How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR gives you just 72 hours to notify the Information Commissioner's Office (ICO). Miss that deadline without a valid reason, and you could face significant fines on top of any harm caused by the incident itself. This guide walks you through exactly when, how, and what to report to the ICO — plus what to do if you're not sure whether an incident even qualifies as a notifiable breach.
What Counts as a Personal Data Breach Under UK GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to cyberattacks — it covers a wide range of everyday incidents.
Common examples include:
- A ransomware attack that encrypts customer records
- An email containing personal data sent to the wrong recipient
- A lost or stolen laptop, USB stick, or paper file containing personal data
- Unauthorised access to a database by a former employee
- Accidental deletion of records with no available backup
- A misconfigured cloud storage bucket exposing customer information
The ICO breaks breaches into three categories: confidentiality breaches (unauthorised disclosure), integrity breaches (unauthorised alteration), and availability breaches (loss of access to data). A single incident can fall into more than one category.
Do You Actually Need to Report It?
Not every breach must be reported to the ICO. Under Article 33 of the UK GDPR, you only need to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. If it's unlikely to cause any risk, you can document it internally without reporting.
Factors That Increase the Risk
Consider notification more seriously when the breach involves:
- Special category data (health, race, religion, sexual orientation, biometric data)
- Financial information or payment card data
- Children's data
- Large volumes of individuals
- Data that could enable identity theft or fraud
- Vulnerable individuals (e.g. domestic abuse survivors)
When Notification Is Not Required
You typically do not need to notify the ICO if the compromised data was strongly encrypted, the keys are still secure, and no availability issues exist. Similarly, if a lost device is remotely wiped before being accessed, the risk may be considered negligible. However, you must still document your reasoning — the ICO can ask to see your internal breach log at any time.
The 72-Hour Rule Explained
The 72-hour clock starts the moment you become aware of the breach — not when it happened, and not when you've finished investigating. "Aware" means you have a reasonable degree of certainty that a security incident has occurred which led to personal data being compromised.
Key points about the deadline:
- 72 hours includes weekends and bank holidays. A breach discovered on Friday afternoon must be reported by Monday afternoon.
- You can submit a partial report. If you don't have all the facts, tell the ICO what you know and provide updates in phases.
- Late reports must include reasons. If you miss the deadline, you must explain why in the submission.
- Processors must notify controllers "without undue delay." If you're a data processor, your obligation is to your controller, not directly to the ICO.
How to Report a Data Breach to the ICO: Step by Step
Step 1: Contain the Breach
Before you notify anyone, act to limit further damage. Disconnect affected systems, revoke compromised credentials, recall misdirected emails where possible, and preserve logs and evidence for the investigation.
Step 2: Assess the Risk
Document what data was involved, how many individuals are affected, what the likely consequences are, and what mitigating factors apply (encryption, quick recovery, limited exposure). This risk assessment determines whether ICO notification is required and whether you also need to inform the affected individuals.
Step 3: Choose the Right Reporting Channel
The ICO offers several ways to report, depending on the type of breach:
- Online reporting form: The primary route for most personal data breaches, available on ico.org.uk.
- Breach helpline (0303 123 1113): Open Monday to Friday, 9am-5pm. Useful for urgent guidance.
- Separate forms exist for PECR breaches (electronic communications), trust service breaches, and NIS breaches (essential services and digital service providers).
Step 4: Complete the Notification
The ICO's online form will ask you to provide the details listed in the next section. Take time to be accurate — misleading information can worsen the ICO's assessment of your handling.
Step 5: Notify Affected Individuals (If Required)
If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also notify them directly, in clear and plain language, without undue delay. This is a separate obligation from reporting to the ICO.
Step 6: Document Everything
Whether or not you report to the ICO, you must keep an internal record of every personal data breach. Include the facts, effects, remedial action, and your reasoning for the decisions you took.
What Information the ICO Requires
Your notification should include, as a minimum, the following information under Article 33(3) of the UK GDPR:
| Category | Details Required |
|---|---|
| Nature of the breach | What happened, when it happened, when you became aware |
| Data categories | Types of personal data affected (names, emails, financial data, special category data) |
| Data subjects | Approximate number of individuals affected and category (customers, employees, children) |
| Records affected | Approximate number of personal data records concerned |
| Likely consequences | Potential harm — identity theft, financial loss, distress, discrimination |
| Measures taken | Containment steps, mitigation actions, plans to prevent recurrence |
| Contact details | Your Data Protection Officer or main point of contact |
| Cross-border impact | Whether individuals in the EEA are affected (may trigger EU notifications too) |
Notifying the Individuals Affected
When high risk is present, communication to affected individuals must be direct (email, letter, or in-app message) rather than buried in a press release. It must include:
- A clear description of the breach in plain English
- The name and contact details of your Data Protection Officer
- The likely consequences for the individual
- The measures you've taken or propose to take
- Practical advice on how the individual can protect themselves (e.g. change passwords, monitor bank statements, watch for phishing attempts)
If direct notification would require disproportionate effort — for example, if you've lost contact details — a public communication such as a website notice can be acceptable, but you must still make reasonable efforts.
Common Mistakes to Avoid
1. Waiting Until You Have All the Facts
The ICO would rather receive an incomplete initial report on time than a perfect one three weeks later. Submit what you know and follow up.
