How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, you may have a legal obligation to report it to the Information Commissioner's Office (ICO) within 72 hours. Missing this deadline — or failing to assess whether reporting is required at all — can result in significant regulatory fines and lasting reputational damage. This guide walks you through exactly how to report a data breach to the ICO under UK GDPR and the Data Protection Act 2018.
What Counts as a Data Breach Under UK GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not limited to cyber attacks — it covers any compromise of confidentiality, integrity, or availability of personal information.
Common examples include:
- Ransomware encrypting customer records
- A lost or stolen laptop containing unencrypted employee files
- An email sent to the wrong recipient containing personal details
- Misconfigured cloud storage exposing data to the public
- A phishing attack giving criminals access to a CRM system
- Paper records being thrown out without proper shredding
Importantly, the breach does not need to be malicious. A human error or system failure that exposes personal data can still trigger reporting obligations.
The Three Types of Breach to Recognise
- Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach — unauthorised or accidental alteration of personal data.
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data.
When Must You Report a Data Breach to the ICO?
Under Article 33 of the UK GDPR, you must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The clock starts the moment you have a reasonable degree of certainty that a security incident has occurred and that personal data was affected.
Use this quick decision framework:
| Risk Level | Report to ICO? | Notify Individuals? |
|---|---|---|
| No risk to rights and freedoms | No (but document it) | No |
| Risk to rights and freedoms | Yes — within 72 hours | No, unless high risk |
| High risk to rights and freedoms | Yes — within 72 hours | Yes — without undue delay |
What "Risk to Rights and Freedoms" Means
The ICO considers risks such as identity theft, financial loss, discrimination, reputational damage, loss of confidentiality, and any other significant economic or social disadvantage. Special category data (health, biometrics, ethnicity) and children's data almost always elevate the risk threshold.
Step-by-Step: How to Report a Data Breach to the ICO
Here is the exact process to follow when you discover a reportable breach.
Step 1: Contain the Breach
Before reporting, take immediate action to limit damage. Disconnect compromised systems, reset credentials, revoke access tokens, and isolate affected accounts. Preserve logs and evidence — do not wipe systems that may be needed for forensic analysis.
Step 2: Assess and Document
Gather facts quickly. You will need to record:
- What happened and when
- How you became aware of the breach
- Categories and approximate number of individuals affected
- Categories and approximate number of records affected
- Likely consequences for individuals
- Measures taken or proposed to address the breach
You do not need every detail before reporting — partial information is acceptable, with updates submitted in phases.
Step 3: Notify the ICO Within 72 Hours
You have three main reporting channels:
- Online form — the ICO's web reporting tool at ico.org.uk is the preferred route for most breaches.
- Phone — call the ICO breach helpline on 0303 123 1113 (option 3, then option 4) during office hours, especially for urgent or complex incidents.
- Telecoms/ISP breaches — use the dedicated PECR breach form if you are a communications service provider.
Step 4: Notify Affected Individuals (If High Risk)
If the breach is likely to result in a high risk to individuals, you must inform them without undue delay using clear, plain language. The notification should describe the nature of the breach, the likely consequences, the measures taken, and a contact point for further information.
Step 5: Document Everything Internally
Under Article 33(5), you must keep a record of every breach — including those you decided not to report — along with the reasoning. The ICO can request this register at any time.
What Information the ICO Requires
When completing the ICO breach report form, be prepared to provide the following:
| Section | Details Required |
|---|---|
| Organisation details | Name, ICO registration number, sector, contact information |
| DPO details | Name and contact details of your Data Protection Officer (if applicable) |
| Breach details | Date discovered, date occurred, type of breach, cause |
| Data affected | Categories of personal data, special category data, volume |
| Individuals affected | Number and categories (customers, employees, children, etc.) |
| Consequences | Potential harm, likelihood and severity of risk |
| Measures taken | Containment, mitigation, remediation steps |
| Communication | Whether and how individuals have been informed |
If You Don't Have All the Information
Submit what you know within 72 hours and explain that further details will follow. The ICO accepts phased reporting and would rather receive a timely partial notification than a delayed complete one. If you report later than 72 hours, you must justify the delay.
What Happens After You Report?
After submission, the ICO will typically acknowledge receipt and assign a case reference. They may:
- Request further information or evidence
- Take no further action if your response is adequate
- Issue formal guidance or recommendations
- Launch a regulatory investigation for serious or systemic failings
- Impose fines, enforcement notices, or compulsory audits
Most reported breaches are resolved without enforcement action, particularly where the organisation responded promptly, cooperated transparently, and demonstrated robust mitigation.
