How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, you may have a legal obligation to notify the Information Commissioner's Office (ICO) within 72 hours. Missing that deadline, or filing an incomplete report, can lead to significant fines under the UK GDPR and the Data Protection Act 2018. This guide explains exactly how to report a data breach to the ICO, what information you'll need, and how to handle the aftermath properly.
What Counts as a Personal Data Breach Under UK GDPR?
A personal data breach is any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is broader than most people think: it isn't just hackers stealing customer databases.
Common examples include:
- A laptop, USB stick or mobile phone containing personal data being lost or stolen
- An employee emailing a customer list to the wrong recipient
- Ransomware encrypting files that contain personal information
- A misconfigured cloud storage bucket exposing records publicly
- Paper records being thrown in general waste instead of being shredded
- Unauthorised access by a staff member to records they shouldn't view
The key principle is that the breach must involve personal data — information relating to an identified or identifiable living person. A cyberattack that only damages anonymous system logs may not be reportable to the ICO, although it might still need to be reported elsewhere.
Do You Always Have to Report a Breach to the ICO?
No. Under Article 33 of the UK GDPR, you only need to notify the ICO when a breach is likely to result in a risk to the rights and freedoms of individuals. If the risk is unlikely — for example, the data was strongly encrypted and the key was not compromised — you can record it internally without notifying the regulator.
When You Must Report
- Risk to individuals is likely (financial loss, identity theft, reputational damage, discrimination, loss of confidentiality)
- Special category data (health, biometrics, sexual orientation, ethnicity) is involved
- Children's data is affected
- Large volumes of records are exposed
When You Must Also Notify Affected Individuals
If the breach is likely to result in a high risk to people's rights and freedoms, you must also inform the affected individuals directly, without undue delay (Article 34). This is a higher bar than notifying the ICO and is typically required for incidents involving financial data, login credentials, or identity documents.
When You Don't Need to Report
- The data was rendered unintelligible (e.g. strong encryption with uncompromised keys)
- You've taken measures that ensure the high risk is no longer likely to materialise
- Informing the affected individuals would involve disproportionate effort (in which case a public communication to them may suffice)
Even when reporting isn't required, you must document the breach internally. The ICO can ask to see your breach log during an investigation or audit.
The 72-Hour Deadline: When Does the Clock Start?
The 72-hour window begins the moment you become aware of the breach — not when it occurred, and not when you've completed your investigation. "Awareness" means having a reasonable degree of certainty that a security incident has led to personal data being compromised.
A few important nuances:
- Weekends and bank holidays count. The 72 hours run continuously from the moment of awareness.
- You don't need all the facts. The ICO accepts phased reporting — submit what you know within 72 hours, then follow up.
- If you miss the deadline, you can still report, but you must explain the delay in your submission.
- Processors must notify controllers without undue delay, but the controller is responsible for notifying the ICO.
How to Report a Data Breach to the ICO: Step-by-Step
The ICO offers several reporting channels depending on the nature and severity of the breach. Here's the full process from discovery to submission.
Step 1: Contain and Assess the Breach
Before you report, stop the bleeding. Disconnect affected systems, revoke compromised credentials, recall misdirected emails where possible, and preserve evidence for the investigation. Then assess:
- What categories of personal data are involved?
- How many data subjects are affected?
- What are the likely consequences?
- What mitigating measures have you already taken?
Step 2: Choose the Right Reporting Channel
The ICO provides three primary routes:
| Channel | When to Use | Availability |
|---|---|---|
| ICO online reporting form | Most non-urgent breaches | 24/7 at ico.org.uk |
| ICO breach helpline (0303 123 1113) | Urgent or complex breaches needing guidance | Mon–Fri, 9am–5pm |
| Telecoms/ISP specific form | PECR breaches by communications providers | 24/7 online |
Step 3: Complete the Online Notification Form
The ICO's web form will ask for the following information. Have it ready before you start:
- Your organisation's details — name, ICO registration number, sector, and contact details for the data protection officer (DPO) or responsible person
- Nature of the breach — confidentiality, integrity, availability, or a combination
- When the breach occurred and was discovered — exact dates and times if known
- Description of personal data involved — categories, approximate number of records, and number of data subjects
- Likely consequences — what harm could come to the individuals affected
- Measures taken — both to contain the breach and to mitigate harm
- Cross-border implications — whether individuals in the EU are affected (in which case lead supervisory authority rules apply)
- Whether you've notified the affected individuals and if not, when you plan to
Step 4: Submit and Save the Reference Number
Once submitted, you'll receive a unique reference number. Save this in your breach log — you'll need it for any follow-up correspondence and for your internal records.
Step 5: Follow Up With Additional Information
If you reported in phases because you didn't have all the facts within 72 hours, the ICO expects you to provide updates as your investigation progresses. There's no rigid timeline for this, but "without undue delay" is the standard.
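The threshold tests in the "Do You Always Have to Report" section and Steps 1 to 5 above are a decision procedure, so here is that procedure as a small breach-register script. It is an added example written for this guide, not ICO tooling and not code from the guide's author: it applies the Article 33 and Article 34 tests to a recorded incident, computes the continuous 72-hour clock from the moment of awareness (a Friday-evening discovery is deliberately used so the weekend is visibly counted), records phased follow-ups, and screens the narrative you intend to paste into the ICO form so that it describes categories and volumes rather than real names, emails or account numbers. The numeric cut-off for "large volumes", the category labels used for the high-risk test, and the sample incidents are all assumptions made for the example; the ICO form defines its own fields.

```python
"""Breach register helper (added illustration, not ICO tooling).

Applies the guide's Article 33/34 thresholds, tracks the 72-hour ICO clock
(continuous, weekends count) with phased updates, and screens the
submission narrative for raw personal data. LARGE_VOLUME and the
HIGH_RISK_CATEGORIES labels are assumptions chosen for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import re

ICO_WINDOW = timedelta(hours=72)          # runs continuously; weekends count
LARGE_VOLUME = 1000                       # assumed cut-off for "large volumes"
HIGH_RISK_CATEGORIES = {"financial", "credentials", "identity_documents"}  # assumed labels

# Patterns suggesting raw personal data slipped into a narrative that should
# only describe categories and volumes. Any hit is flagged for human review.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "long_number": re.compile(r"\b\d(?:[ -]?\d){7,}\b"),   # account/card-like digit runs
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),    # UK National Insurance format
}


@dataclass
class Breach:
    aware_at: datetime                    # moment of awareness, not of occurrence
    data_categories: set[str]
    subjects_affected: int
    special_category: bool = False
    children: bool = False
    unintelligible: bool = False          # strong encryption, key not compromised
    likely_harms: list[str] = field(default_factory=list)
    updates: list[tuple[str, str]] = field(default_factory=list)

    def ico_notification_required(self) -> bool:
        """Article 33: notify the ICO unless a risk to individuals is unlikely."""
        if self.unintelligible:           # data rendered unintelligible: risk unlikely
            return False
        return (bool(self.likely_harms) or self.special_category
                or self.children or self.subjects_affected >= LARGE_VOLUME)

    def individuals_notification_required(self) -> bool:
        """Article 34: the higher 'high risk' bar, e.g. financial data or logins."""
        return (self.ico_notification_required()
                and bool(self.data_categories & HIGH_RISK_CATEGORIES))

    def deadline(self) -> datetime:
        """Latest moment for the first ICO submission."""
        return self.aware_at + ICO_WINDOW

    def status(self, now_iso: str) -> dict:
        """Hours left on the ICO clock at `now_iso` (ISO 8601 with offset).
        A negative figure means the submission must explain the delay."""
        remaining = self.deadline() - datetime.fromisoformat(now_iso)
        hours = round(remaining.total_seconds() / 3600, 1)
        return {"hours_remaining": hours, "overdue": hours < 0,
                "phased_updates": len(self.updates)}

    def add_update(self, at_iso: str, note: str) -> None:
        """Phased reporting: record each follow-up sent after the first report."""
        self.updates.append((at_iso, note))


def find_personal_data(narrative: str) -> list[str]:
    """Kinds of raw personal data found in a submission narrative (empty = clean)."""
    return [name for name, pat in PII_PATTERNS.items() if pat.search(narrative)]


def sample_breaches() -> dict[str, Breach]:
    """Constructed sample incidents (not real cases), discovered Friday 17:00 UTC."""
    friday = datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)
    return {
        # Customer list emailed to the wrong recipient, password hashes included.
        "misdirected_email": Breach(friday, {"contact", "credentials"}, 2500,
                                    likely_harms=["credential stuffing"]),
        # Lost laptop with full-disk encryption; key not exposed.
        "encrypted_laptop": Breach(friday, {"contact", "health"}, 40,
                                   special_category=True, unintelligible=True),
    }


if __name__ == "__main__":
    b = sample_breaches()["misdirected_email"]
    b.add_update("2024-03-06T11:00:00+00:00", "Recipient confirmed deletion")
    print("ICO notification required:", b.ico_notification_required())
    print("Individuals must be told:", b.individuals_notification_required())
    print("Deadline (UTC):", b.deadline().isoformat())
    print("Status Monday 10:00:", b.status("2024-03-04T10:00:00+00:00"))
    print("Narrative check:", find_personal_data(
        "Customer list of approx 2,500 records (names, emails, hashed passwords) "
        "sent to an external recipient; recall requested."))
```

Run it as a script to see the Friday discovery produce a Monday 17:00 deadline with seven hours left on Monday morning, and an empty narrative check for a description that sticks to categories and counts. The encrypted-laptop sample shows the exemption in action: special category data is involved, but because the disk was strongly encrypted and the key was not exposed, the Article 33 test returns false and the incident is only logged internally.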
What Happens After You Report?
Filing a report is not an admission of wrongdoing, and most breach notifications don't lead to enforcement action. Here's what typically happens next.
Initial Triage
An ICO case officer reviews your submission and decides whether the matter requires further action. For low-risk, well-handled breaches, you may receive an acknowledgement and confirmation that no further action is needed.
Investigation
For more serious incidents, the ICO may open a formal investigation. They can request:
- Your internal breach log and incident response records
- Evidence of your technical and organisational measures
- Records of staff training and data protection policies
- Documentation of your data protection impact assessments (DPIAs)
Possible Outcomes
The ICO has a range of powers under the UK GDPR and Data Protection Act 2018:
- No further action — most common outcome
- Advisory letter — guidance on improvements
- Reprimand — formal criticism on the public record
- Enforcement notice — legally binding order to take specific action
- Monetary penalty — up to £17.5 million or 4% of global annual turnover, whichever is higher
Common Mistakes to Avoid
Many organisations make the same errors when reporting breaches. Avoiding these will keep you on the regulator's good side.
Reporting Too Late Without Explanation
If you genuinely missed the 72-hour window, explain why. The ICO understands that complex breaches take time to confirm. What they don't accept is unexplained delays or attempts to bury bad news.
Over-Reporting Minor Incidents
Reporting every minor mishap clogs the system and signals that you don't understand your risk assessment obligations. Use the ICO's self-assessment tool to determine whether a breach meets the reporting threshold.
Failing to Notify Individuals When Required
Notifying the ICO is not a substitute for notifying affected individuals when the risk is high. Both obligations are independent.
Inadequate Internal Documentation
Even unreported breaches must be logged with details of facts, effects, and remedial action. The ICO can request this log at any time.
Sending Sensitive Data in the Notification
Never include actual personal data (names, account numbers, etc.) in your ICO submission. Describe categories and volumes only. If you need to share evidence, the ICO will provide a secure channel.
Preventing Future Breaches: Practical Steps
Reporting a breach is only the start. The ICO will want to see what you've learned and how you've strengthened your controls.
Technical Measures
- Encrypt personal data at rest and in transit
- Enforce multi-factor authentication on all admin accounts
- Patch systems promptly and monitor for vulnerabilities
- Use encrypted DNS and secure network configurations
- Limit the use of third-party tracking links — when sharing URLs publicly, use a privacy-respecting shortener like Lunyb that doesn't harvest visitor data
Organisational Measures
- Maintain an up-to-date incident response plan
- Run breach simulation exercises at least annually
- Train all staff on phishing and data handling
- Review supplier contracts to ensure processor obligations are clear
- Conduct DPIAs for high-risk processing activities
Reviewing Your Tooling
Many breaches stem from over-reliance on third-party services that collect more data than necessary. Audit your stack regularly — from analytics platforms to link shorteners and marketing tools — and remove anything that creates unnecessary exposure. For comparisons of privacy-focused tooling in this space, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb.
Special Considerations for Different Sectors
Healthcare
NHS bodies and healthcare providers must also report breaches through the Data Security and Protection Toolkit (DSPT) incident reporting tool, which feeds notifications to both NHS England and the ICO.
Financial Services
FCA-regulated firms may have additional obligations under SUP 15.3 to notify the FCA of material operational incidents. Breaches involving payment data may also trigger PCI DSS reporting to acquiring banks.
Telecoms and ISPs
Communications providers must also comply with the Privacy and Electronic Communications Regulations (PECR), which require notification of personal data breaches within 24 hours of detection — significantly tighter than UK GDPR.
Education
Schools and universities should consult the DfE's specific guidance on data breaches involving pupil records, and may need to notify safeguarding leads in addition to the ICO.
FAQ
What happens if I miss the 72-hour deadline?
You should still report the breach, but include a clear explanation of why the notification was delayed. The ICO considers late reporting in context — a 24-hour delay due to a complex investigation is treated very differently from a deliberate attempt to avoid scrutiny. Late reporting alone rarely triggers a fine, but combined with poor practice it can be an aggravating factor.
Do I need to report a breach if data was encrypted?
If personal data was protected by strong, current encryption and the decryption key was not compromised, the breach is unlikely to result in a risk to individuals, so notification to the ICO is generally not required. You must still log the incident internally. However, weak or outdated cryptography (e.g. MD5 hashing, or obsolete SSL versions) doesn't qualify for this exemption.
Can the ICO fine me for the breach itself, or only for failing to report?
Both. The ICO can fine you for the underlying failure of security (Article 32 breaches) and separately for failures in your notification obligations (Articles 33 and 34). In practice, fines usually focus on systemic security failings, with reporting failures contributing to the overall assessment.
What's the difference between notifying the ICO and notifying individuals?
You must notify the ICO when a breach is likely to result in a risk to individuals' rights and freedoms. You must additionally notify affected individuals when the breach is likely to result in a high risk. The high-risk threshold typically applies when data could lead to identity theft, financial loss, or serious distress, and individual notification allows people to take protective action.
Should small businesses report data breaches differently?
No — the obligations under UK GDPR apply equally to organisations of all sizes. However, the ICO recognises that smaller organisations have fewer resources, and its enforcement approach is proportionate. Small businesses should focus on having a simple, clear incident response plan and using the ICO's free self-assessment tools. The ICO also runs a dedicated SME helpline for guidance.
Final Thoughts
Reporting a data breach to the ICO isn't something to fear — it's an opportunity to demonstrate accountability and learn from the incident. The organisations that come through breach investigations well are those that act quickly, document thoroughly, communicate honestly, and use the experience to strengthen their controls. Prepare your incident response plan now, before you need it, and the 72-hour clock will feel much less daunting.