2. Under-Reporting the Number Affected
If in doubt, provide a realistic estimate and clearly mark it as such. Suddenly revising a figure upwards later damages credibility.
3. Failing to Document "No-Report" Decisions
If you decide a breach doesn't need reporting, write down why. The ICO expects to see that reasoning if they investigate later.
4. Ignoring Third-Party Breaches
If a processor (a supplier processing data on your behalf) suffers a breach, you as the controller are still responsible for reporting to the ICO. Make sure your contracts require immediate processor notification.
5. Communicating Poorly with Affected Individuals
Vague, jargon-filled notifications often generate more complaints and regulator scrutiny than the breach itself. Be honest, specific, and actionable.
Potential Penalties for Non-Compliance
The ICO can issue fines of up to £8.7 million or 2% of global annual turnover (whichever is higher) for failing to notify a breach properly. More serious infringements of UK GDPR can attract fines of up to £17.5 million or 4% of turnover.
However, fines are not automatic. The ICO considers factors like the nature of the breach, your cooperation, whether you had appropriate technical and organisational measures in place, and your previous compliance record. Organisations that self-report promptly, communicate transparently, and demonstrate genuine remediation efforts typically fare much better than those who try to conceal incidents.
Preventing the Next Breach
The best breach report is the one you never have to file. Practical steps to reduce your risk include:
- Encrypt personal data at rest and in transit — encrypted data that's stolen often doesn't trigger notification obligations.
- Implement least-privilege access controls and review them regularly.
- Train staff on phishing, misdirected emails, and secure data handling — human error causes most breaches.
- Use secure link-sharing tools when distributing files or campaign URLs. Services like Lunyb let you create shortened, trackable links with expiry dates and password protection, reducing the risk of sensitive URLs being forwarded or indexed. For a wider comparison, see our 2026 URL shortener buyer's guide.
- Maintain and test backups so that ransomware or accidental deletion doesn't become an availability breach.
- Run tabletop exercises simulating breach scenarios so your team knows what to do in the first hour.
- Vet suppliers and ensure data processing agreements require prompt breach notification.
Special Cases and Sector-Specific Rules
Financial Services
Firms regulated by the FCA may also need to notify their regulator under Principle 11 and SUP 15. This is separate from the ICO obligation.
Health and Social Care
NHS bodies use the Data Security and Protection Toolkit incident reporting tool, which forwards notifications to the ICO automatically for serious breaches.
Telecoms and ISPs
Providers of publicly available electronic communications services must report certain breaches within 24 hours under PECR, using a dedicated form.
Essential Services and Digital Providers
Organisations covered by the NIS Regulations have parallel obligations to report significant cyber incidents to their competent authority — which for digital service providers is the ICO.
Frequently Asked Questions
How long do I have to report a data breach to the ICO?
You must report a notifiable personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If you miss the deadline, you must include reasons for the delay in your notification.
What happens if I don't report a data breach?
Failing to report a notifiable breach can attract a fine of up to £8.7 million or 2% of global annual turnover. It can also worsen the ICO's response to the underlying incident. Even for non-notifiable breaches, you must keep internal records.
Do I need to tell customers about every data breach?
No. You only need to notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms. Lower-risk breaches may still be reportable to the ICO but do not require individual notification.
Can I report a data breach anonymously?
No. Organisations reporting under UK GDPR must identify themselves and provide contact details. However, individuals who want to report a concern about an organisation's data handling can do so via the ICO's separate concerns process.
What if the breach happened at a supplier, not us?
If you are the data controller and your processor suffers a breach, you remain responsible for notifying the ICO. Your processor must inform you "without undue delay" — check your data processing agreement to confirm the timeframe and information they must provide.
Should I get legal advice before reporting?
For significant breaches, yes — but do not let waiting for legal advice cause you to miss the 72-hour deadline. It is generally better to submit an initial report on time and follow up with additional context than to be late.
Final Thoughts
Reporting a data breach to the ICO can feel daunting, but the process rewards honesty, speed, and good documentation. Have an incident response plan ready before you need it, train the people who might discover a breach first (typically IT and customer service), and remember that the ICO expects reasonable, proportionate action — not perfection. Organisations that handle breaches transparently often emerge with their reputation, and their regulator relationship, stronger than before.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
How to Check if Your Password Was Leaked in a Data Breach (2026 Guide)
Wondering if your password has been exposed in a data breach? This step-by-step guide shows you how to check safely using trusted tools like Have I Been Pwned, browser password checkers, and password managers — plus exactly what to do if you find a compromised password.
How to Block Trackers on Your Phone: The Complete 2026 Guide
Trackers inside apps and websites quietly log your every move. This step-by-step guide shows exactly how to block trackers on your phone using free iOS and Android tools, encrypted DNS, and smart app hygiene.
How to Safely Share Your Location with Family: A Complete 2026 Guide
Sharing your location with family can bring peace of mind — or serious privacy risks if done wrong. This 2026 guide compares the safest tools, walks through step-by-step setup, and shows you how to protect kids, teens, and adults from location-data misuse.
How to Hide Photos with an Encrypted Photo Vault: Complete 2026 Guide
An encrypted photo vault turns your sensitive images into ciphertext only you can unlock. This guide walks through how vaults work, how to set one up correctly on iOS and Android, and which apps are trustworthy in 2026.