Penalties for Failing to Report
Failing to notify the ICO when required can result in administrative fines of up to £8.7 million or 2% of global annual turnover, whichever is higher. Failure to comply with broader UK GDPR principles can attract the higher tier of £17.5 million or 4% of turnover.
However, fines are usually a last resort. The ICO weighs factors such as:
- The nature, gravity, and duration of the infringement
- Whether it was intentional or negligent
- Action taken to mitigate damage
- Previous infringements
- Level of cooperation with the ICO
- Categories of personal data affected
Common Mistakes to Avoid
Even well-prepared organisations stumble during breach response. Avoid these pitfalls:
- Waiting for full clarity before reporting — the 72-hour clock starts at awareness, not certainty about every detail.
- Assuming small breaches don't count — a single misdirected email containing sensitive data can be reportable.
- Failing to log non-reportable breaches — you must still document them internally.
- Telling affected individuals to "sit tight" — if there's high risk, communicate promptly and honestly.
- Not training staff — most breaches stem from human error, and staff need to know how to escalate suspected incidents.
- Overlooking processor breaches — if a vendor handling your data is breached, your obligations are still triggered.
Reducing the Risk of a Reportable Breach
Prevention is always cheaper than notification. Strong technical and organisational measures protect both your data subjects and your bottom line.
Technical Measures
- Encrypt data at rest and in transit
- Enforce multi-factor authentication on all admin accounts
- Patch systems promptly and run regular vulnerability scans
- Use endpoint protection and email filtering
- Apply least-privilege access controls
- Maintain tested, offline backups
Organisational Measures
- Maintain an up-to-date breach response plan and playbook
- Train staff on phishing, secure handling, and incident reporting
- Conduct Data Protection Impact Assessments for high-risk processing
- Review supplier contracts and processor agreements regularly
- Audit and minimise the personal data you hold
For organisations that share content through marketing campaigns, even the links you publish can carry security implications. Using a trustworthy link management platform like Lunyb helps you control where users land, monitor click activity for unusual patterns, and disable compromised links quickly — a small but useful layer in your wider data protection posture. You can read our honest review of Lunyb or our 2026 buyer's guide to URL shorteners for more context.
Special Cases and Sector-Specific Rules
Telecoms and Internet Service Providers
Under the Privacy and Electronic Communications Regulations (PECR), communications providers must report any personal data breach to the ICO within 24 hours of detection using the dedicated PECR form.
Financial Services
FCA-regulated firms may have parallel reporting duties to the FCA and PRA under Principle 11 and SUP 15. These run alongside — not instead of — ICO obligations.
NHS and Health Sector
NHS bodies use the Data Security and Protection Toolkit (DSPT) incident reporting tool, which automatically forwards qualifying incidents to the ICO and NHS England.
Cross-Border Breaches
If your organisation operates across the UK and EU, you may need to notify both the ICO and an EU lead supervisory authority. Identify your lead authority in advance to streamline response.
FAQ
How long do I have to report a data breach to the ICO?
You must report a reportable personal data breach to the ICO within 72 hours of becoming aware of it. If you miss this deadline, you can still report — but you must provide reasons for the delay. Partial reports are acceptable, with further details supplied as soon as possible.
Do I have to report every data breach?
No. You only need to report breaches that are likely to result in a risk to the rights and freedoms of individuals. However, you must still document every breach internally — including the reasoning for not reporting — so the ICO can review your records if needed.
What happens if I report a breach late?
Late reporting itself is an infringement of Article 33 and can attract fines of up to £8.7 million or 2% of global turnover. In practice, the ICO usually focuses on whether you acted reasonably, cooperated, and mitigated harm. A late but honest, well-evidenced report is far better than no report at all.
Do I need to tell affected individuals about the breach?
Only if the breach is likely to result in a high risk to their rights and freedoms — for example, if financial data, login credentials, or sensitive personal information was exposed. Notifications must be in clear language and include the nature of the breach, likely consequences, mitigation steps, and a contact point.
What if a data processor (vendor) caused the breach?
Your processor must notify you without undue delay once they become aware of a breach. As the controller, you remain responsible for reporting it to the ICO within 72 hours. Make sure your data processing agreements include clear breach notification timelines and cooperation obligations.
Final Thoughts
Reporting a data breach to the ICO can feel daunting, but the process is designed to be pragmatic. Act fast, be transparent, document your reasoning, and prioritise the people whose data is at stake. Organisations that respond quickly and honestly almost always fare better — both with the regulator and with their customers — than those that hesitate or try to downplay incidents. Build your breach response plan now, before you need it, and rehearse it like you would any other business continuity scenario.