How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR gives you just 72 hours to report it to the Information Commissioner's Office (ICO). Miss the deadline, or fail to provide the right information, and you could face fines of up to £17.5 million or 4% of global annual turnover. This guide explains exactly how to report a data breach to the ICO, what counts as a notifiable breach, and how to prepare your organisation for the worst-case scenario.
What Is a Personal Data Breach Under UK GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It is not just about cyber attacks — lost laptops, misdirected emails, and even accidental deletions can all qualify.
The UK GDPR (which sits alongside the Data Protection Act 2018) identifies three categories of personal data breach:
- Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach — unauthorised or accidental alteration of personal data.
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data.
Crucially, not every incident needs to be reported to the ICO. The reporting obligation is triggered only when the breach is likely to result in a risk to the rights and freedoms of individuals.
When Must You Report a Data Breach to the ICO?
You must notify the ICO without undue delay, and within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to people's rights and freedoms. The clock starts ticking the moment you have a reasonable degree of certainty that a security incident has occurred and that it has led to personal data being compromised.
Notifiable vs Non-Notifiable Breaches
| Scenario | Report to ICO? | Notify Individuals? |
|---|---|---|
| Lost encrypted laptop with strong password | Likely no | No |
| Email with client list sent to wrong recipient | Yes | Possibly |
| Ransomware attack on customer database | Yes | Yes (high risk) |
| Stolen unencrypted USB with HR records | Yes | Yes |
| Misfiled internal document, quickly retrieved | Usually no | No |
| Health data exposed on public website | Yes | Yes |
When You Must Also Tell Affected Individuals
If the breach is likely to result in a high risk to people's rights and freedoms — for example, exposing financial details, health records, or information that could enable identity theft — you must also notify the affected individuals directly, without undue delay. The communication must be in clear, plain language.
How to Report a Data Breach to the ICO: Step-by-Step
Reporting a data breach to the ICO is a structured process. Follow these seven steps to stay compliant and minimise reputational damage.
- Contain the breach — isolate affected systems, revoke compromised credentials, and stop ongoing data loss before doing anything else.
- Assess the risk — determine what data is involved, how many people are affected, and the likely consequences. Document your reasoning.
- Decide whether the 72-hour rule applies — if there is any risk to individuals, treat the breach as notifiable.
- Gather the required information — nature of the breach, categories and approximate number of data subjects, contact details of your Data Protection Officer (DPO), likely consequences, and measures taken.
- Submit the report — use the ICO's online reporting tool at ico.org.uk, or call the personal data breach helpline on 0303 123 1113.
- Notify affected individuals if required — draft a clear, jargon-free notice covering what happened, what data is involved, and what they should do.
- Document everything — even non-notifiable breaches must be logged internally. The ICO can request your breach log at any time.
Using the ICO Online Reporting Tool
The ICO's web form is the preferred channel for non-urgent and low-to-medium severity breaches. You will be asked a series of structured questions covering:
- Your organisation's details and DPO contact information.
- Date and time you became aware of the breach.
- A description of the incident and its cause.
- Categories and approximate numbers of data subjects and records.
- Potential consequences for affected individuals.
- Mitigation steps already taken and planned.
If you do not yet have all the details, you can submit an initial report and provide further information in phases — the UK GDPR explicitly allows this.
When to Phone Instead
Call the ICO breach helpline (0303 123 1113, Monday to Friday, 9am to 5pm) if the breach is large-scale, ongoing, or involves particularly sensitive information such as children's data, health records, or special category data under Article 9.
What Information the ICO Requires
Article 33(3) of the UK GDPR sets out the minimum information your breach notification must contain. Prepare this in advance to avoid scrambling when the clock is ticking.
| Required Field | Example |
|---|---|
| Nature of the breach | "Phishing attack compromised an employee mailbox" |
| Categories of data subjects | Customers, employees, suppliers |
| Approximate number affected | ~3,400 customers |
| Categories of personal data | Names, addresses, payment card details |
| Likely consequences | Financial fraud, identity theft risk |
| Measures taken | Password reset, MFA enforced, forensics engaged |
| DPO/contact details | Name, email, phone number |
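To tie the step-by-step procedure and the Article 33(3) field list together, here is an added example (not code from the original guide or from the ICO) of a small breach-register helper: it computes the 72-hour window from the awareness time, applies the notifiability rules described above, and reports which required fields are still missing so a phased initial report can be filed. The field names, risk labels and sample incident are assumptions constructed for the example.

```python
"""Breach register helper: 72-hour ICO clock, notifiability and Article 33(3) completeness."""
from datetime import datetime, timedelta

# Minimum content of an ICO notification under Article 33(3) UK GDPR (field names are assumed).
ARTICLE_33_3_FIELDS = ("nature", "data_subject_categories", "approx_affected", "data_categories",
                       "likely_consequences", "measures_taken", "dpo_contact")
REPORTING_WINDOW = timedelta(hours=72)
# Risk labels are constructed for this example: "none" = unlikely to affect rights and freedoms,
# "risk" = likely risk (notify ICO), "high" = high risk (notify ICO and affected individuals).
RISK_LEVELS = ("none", "risk", "high")

def missing_fields(details: dict) -> list:
    """Article 33(3) fields not yet supplied; an initial report may still be submitted in phases."""
    return [f for f in ARTICLE_33_3_FIELDS if not details.get(f)]

def assess(aware_iso: str, now_iso: str, risk: str, details: dict) -> dict:
    """Decide what the register entry requires right now. Times are ISO 8601 strings."""
    if risk not in RISK_LEVELS:
        raise ValueError(f"risk must be one of {RISK_LEVELS}")
    aware = datetime.fromisoformat(aware_iso)   # the clock starts at reasonable certainty
    now = datetime.fromisoformat(now_iso)
    hours_left = (aware + REPORTING_WINDOW - now) / timedelta(hours=1)
    notify_ico = risk in ("risk", "high")
    missing = missing_fields(details)
    if not notify_ico:
        action = "log internally and record the risk assessment"
    elif hours_left < 0:
        action = "overdue: report now with an explanation of the delay"
    elif missing:
        action = "submit an initial report now; supply the remaining fields in phases"
    else:
        action = "submit the full report"
    return {
        "notify_ico": notify_ico,
        "notify_individuals": risk == "high",
        "hours_remaining": round(hours_left, 1),
        "missing_fields": missing,
        "action": action,
    }

# Constructed sample matching the "ransomware attack on customer database" row of the table above.
SAMPLE_DETAILS = {
    "nature": "Ransomware encrypted the customer database",
    "data_subject_categories": "customers",
    "approx_affected": "~3,400",
    "data_categories": "names, addresses, payment card details",
    "measures_taken": "systems isolated, credentials revoked, forensics engaged",
    # "likely_consequences" and "dpo_contact" deliberately left blank to show a phased report
}
```

Calling `assess("2024-01-10T09:00", "2024-01-12T11:00", "high", SAMPLE_DETAILS)` returns 22 hours remaining, both notification flags set, and the two blank fields listed for the follow-up phase.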
What Happens After You Report
Once you submit your notification, the ICO will acknowledge receipt and assign a case reference. Their next steps depend on the severity of the breach.
Possible ICO Responses
- No further action — the ICO may simply log the breach if it is low risk and well-handled.
- Request for further information — common when initial reports are incomplete.
- Formal investigation — triggered by high-impact or repeated breaches.
- Enforcement action — warnings, reprimands, enforcement notices, or fines.
Penalties for Non-Compliance
Failing to report a notifiable breach within 72 hours can itself attract a fine of up to £8.7 million or 2% of global annual turnover, whichever is higher. Breaches of the underlying security obligations under Article 32 can attract the upper tier: £17.5 million or 4% of global turnover. The ICO also publishes enforcement decisions publicly, which can cause lasting reputational damage.
Common Mistakes to Avoid
The ICO frequently flags the same errors in its enforcement reports. Avoiding them will significantly reduce your regulatory risk.
- Waiting too long to start the clock — "awareness" begins when you have reasonable certainty, not when your investigation is complete.
- Under-reporting numbers — better to state "approximately 5,000" than to wait for an exact figure.
- Forgetting to log non-notifiable incidents — the ICO can audit your breach register.
- Sending vague notifications to individuals — people must be told what happened and what to do.
- Failing to engage the DPO early — if you have a DPO, they must be involved in all breach decisions.
- Not reviewing root causes — the ICO expects evidence that you have learned from the incident.
How to Prepare Before a Breach Happens
The organisations that handle breaches best are the ones that planned for them. A documented incident response plan is now considered a baseline expectation under Article 32 of the UK GDPR.
Build a Breach Response Playbook
- Assign clear roles: incident lead, DPO, legal, comms, and IT forensics.
- Maintain an up-to-date data inventory so you can quickly identify affected records.
- Pre-draft template notifications for the ICO and affected individuals.
- Establish 24/7 escalation paths — breaches rarely happen at 10am on a Tuesday.
- Run tabletop exercises at least annually to test the plan.
Reduce the Likelihood of a Breach
Prevention remains better than cure. Strong technical controls reduce both the chance and the severity of incidents:
- Enforce multi-factor authentication on all business accounts.
- Encrypt data at rest and in transit.
- Patch systems promptly and maintain an asset register.
- Provide regular phishing-awareness training to staff.
- Use trusted tools for sharing links and tracking access. A reputable link management service like Lunyb can help you control where shared URLs lead, detect suspicious click patterns, and avoid the kind of accidental exposure that comes from copy-pasted long links in emails. You can read our honest review of Lunyb for more context.
- Audit third-party processors regularly — many breaches originate in the supply chain.
Special Cases: Processors, Joint Controllers and Cross-Border Breaches
Your reporting obligations vary depending on your role under UK GDPR.
If You Are a Processor
Processors do not report directly to the ICO. Instead, you must notify the controller without undue delay after becoming aware of a breach. Your contract (the Article 28 agreement) should specify timing — typically within 24 hours to give the controller time to meet the 72-hour deadline.
If You Are a Joint Controller
Joint controllers should agree in advance which party will lead on breach reporting. The arrangement should be documented in the joint controller agreement and made transparent to data subjects.
Cross-Border Breaches
If your organisation also processes data of EU residents, you may need to notify both the ICO and a lead EU supervisory authority under the EU GDPR. Coordinate notifications carefully to ensure consistency.
Frequently Asked Questions
What counts as "becoming aware" of a data breach?
You are considered aware of a breach when you have a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised. A brief initial investigation to confirm a suspected breach is acceptable, but you cannot delay indefinitely — the ICO expects organisations to act with urgency once a credible report is received.
What if I miss the 72-hour deadline?
You should still report the breach, and include a clear explanation of the delay. The UK GDPR explicitly allows late notification provided reasons are given. However, persistent or unexplained lateness is itself a breach of Article 33 and can attract enforcement action, including fines.
Do I need to report a breach if data was encrypted?
Generally no, provided the encryption was strong, the keys were not compromised, and there is no residual risk to individuals. For example, a lost device with full-disk encryption and a complex passphrase usually does not require notification. You should still log the incident internally and document your risk assessment.
Can I report a breach anonymously on behalf of my employer?
No — ICO breach notifications must come from the data controller and include named contact details (usually the DPO or a senior manager). If you are an employee who suspects your employer is hiding a breach, you can raise concerns separately with the ICO as a whistleblower via their public-facing complaints channel.
How long should I keep records of data breaches?
There is no fixed statutory retention period, but the ICO recommends keeping breach records for at least three years, and longer for serious incidents. Records should include the facts of the breach, its effects, and the remedial action taken — this evidence is essential if the ICO later audits your compliance.
Final Thoughts
Reporting a data breach to the ICO is rarely anyone's idea of a good day, but a calm, well-prepared response can transform a potentially catastrophic incident into a manageable one. Know your 72-hour deadline, keep your breach register up to date, train your staff, and invest in the technical controls that make breaches less likely in the first place. The organisations that suffer least are those that treated incident response as a discipline, not an afterthought.