facebook-pixel

How to Report a Data Breach to the ICO: A Complete UK Guide

L
Lunyb Security Team
··10 min read

If your organisation has suffered a personal data breach, UK GDPR gives you just 72 hours to notify the Information Commissioner's Office (ICO). Miss that deadline without a valid reason, and you could face significant fines on top of any harm caused by the incident itself. This guide walks you through exactly when, how, and what to report to the ICO — plus what to do if you're not sure whether an incident even qualifies as a notifiable breach.

What Counts as a Personal Data Breach Under UK GDPR?

A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It is not limited to cyberattacks — it covers a wide range of everyday incidents.

Common examples include:

  • A ransomware attack that encrypts customer records
  • An email containing personal data sent to the wrong recipient
  • A lost or stolen laptop, USB stick, or paper file containing personal data
  • Unauthorised access to a database by a former employee
  • Accidental deletion of records with no available backup
  • A misconfigured cloud storage bucket exposing customer information

The ICO breaks breaches into three categories: confidentiality breaches (unauthorised disclosure), integrity breaches (unauthorised alteration), and availability breaches (loss of access to data). A single incident can fall into more than one category.

Do You Actually Need to Report It?

Not every breach must be reported to the ICO. Under Article 33 of the UK GDPR, you only need to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. If it's unlikely to cause any risk, you can document it internally without reporting.

Factors That Increase the Risk

Consider notification more seriously when the breach involves:

  • Special category data (health, race, religion, sexual orientation, biometric data)
  • Financial information or payment card data
  • Children's data
  • Large volumes of individuals
  • Data that could enable identity theft or fraud
  • Vulnerable individuals (e.g. domestic abuse survivors)

When Notification Is Not Required

You typically do not need to notify the ICO if the compromised data was strongly encrypted, the keys are still secure, and no availability issues exist. Similarly, if a lost device is remotely wiped before being accessed, the risk may be considered negligible. However, you must still document your reasoning — the ICO can ask to see your internal breach log at any time.

The 72-Hour Rule Explained

The 72-hour clock starts the moment you become aware of the breach — not when it happened, and not when you've finished investigating. "Aware" means you have a reasonable degree of certainty that a security incident has occurred which led to personal data being compromised.

Key points about the deadline:

  1. 72 hours includes weekends and bank holidays. A breach discovered on Friday afternoon must be reported by Monday afternoon.
  2. You can submit a partial report. If you don't have all the facts, tell the ICO what you know and provide updates in phases.
  3. Late reports must include reasons. If you miss the deadline, you must explain why in the submission.
  4. Processors must notify controllers "without undue delay." If you're a data processor, your obligation is to your controller, not directly to the ICO.

How to Report a Data Breach to the ICO: Step by Step

Step 1: Contain the Breach

Before you notify anyone, act to limit further damage. Disconnect affected systems, revoke compromised credentials, recall misdirected emails where possible, and preserve logs and evidence for the investigation.

Step 2: Assess the Risk

Document what data was involved, how many individuals are affected, what the likely consequences are, and what mitigating factors apply (encryption, quick recovery, limited exposure). This risk assessment determines whether ICO notification is required and whether you also need to inform the affected individuals.

Step 3: Choose the Right Reporting Channel

The ICO offers several ways to report, depending on the type of breach:

  • Online reporting form: The primary route for most personal data breaches, available on ico.org.uk.
  • Breach helpline (0303 123 1113): Open Monday to Friday, 9am-5pm. Useful for urgent guidance.
  • Separate forms exist for PECR breaches (electronic communications), trust service breaches, and NIS breaches (essential services and digital service providers).

Step 4: Complete the Notification

The ICO's online form will ask you to provide the details listed in the next section. Take time to be accurate — misleading information can worsen the ICO's assessment of your handling.

Step 5: Notify Affected Individuals (If Required)

If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also notify them directly, in clear and plain language, without undue delay. This is a separate obligation from reporting to the ICO.

Step 6: Document Everything

Whether or not you report to the ICO, you must keep an internal record of every personal data breach. Include the facts, effects, remedial action, and your reasoning for the decisions you took.

What Information the ICO Requires

Your notification should include, as a minimum, the following information under Article 33(3) of the UK GDPR:

CategoryDetails Required
Nature of the breachWhat happened, when it happened, when you became aware
Data categoriesTypes of personal data affected (names, emails, financial data, special category data)
Data subjectsApproximate number of individuals affected and category (customers, employees, children)
Records affectedApproximate number of personal data records concerned
Likely consequencesPotential harm — identity theft, financial loss, distress, discrimination
Measures takenContainment steps, mitigation actions, plans to prevent recurrence
Contact detailsYour Data Protection Officer or main point of contact
Cross-border impactWhether individuals in the EEA are affected (may trigger EU notifications too)

Notifying the Individuals Affected

When high risk is present, communication to affected individuals must be direct (email, letter, or in-app message) rather than buried in a press release. It must include:

  • A clear description of the breach in plain English
  • The name and contact details of your Data Protection Officer
  • The likely consequences for the individual
  • The measures you've taken or propose to take
  • Practical advice on how the individual can protect themselves (e.g. change passwords, monitor bank statements, watch for phishing attempts)

If direct notification would require disproportionate effort — for example, if you've lost contact details — a public communication such as a website notice can be acceptable, but you must still make reasonable efforts.

