
How to Report a Data Breach to the ICO: A Step-by-Step Guide

Lunyb Security Team
9 min read

If your organisation has suffered a personal data breach, the clock is ticking. Under the UK GDPR and the Data Protection Act 2018, you may have just 72 hours to notify the Information Commissioner's Office (ICO). Getting the report right — or knowing when not to report at all — can mean the difference between a routine investigation and a regulatory fine running into millions of pounds.

This guide walks you through exactly how to report a data breach to the ICO, what counts as a notifiable breach, what information you need, and the practical steps to take in the hours and days after discovery.

What Counts as a Personal Data Breach Under UK GDPR?

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is broader than most people assume — it does not have to involve a malicious attacker.

Examples of personal data breaches include:

  • A laptop or USB stick containing customer records being lost or stolen
  • An email with personal data sent to the wrong recipient
  • Ransomware encrypting files containing employee or customer information
  • Unauthorised access by an employee viewing records they shouldn't
  • A misconfigured cloud bucket exposing data to the public internet
  • A paper file being thrown in a public bin instead of shredded

The ICO classifies breaches into three categories: confidentiality breaches (unauthorised disclosure or access), integrity breaches (unauthorised alteration), and availability breaches (loss of access or destruction). A single incident can fall into more than one category — ransomware, for example, is typically both an availability and confidentiality breach.

Do You Actually Need to Report It?

Not every breach requires notification. The legal test under Article 33 of the UK GDPR is whether the breach is "likely to result in a risk to the rights and freedoms of natural persons". If there is no such risk, you do not need to tell the ICO — but you must still document the incident internally.

When You Must Report to the ICO

You must notify the ICO within 72 hours if the breach is likely to result in any risk to individuals. Examples include:

  • Loss of financial data, login credentials, or identity documents
  • Disclosure of health, racial, religious, or other special category data
  • Any breach involving children's data
  • Breaches affecting a significant number of people, even with low-sensitivity data

When You Must Also Notify Affected Individuals

If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also inform the data subjects themselves "without undue delay". This goes beyond the ICO notification and applies to incidents likely to cause identity theft, financial loss, reputational damage, or significant distress.

When You Don't Need to Report

You can skip the ICO report if the breach is genuinely low risk. For example, if a properly encrypted laptop is lost and the encryption key is intact, the practical risk to data subjects is minimal. Even then, you must record the incident in your internal breach log — the ICO can ask to see it during an audit.

The 72-Hour Rule: When Does the Clock Start?

The 72-hour window begins from the moment you become aware of the breach — not when it happened, and not when you have finished investigating. "Awareness" means having a reasonable degree of certainty that a security incident has led to personal data being compromised.

For example, if your IT team receives an alert at 3pm on Friday about suspicious activity and confirms by 9am Monday that data has been exfiltrated, the 72-hour window starts on Monday morning. However, regulators will scrutinise whether you investigated quickly enough — sitting on an alert to delay the clock is not acceptable.

If you cannot gather all the information within 72 hours, report what you have and submit further details later in phases. The ICO explicitly allows phased reporting.

How to Report a Data Breach to the ICO: Step-by-Step

Here is the practical process to follow once you have confirmed a notifiable breach.

Step 1: Contain and Assess

  1. Stop the breach from continuing — disable compromised accounts, pull affected systems offline, recall misdirected emails.
  2. Preserve evidence: logs, emails, system snapshots. Do not wipe affected machines.
  3. Assemble your response team: typically the DPO, IT/security lead, legal counsel, and a senior decision-maker.
  4. Run an initial risk assessment: what data, how many people, what's the likely harm?

Step 2: Decide Whether to Report

Document your reasoning either way. If you decide not to notify the ICO, write down why — including the volume of records, sensitivity, encryption status, and likelihood of harm. This decision log is your defence if the regulator later questions your judgement.
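The risk test, the 72-hour clock and the decision log above can be captured in one small incident-response helper. The following is an added illustration, not code from the original article or from Lunyb; the category labels, the "significant number" threshold of 1,000 subjects and the dates are constructed assumptions that follow the article's tiers rather than any ICO-published rule.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Category labels and the scale threshold are constructed for this example (not ICO rules).
HIGH_RISK = {"financial", "credentials", "identity_documents", "health", "children"}
RISK = HIGH_RISK | {"special_category", "contact_details"}
LARGE_SCALE = 1000  # assumed "significant number of people"
DECISION = {"none": "log only", "risk": "notify ICO", "high": "notify ICO and individuals"}
@dataclass
class BreachAssessment:
    aware_at: datetime         # reasonable certainty of compromise, not the incident time
    data_categories: set
    subjects: int
    encrypted_and_key_safe: bool = False
    reasons: list = field(default_factory=list)

    def ico_deadline(self) -> datetime:
        """The 72-hour clock runs from awareness."""
        return self.aware_at + timedelta(hours=72)

    def tier(self) -> str:
        """'none': log only; 'risk': notify ICO; 'high': also notify individuals."""
        self.reasons.clear()
        if self.encrypted_and_key_safe:
            self.reasons.append("device encrypted, key intact: minimal practical risk")
            return "none"
        if high := self.data_categories & HIGH_RISK:
            self.reasons.append(f"high-risk data: {sorted(high)}")
            return "high"
        if risk := self.data_categories & RISK:
            self.reasons.append(f"data likely to pose risk: {sorted(risk)}")
            return "risk"
        if self.subjects >= LARGE_SCALE:
            self.reasons.append(f"{self.subjects} subjects affected: large scale")
            return "risk"
        self.reasons.append("low sensitivity, small scale")
        return "none"

    def log_entry(self, now: datetime, facts_complete: bool) -> dict:
        """Breach-register record; written whether or not you notify."""
        tier, deadline = self.tier(), self.ico_deadline()
        return {"decision": DECISION[tier], "reasons": list(self.reasons),
                "ico_deadline": deadline.isoformat(),
                "hours_remaining": round((deadline - now).total_seconds() / 3600, 1),
                "phased_report": tier != "none" and not facts_complete}

def assess_scenario(categories, subjects, encrypted=False, facts_complete=False) -> dict:
    """Constructed timeline: alert Friday 15:00, exfiltration confirmed Monday 09:00 UTC (clock starts)."""
    aware = datetime(2026, 3, 9, 9, 0, tzinfo=timezone.utc)  # a Monday
    a = BreachAssessment(aware, set(categories), subjects, encrypted)
    return a.log_entry(now=aware + timedelta(hours=5), facts_complete=facts_complete)
```

The returned record is the kind of entry to keep in the internal breach register: it states the decision, the reasons behind it, the deadline, and whether a phased report is needed because facts are still outstanding.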

Step 3: Submit the Report

There are three ways to report:

  • Online: Use the ICO's secure breach reporting form at ico.org.uk/make-a-complaint/data-protection-complaints/personal-data-breach. This is the fastest route and creates an audit trail.
  • Phone: Call the ICO helpline on 0303 123 1113 (Monday to Friday, 9am to 5pm). Useful for urgent cases or to clarify questions before submitting in writing.
  • Out of hours: The ICO does not have a 24/7 hotline, but you should still submit the online form at any time — the timestamp counts.

Step 4: Notify Affected Individuals (If Required)

If the breach is high-risk, contact data subjects directly. Use clear, plain English. Tell them what happened, what data was affected, what you're doing about it, what they should do (e.g. change passwords, monitor accounts), and how to contact your DPO.

Step 5: Follow Up and Close the Loop

The ICO will issue a case reference and may ask follow-up questions. Respond promptly. Keep records of all correspondence. Once the investigation closes, conduct a post-incident review and update your policies, training, and technical controls.

What Information Must the Report Include?

Article 33(3) of the UK GDPR sets out the minimum content for a breach notification. The ICO's form walks you through each section, but it helps to prepare the following before you start:

  • Nature of the breach: what happened, when it happened, when you became aware, and the type of incident (cyberattack, human error, lost device, etc.)
  • Categories of data: names, contact details, financial data, special category data, children's data, etc.
  • Approximate numbers: the number of data subjects affected and the number of records involved
  • Likely consequences: identity theft, financial loss, distress, reputational damage, discrimination
  • Measures taken: steps to contain the breach and reduce harm to individuals
  • DPO contact details: name, email, and phone of your Data Protection Officer or breach contact

If you don't have all the answers yet, say so. Mark sections as "to follow" and commit to a timeline for providing the remaining detail.

What Happens After You Report?

The ICO triages every breach report. Most receive a written acknowledgement and no further action beyond confirming you've handled it appropriately. A smaller proportion lead to deeper investigation, and a smaller fraction still result in enforcement action.

Possible outcomes include:

  • No further action — the most common result for low-risk, well-handled breaches.
  • Information notice — a formal request for more documentation.
  • Assessment notice — an audit of your data protection practices.
  • Enforcement notice — an order to take specific corrective steps.
  • Monetary penalty — fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

Cooperation matters enormously. The ICO has repeatedly said that organisations that report promptly, take responsibility, and demonstrate strong remediation are treated far more leniently than those that delay, minimise, or obstruct.

Common Mistakes to Avoid

Even experienced data protection teams slip up under pressure. Watch out for these:

  • Underestimating the breach. Don't assume "only a few emails" is low risk — check what was in them first.
  • Missing the 72-hour deadline. If you'll be late, report anyway and explain the delay. Late is better than not reporting.
  • Notifying individuals before you have facts. Conflicting public statements damage trust and can mislead.
  • Failing to log non-reportable breaches. The ICO can demand to see your internal breach register.
  • Forgetting joint controllers and processors. If a supplier caused the breach, you (the controller) are still responsible for reporting.

Preventing the Next Breach

Notification is the legal floor — prevention is where you actually protect your business and your customers. A robust programme typically includes encrypted devices and backups, strong access controls with multi-factor authentication, regular staff training on phishing and data handling, a tested incident response plan, and careful management of third-party links and shared resources.

On the link-handling front, many incidents start with a poorly managed URL — a shared document link forwarded too widely, a tracking link leaking customer identifiers, or a malicious shortened link in a phishing email. Using a trustworthy link management platform like Lunyb lets you create branded short links with click analytics, password protection, and expiry dates, so you can revoke access the moment something looks wrong. If you're comparing options, see our 2026 buyer's guide to URL shorteners and our honest review of Lunyb for a closer look at security features.

FAQ

What is the deadline to report a data breach to the ICO?

You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. If you miss the deadline, you should still report and provide a reasoned explanation for the delay.

Do I have to report every data breach?

No. You only need to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. Low-risk incidents must still be recorded in your internal breach log, even if not reported externally.

What happens if I don't report a data breach?

Failing to report a notifiable breach can result in a fine of up to £8.7 million or 2% of global annual turnover. If the breach itself involved poor security, you could face an additional fine of up to £17.5 million or 4% of turnover under the higher tier.

Can I report a data breach anonymously?

No. As the data controller, you must identify your organisation and provide a contact point (usually the DPO). Members of the public can, however, raise concerns about an organisation's handling of their data anonymously through the ICO's complaints process.

What if the breach was caused by one of my suppliers?

As the data controller, you remain responsible for notifying the ICO, even if a processor or supplier caused the incident. Your contracts should require processors to notify you without undue delay so you can meet the 72-hour deadline. The processor may also have separate obligations to its own regulators.
