How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation suffers a personal data breach in the UK, you may have a legal duty to report it to the Information Commissioner's Office (ICO) within 72 hours. Failing to do so can lead to significant fines, reputational damage, and enforcement action. This guide walks you through the entire process — from identifying whether a breach is notifiable, to submitting the report, to handling the aftermath.
What Is a Data Breach Under UK GDPR?
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Under UK GDPR and the Data Protection Act 2018, this definition is deliberately broad and covers far more than just cyberattacks.
Common examples include:
- A laptop or USB stick containing customer data being lost or stolen
- An email sent to the wrong recipient containing personal information
- Ransomware encrypting employee or client records
- A misconfigured cloud storage bucket exposing files publicly
- An unauthorised staff member accessing HR records
- Paperwork being disposed of without proper shredding
The key trigger is a breach of the security principle set out in Article 5(1)(f) of the UK GDPR — confidentiality, integrity, or availability of personal data has been compromised.
The Three Categories of Breach
The ICO recognises three categories, and a single incident can fall into more than one:
- Confidentiality breach — unauthorised or accidental disclosure of, or access to, personal data.
- Integrity breach — unauthorised or accidental alteration of personal data.
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data.
When Do You Need to Report a Breach to the ICO?
You must report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The 72-hour clock starts the moment you have a reasonable degree of certainty that a breach has occurred — not when you've finished investigating.
The Risk Threshold
Not every incident requires notification. You need to assess the likelihood and severity of harm to affected individuals. Consider:
- Type of breach — was data disclosed, lost, or altered?
- Nature and volume of data — special category data (health, biometrics, sexuality) or financial details carry higher risk.
- Ease of identification — was the data encrypted or pseudonymised?
- Severity of consequences — could individuals suffer identity theft, fraud, discrimination, or reputational damage?
- Number of individuals affected — larger numbers generally increase risk.
- Vulnerable individuals — children or those in difficult circumstances warrant extra caution.
Breach Notification Decision Table
| Scenario | Risk Level | Notify ICO? | Notify Individuals? |
|---|---|---|---|
| Encrypted laptop lost, strong password, no PII exposure | Low | No (but document) | No |
| Email with 50 client names/addresses sent to wrong recipient | Medium | Yes | Consider |
| Ransomware attack encrypting customer database | High | Yes | Yes |
| Health records disclosed to unauthorised parties | Very High | Yes (urgent) | Yes (urgent) |
| Website contact form spam (no PII compromised) | Negligible | No | No |
Step-by-Step: How to Report a Data Breach to the ICO
Reporting a breach involves more than filling out a form — it's a structured process that starts the moment an incident is detected. Follow these steps carefully.
Step 1: Contain the Breach
Before anything else, stop the bleeding. Isolate affected systems, revoke compromised credentials, recall misdirected emails where possible, and secure any physical documents. Do not tamper with evidence — forensic data may be needed later.
Step 2: Assess and Document
Record everything you know: what happened, when, who is affected, what data was involved, and what the potential consequences are. Even breaches you decide not to report to the ICO must be logged internally under Article 33(5).
Step 3: Determine If Notification Is Required
Apply the risk threshold test. If in doubt, err on the side of reporting — the ICO views proactive reporting more favourably than concealment. Your Data Protection Officer (DPO), if you have one, should lead this assessment.
Step 4: Choose Your Reporting Method
The ICO offers three ways to report a personal data breach:
- Online form — the preferred method, available at ico.org.uk. It guides you through the required information.
- Telephone — call the ICO helpline on 0303 123 1113 during working hours. Useful for urgent or complex breaches where you need guidance.
- Post — written reports can be sent to the ICO's Wilmslow office, but this is rarely appropriate given the 72-hour deadline.
Step 5: Complete the ICO Breach Report Form
You will need to provide:
- Your organisation's name and contact details
- The nature of the breach (confidentiality, integrity, availability)
- Categories and approximate number of individuals affected
- Categories and approximate number of personal data records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Name and contact details of your DPO or other contact point
If you don't have all the information within 72 hours, submit what you have and provide the rest in phases — this is explicitly permitted under Article 33(4).
Step 6: Notify Affected Individuals (If Required)
If the breach is likely to result in a high risk to individuals, you must inform them directly "without undue delay." The communication must be in clear, plain language and include:
- A description of the breach
- Your DPO or contact person's details
- Likely consequences
- Measures taken and recommended steps for individuals (e.g., changing passwords, monitoring accounts)
Step 7: Cooperate With the ICO
After submission, the ICO may request further information or open an investigation. Respond promptly, honestly, and keep detailed records of all correspondence.
What Happens After You Report?
Once submitted, the ICO will assign a case reference and review your report. Possible outcomes range from no further action to a full regulatory investigation. In 2024–2025, the ICO reported that the majority of self-reported breaches result in advisory guidance rather than fines — particularly when organisations demonstrate transparency and remediation.
Possible Regulatory Actions
- No further action — the breach was minor or handled appropriately.
- Advisory letter — the ICO provides guidance on improvements.
- Formal reprimand — increasingly used since 2022 as a proportionate response.
- Enforcement notice — requires specific corrective action.
- Monetary penalty — up to £17.5 million or 4% of global annual turnover, whichever is higher.
Common Mistakes to Avoid
Many breach reports go wrong for avoidable reasons. Watch out for the following pitfalls:
- Waiting until the investigation is complete — the 72-hour deadline runs from awareness, not from full understanding.
- Under-reporting the scope — always base numbers on the worst plausible interpretation, then correct downwards later if needed.
- Failing to log non-reportable breaches — the ICO can request your breach register at any time.
- Poor internal communication — ensure IT, legal, and DPO teams share information rapidly.
- Not notifying data subjects when required — this is a separate obligation from notifying the ICO.
- Neglecting third-party processors — if a supplier suffered the breach, they must notify you "without undue delay," and you remain the controller responsible for reporting.
How to Prepare Before a Breach Happens
The best time to plan for a breach is before one occurs. Organisations with a written incident response plan consistently report breaches faster and receive better regulatory outcomes.
Building a Breach Response Plan
- Assign responsibility — nominate a breach response lead and a deputy.
- Create a decision tree — pre-agreed criteria for what counts as reportable.
- Prepare templates — draft internal notification, ICO report, and data subject letters in advance.
- Maintain a data map — know where personal data lives so you can assess impact quickly.
- Train staff — everyone should know how to report suspected incidents internally within one hour.
- Run tabletop exercises — simulate breaches at least annually.
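As an added illustration of the risk-threshold test and the decision table above, and of the pre-agreed decision tree the response plan recommends, here is example Python that is not from the original article or the ICO: it scores a constructed breach record on the page's risk factors, applies the ICO and data-subject notification thresholds, and computes the 72-hour deadline from the awareness time. The category groupings, score weights and sample incidents are assumptions for the example, not ICO rules.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
ICO_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours, counted from awareness
SPECIAL_CATEGORY = {"health", "biometrics", "genetic", "sexuality", "ethnicity"}  # assumed grouping
HIGH_HARM = {"financial", "credentials", "identity_documents"}  # assumed grouping

@dataclass
class BreachRecord:
    description: str
    aware_at: datetime             # reasonable certainty reached, not investigation finished
    breach_types: set              # subset of {"confidentiality", "integrity", "availability"}
    data_categories: set           # empty set means no personal data was involved
    individuals_affected: int
    encrypted: bool = False        # data was encrypted at rest when the incident occurred
    keys_compromised: bool = False
    backup_available: bool = True  # only matters for availability breaches
    vulnerable_subjects: bool = False

def assess_risk(r: BreachRecord) -> str:
    # Scores the page's risk factors into negligible / low / medium / high / very high
    if not r.data_categories or r.individuals_affected == 0:
        return "negligible"
    score = 0
    # Confidentiality harm is neutralised when data was encrypted and the keys stayed safe
    if "confidentiality" in r.breach_types and not (r.encrypted and not r.keys_compromised):
        score += 4 if r.data_categories & SPECIAL_CATEGORY else 3 if r.data_categories & HIGH_HARM else 1
    if "availability" in r.breach_types and not r.backup_available:
        score += 2
    if "integrity" in r.breach_types:
        score += 1
    score += int(r.individuals_affected >= 1000) + int(r.vulnerable_subjects)
    return "low" if score == 0 else "medium" if score == 1 else "high" if score <= 3 else "very high"

def notification_decision(r: BreachRecord) -> dict:
    # Applies the risk threshold and computes the ICO deadline from the awareness time
    level = assess_risk(r)
    return {
        "risk": level,
        "notify_ico": level in {"medium", "high", "very high"},
        "notify_individuals": level in {"high", "very high"},  # Article 34 high-risk test
        "log_internally": True,  # Article 33(5): every breach goes in the register
        "ico_deadline": r.aware_at + ICO_WINDOW,
    }

T0 = datetime(2026, 3, 2, 9, 30, tzinfo=timezone.utc)  # constructed awareness time
SAMPLES = {  # constructed incidents mirroring rows of the decision table above
    "laptop": BreachRecord("Encrypted laptop lost", T0, {"confidentiality"}, {"names"}, 200, encrypted=True),
    "email": BreachRecord("Client list sent to wrong recipient", T0, {"confidentiality"}, {"names", "addresses"}, 50),
    "ransomware": BreachRecord("Customer database hit by ransomware", T0, {"availability"}, {"names", "financial"}, 20000, backup_available=False),
    "health": BreachRecord("Patient records disclosed", T0, {"confidentiality"}, {"names", "health"}, 10),
}
```

Run `notification_decision(SAMPLES["ransomware"])` to see the register entry for one incident; the "laptop" sample shows why encryption with uncompromised keys drops an incident below the ICO threshold while still being logged.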
Technical Safeguards That Reduce Notification Obligations
If personal data is properly encrypted and the decryption keys remain uncompromised, the risk to individuals may be low enough that ICO notification isn't required. Similarly, robust access controls, logging, and secure link-sharing practices reduce both the likelihood and impact of breaches. For example, when sharing sensitive URLs internally or externally, using a trusted shortener with analytics and expiration controls like Lunyb can help you monitor who accessed a link and revoke it if a device is lost. For a broader look at secure link management tools, see our 2026 URL shortener buyer's guide.
Reporting Breaches Involving Data Processors
If you use third-party processors — cloud providers, payroll firms, marketing platforms — their breach is legally your breach as the controller. Your contracts (Article 28 Data Processing Agreements) should require processors to notify you "without undue delay" after becoming aware. The 72-hour clock for your ICO report starts when you become aware, so ensure your DPAs specify tight processor notification windows (typically 24 hours or less).
Cross-Border Breaches
If your organisation processes data across multiple EU/EEA jurisdictions, the UK ICO may not be your sole regulator. Since Brexit, UK-based controllers with EU operations may need to notify both the ICO and an EU lead supervisory authority. Coordinate with legal counsel to identify the correct authorities and avoid duplicate or missed notifications.
Frequently Asked Questions
How long do I have to report a data breach to the ICO?
You must report within 72 hours of becoming aware of the breach. "Awareness" means having a reasonable degree of certainty that a security incident has led to personal data being compromised — not the moment you finish investigating. If you miss the deadline, you can still report, but you must explain the delay.
What if I'm not sure whether the breach is reportable?
When in doubt, report it. The ICO explicitly encourages proactive reporting and treats organisations more leniently when they demonstrate transparency. You can also contact the ICO helpline on 0303 123 1113 for informal guidance before submitting a formal report.
Do I need to tell the affected individuals?
Only if the breach is likely to result in a high risk to their rights and freedoms, for example financial loss, identity theft, or exposure of sensitive data. Notification must be in clear language and provided "without undue delay." You do not need to notify individuals if the data was encrypted so that it is unintelligible to anyone not authorised to access it, if you have since taken measures that mean the high risk is no longer likely to materialise, or if individual notification would involve disproportionate effort (in which case a public communication that informs them equally effectively may suffice).
What are the penalties for failing to report a data breach?
Failure to notify can result in administrative fines of up to £8.7 million or 2% of global annual turnover, whichever is higher. If the underlying breach also breaches other UK GDPR principles, penalties can reach £17.5 million or 4% of turnover. Beyond fines, non-reporting damages trust and often leads to more severe regulatory scrutiny.
Do I need to report breaches that only affect employees?
Yes. UK GDPR applies to all personal data, including that of employees, contractors, and job applicants. HR-related breaches — such as payslips sent to the wrong person or leaked personnel records — are just as reportable as customer data breaches if they meet the risk threshold.
Final Thoughts
Reporting a data breach to the ICO can feel daunting, especially under a 72-hour deadline while managing an active incident. But the process is manageable when you have a plan, know the thresholds, and act transparently. Preparation is everything: rehearse your response, document your decisions, and treat every incident — reportable or not — as an opportunity to strengthen your defences.
For further reading on digital privacy and secure link-sharing practices that can reduce your breach exposure, explore our honest review of Lunyb and our 2026 Rebrandly review.