Common Mistakes to Avoid

1. Waiting Until You Have All the Facts

The ICO would rather receive an incomplete initial report on time than a perfect one three weeks later. Submit what you know and follow up.

2. Under-Reporting the Number Affected

If in doubt, provide a realistic estimate and clearly mark it as such. Suddenly revising a figure upwards later damages credibility.

3. Failing to Document "No-Report" Decisions

If you decide a breach doesn't need reporting, write down why. The ICO expects to see that reasoning if they investigate later.

4. Ignoring Third-Party Breaches

If a processor (a supplier processing data on your behalf) suffers a breach, you as the controller are still responsible for reporting to the ICO. Make sure your contracts require immediate processor notification.

5. Communicating Poorly with Affected Individuals

Vague, jargon-filled notifications often generate more complaints and regulator scrutiny than the breach itself. Be honest, specific, and actionable.

Potential Penalties for Non-Compliance

The ICO can issue fines of up to £8.7 million or 2% of global annual turnover (whichever is higher) for failing to notify a breach properly. More serious infringements of UK GDPR can attract fines of up to £17.5 million or 4% of turnover.

However, fines are not automatic. The ICO considers factors like the nature of the breach, your cooperation, whether you had appropriate technical and organisational measures in place, and your previous compliance record. Organisations that self-report promptly, communicate transparently, and demonstrate genuine remediation efforts typically fare much better than those who try to conceal incidents.

Preventing the Next Breach

The best breach report is the one you never have to file. Practical steps to reduce your risk include:

  • Encrypt personal data at rest and in transit — encrypted data that's stolen often doesn't trigger notification obligations.
  • Implement least-privilege access controls and review them regularly.
  • Train staff on phishing, misdirected emails, and secure data handling — human error causes most breaches.
  • Use secure link-sharing tools when distributing files or campaign URLs. Services like Lunyb let you create shortened, trackable links with expiry dates and password protection, reducing the risk of sensitive URLs being forwarded or indexed. For a wider comparison, see our 2026 URL shortener buyer's guide.
  • Maintain and test backups so that ransomware or accidental deletion doesn't become an availability breach.
  • Run tabletop exercises simulating breach scenarios so your team knows what to do in the first hour.
  • Vet suppliers and ensure data processing agreements require prompt breach notification.

Special Cases and Sector-Specific Rules

Financial Services

Firms regulated by the FCA may also need to notify their regulator under Principle 11 and SUP 15. This is separate from the ICO obligation.

Health and Social Care

NHS bodies use the Data Security and Protection Toolkit incident reporting tool, which forwards notifications to the ICO automatically for serious breaches.

Telecoms and ISPs

Providers of publicly available electronic communications services must report certain breaches within 24 hours under PECR, using a dedicated form.

Essential Services and Digital Providers

Organisations covered by the NIS Regulations have parallel obligations to report significant cyber incidents to their competent authority — which for digital service providers is the ICO.

Frequently Asked Questions

How long do I have to report a data breach to the ICO?

You must report a notifiable personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If you miss the deadline, you must include reasons for the delay in your notification.

What happens if I don't report a data breach?

Failing to report a notifiable breach can attract a fine of up to £8.7 million or 2% of global annual turnover. It can also worsen the ICO's response to the underlying incident. Even for non-notifiable breaches, you must keep internal records.

Do I need to tell customers about every data breach?

No. You only need to notify affected individuals when the breach is likely to result in a high risk to their rights and freedoms. Lower-risk breaches may still be reportable to the ICO but do not require individual notification.

Can I report a data breach anonymously?

No. Organisations reporting under UK GDPR must identify themselves and provide contact details. However, individuals who want to report a concern about an organisation's data handling can do so via the ICO's separate concerns process.

What if the breach happened at a supplier, not us?

If you are the data controller and your processor suffers a breach, you remain responsible for notifying the ICO. Your processor must inform you "without undue delay" — check your data processing agreement to confirm the timeframe and information they must provide.

Should I get legal advice before reporting?

For significant breaches, yes — but do not let waiting for legal advice cause you to miss the 72-hour deadline. It is generally better to submit an initial report on time and follow up with additional context than to be late.

Final Thoughts

Reporting a data breach to the ICO can feel daunting, but the process rewards honesty, speed, and good documentation. Have an incident response plan ready before you need it, train the people who might discover a breach first (typically IT and customer service), and remember that the ICO expects reasonable, proportionate action — not perfection. Organisations that handle breaches transparently often emerge with their reputation, and their regulator relationship, stronger than before.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles