays can be treated as an aggravating factor.
How to Report a Data Breach to the ICO: Step-by-Step
The ICO offers several reporting channels depending on the nature and severity of the breach. Follow these steps to ensure a compliant and effective notification.
Step 1: Contain the Breach
Before you report, take immediate action to limit further damage. This might include:
- Isolating affected systems from the network
- Revoking compromised credentials and resetting passwords
- Recalling mis-sent emails where possible
- Recovering lost devices or remotely wiping them
- Preserving logs, disk images, and mail-server records before wiping or rebuilding systems, so you can still establish what data was affected and when
- Engaging your incident response team or external forensic specialists
Step 2: Assess the Risk
Quickly evaluate the nature of the data involved, the number of individuals affected, the likelihood of harm, and the potential severity of consequences. This assessment determines whether the breach is notifiable.
Step 3: Gather the Required Information
Before contacting the ICO, prepare the following:
- The nature of the breach and categories of personal data affected
- Approximate number of individuals and records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Contact details for your Data Protection Officer or designated contact
- The date and time the breach occurred and was discovered
Step 4: Choose Your Reporting Channel
The ICO provides different routes depending on the nature of the incident:
| Reporting Channel | When to Use | Availability |
|---|---|---|
| ICO online breach reporting form | Most personal data breaches under UK GDPR | 24/7 via ico.org.uk |
| ICO breach helpline (0303 123 1113) | Urgent breaches needing guidance | Mon–Fri, 9am–5pm |
| Cyber incident reporting form | Breaches caused by a cyberattack | 24/7 online |
| NIS reporting form | Relevant digital service providers under NIS Regulations | 24/7 online |
| PECR breach form | Telecoms and internet service providers (note: PECR sets a 24-hour deadline, not 72) | 24/7 online |
Step 5: Submit the Report
For most organisations, the quickest method is the online personal data breach report form on ico.org.uk. The form covers the breach details, the data subjects affected, containment measures, and your contact information. Keep a dated copy of exactly what you submitted, including any phased updates, in your breach register so you can evidence what the ICO was told and when.
Step 6: Notify Affected Individuals (If Required)
If the breach poses a high risk, contact affected individuals directly. The notification must include the nature of the breach, contact details for your DPO, likely consequences, and steps individuals can take to protect themselves (such as changing passwords or watching for fraudulent activity).
Step 7: Document Everything
Maintain a detailed internal breach register including the facts of every breach, its effects, and remedial action taken — even those you did not report. The ICO can request this documentation during investigations or audits.
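The following is an added example of a minimal breach register that ties Steps 3 to 7 together in code; it is not ICO tooling and the field names, the three-level risk scale, and the sample incidents are assumptions made for illustration. It computes the 72-hour deadline from the moment of awareness (wall-clock, so a Friday-afternoon discovery falls due on Monday), records the document-only / notify-ICO / notify-individuals decision with its justification, checks which Article 33(3) items are still missing before a submission, and flags a late report that lacks a reason for the delay:

```python
"""Illustrative personal data breach register and 72-hour clock.

Added example (not ICO code). Risk levels, field names and the sample
incidents below are assumptions chosen to demonstrate the workflow.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional


class Risk(Enum):
    UNLIKELY = "unlikely"  # e.g. strongly encrypted, key secure: document only
    RISK = "risk"          # notify the ICO
    HIGH = "high"          # notify the ICO and the affected individuals


NOTIFICATION_WINDOW = timedelta(hours=72)  # wall-clock; weekends count


@dataclass
class BreachRecord:
    ref: str
    description: str
    aware_at: datetime          # reasonable certainty reached (tz-aware)
    risk: Risk
    data_categories: List[str] = field(default_factory=list)
    approx_data_subjects: Optional[int] = None
    approx_records: Optional[int] = None
    likely_consequences: str = ""
    measures: str = ""
    dpo_contact: str = ""
    justification: str = ""     # why the ICO was not notified (UNLIKELY only)
    reported_at: Optional[datetime] = None
    delay_reason: str = ""      # required if reported after the deadline


def decision(rec: BreachRecord) -> str:
    """Which notifications the risk assessment requires."""
    if rec.risk is Risk.UNLIKELY:
        return "document_only"
    if rec.risk is Risk.RISK:
        return "notify_ico"
    return "notify_ico_and_individuals"


def deadline(rec: BreachRecord) -> datetime:
    """72 hours after awareness, regardless of weekends or bank holidays."""
    return rec.aware_at + NOTIFICATION_WINDOW


def missing_fields(rec: BreachRecord) -> List[str]:
    """Article 33(3) items not yet filled in; a phased initial report may
    still go in with gaps, but each gap must be followed up."""
    checks = {
        "data_categories": bool(rec.data_categories),
        "approx_data_subjects": rec.approx_data_subjects is not None,
        "approx_records": rec.approx_records is not None,
        "likely_consequences": bool(rec.likely_consequences.strip()),
        "measures": bool(rec.measures.strip()),
        "dpo_contact": bool(rec.dpo_contact.strip()),
    }
    return [name for name, ok in checks.items() if not ok]


def status(rec: BreachRecord, now: datetime) -> str:
    """State of the reporting clock for this record at time `now`."""
    if decision(rec) == "document_only":
        return "logged" if rec.justification.strip() else "logged_missing_justification"
    if rec.reported_at is not None:
        late = rec.reported_at > deadline(rec)
        if late and not rec.delay_reason.strip():
            return "reported_late_missing_delay_reason"
        return "reported_late" if late else "reported"
    remaining = deadline(rec) - now
    if remaining <= timedelta(0):
        return "overdue"
    return f"due_in_{int(remaining.total_seconds() // 3600)}h"


def sample_register() -> List[BreachRecord]:
    """Constructed sample incidents (not real cases), all noticed at the
    same time on a Friday afternoon so the weekend falls inside the window."""
    aware = datetime(2024, 6, 7, 16, 30, tzinfo=timezone.utc)
    return [
        BreachRecord("BR-001", "Laptop lost on train; full-disk encrypted", aware, Risk.UNLIKELY,
                     justification="FDE with secure key; remotely wiped; no plaintext access"),
        BreachRecord("BR-002", "Customer spreadsheet emailed to wrong client", aware, Risk.RISK,
                     data_categories=["names", "email addresses", "phone numbers"],
                     approx_data_subjects=340, approx_records=340,
                     likely_consequences="Unsolicited contact; limited fraud risk",
                     measures="Recall requested; recipient confirmed deletion in writing",
                     dpo_contact="dpo@example.org"),
        BreachRecord("BR-003", "Ransomware encrypted the HR file share", aware, Risk.HIGH,
                     data_categories=["employee records", "bank details"],
                     measures="Share isolated; credentials reset; forensics engaged",
                     dpo_contact="dpo@example.org"),
    ]
```

Run against the sample register, BR-001 is logged with its justification and never reported, BR-002 is complete and due on the Monday at 16:30 UTC, and BR-003 can go in as a phased initial report while the subject and record counts and likely consequences are still being established.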
What Happens After You Report?
Once submitted, the ICO will acknowledge receipt and assign a case reference. A caseworker may contact you for additional information or clarification. Depending on the breach's severity, the ICO may:
- Take no further action beyond logging the report
- Provide guidance and request follow-up information
- Open a formal investigation
- Issue an enforcement notice requiring specific corrective actions
- Impose a monetary penalty (fines can reach £17.5 million or 4% of global annual turnover, whichever is higher)
Cooperation, transparency, and demonstrating that you have implemented appropriate technical and organisational measures will significantly influence the ICO's response.
Common Mistakes to Avoid
Even well-prepared organisations stumble during breach reporting. Watch out for these pitfalls:
- Delaying the report to gather more information. The ICO prefers an early, partial report over a late, complete one.
- Underestimating the breach. Categorising a notifiable breach as "low risk" without proper analysis can backfire.
- Forgetting to notify individuals. High-risk breaches require direct communication, not just ICO notification.
- Poor internal documentation. The ICO can ask to see your breach log at any time.
- Failing to learn from the incident. A breach should trigger a review of policies, training, and technical controls.
How to Reduce Breach Risk in the First Place
Prevention is far cheaper than remediation. Strong data protection practices reduce both the likelihood and severity of breaches. Consider:
- Encryption of personal data at rest and in transit
- Multi-factor authentication on all accounts with access to personal data
- Regular staff training on phishing, secure data handling, and breach recognition
- Access controls based on the principle of least privilege
- Controlled link sharing. Do not distribute links that embed access tokens or point directly at internal endpoints, and remember that a short link is not an access control: anyone who obtains it can follow it. If you use a shortener such as Lunyb, choose one that enforces HTTPS and supports link expiry so a leaked link stops working. You can learn more in our honest review of Lunyb.
- Tested incident response plans with clear roles, escalation paths, and ICO reporting templates
- Regular backups stored offline or in immutable storage to mitigate ransomware impact
For marketing and operations teams that share campaign links externally, choosing the right tooling matters. Our 2026 buyer's guide to URL shorteners compares the leading options on security, analytics, and compliance features.
Special Cases: Processors, Joint Controllers, and Third Parties
If you are a processor (handling data on behalf of a controller), you must notify the controller without undue delay after becoming aware of a breach. The controller is then responsible for reporting to the ICO.
For joint controllers, your written arrangement should specify which party handles ICO notification. In practice, the controller closest to the affected individuals usually leads the response.
If a breach involves a third-party supplier, you must still report it within 72 hours of your own awareness. You cannot use the supplier's delay as an excuse, although you can include their conduct as context in the report.
FAQ
What is the deadline to report a data breach to the ICO?
You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. This includes weekends and bank holidays. If you cannot provide complete information in time, submit an initial report and follow up with details as your investigation progresses.
What happens if I report a breach late?
Late reports must include reasons for the delay. The ICO does not automatically issue fines for late reporting, but unjustified delays are considered an aggravating factor when determining enforcement action. Genuine, documented reasons (such as needing time to confirm whether personal data was actually affected) are generally accepted.
Do I need to tell customers about every breach?
No. You only need to notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms. For lower-risk breaches, ICO notification (if required) is sufficient. However, you should still document the breach and your decision-making process internally.
Can I be fined for a data breach itself, or only for failing to report it?
Both. The ICO can issue fines for the underlying failure to implement appropriate security measures that led to the breach, and separately for failing to report it within 72 hours or failing to notify affected individuals. Maximum fines under UK GDPR are £17.5 million or 4% of global annual turnover, whichever is higher.
Should I report a breach if no data was actually accessed?
If personal data was lost or potentially exposed but you can demonstrate it was unreadable (for example, strongly encrypted with keys still secure) and there is no realistic risk of harm, you may not need to report to the ICO. However, you must still log the incident internally with a clear justification for the decision not to report.