facebook-pixel

How to Report a Data Breach to the ICO: A Complete UK Guide

L
Lunyb Security Team
··9 min read

If your organisation has suffered a personal data breach, UK GDPR requires you to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it — provided the breach poses a risk to individuals' rights and freedoms. Missing that deadline, or getting the process wrong, can result in fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.

This guide walks you through exactly how to report a data breach to the ICO, when reporting is required, what information you'll need, and what to do after you've submitted your notification.

What Counts as a Personal Data Breach Under UK GDPR?

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It's broader than most people assume — it isn't just hacking or cyberattacks.

Under Article 4(12) of the UK GDPR, breaches fall into three categories:

  • Confidentiality breach — unauthorised or accidental disclosure or access to personal data (e.g. an email sent to the wrong recipient).
  • Integrity breach — unauthorised or accidental alteration of personal data.
  • Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data (e.g. a ransomware attack, or a lost laptop with unencrypted files).

Common Examples of Reportable Breaches

  • Ransomware encrypting customer records
  • Lost or stolen unencrypted laptops, USB sticks or phones
  • Emails containing personal data sent to the wrong person
  • Misconfigured cloud storage exposing files publicly
  • Phishing attacks leading to compromised employee accounts
  • Physical documents lost in transit or improperly disposed of

When Must You Report a Breach to the ICO?

You must report a breach to the ICO when it is likely to result in a risk to the rights and freedoms of natural persons. Not every breach meets this threshold — but you must document every breach you become aware of, even if you decide not to report it.

The 72-Hour Rule

The clock starts the moment your organisation becomes aware of the breach — not when the incident first occurred. "Awareness" means you have a reasonable degree of certainty that a security incident has led to personal data being compromised.

If you can't gather all the information within 72 hours, you can still submit an initial report and provide further details in phases. The ICO explicitly allows this — what they don't allow is silence.

Risk Assessment: Is Notification Required?

To decide whether to notify, consider:

  1. The type of breach — confidentiality, integrity, or availability.
  2. The nature and sensitivity of the data — health, financial, or special category data raises the risk significantly.
  3. The volume of individuals affected — more people generally means higher risk.
  4. The ease of identification — was the data encrypted, pseudonymised, or in the clear?
  5. The severity of consequences — could individuals suffer financial loss, identity theft, discrimination or reputational harm?

When You Must Also Notify the Individuals

If the breach is likely to result in a high risk to individuals, you must also notify them directly, without undue delay. This is a higher threshold than notifying the ICO. Notification to affected individuals must be in clear, plain language and explain what's happened, what data is affected, and what steps they should take.

How to Report a Data Breach to the ICO: Step-by-Step

Step 1: Contain the Breach Immediately

Before you touch a notification form, contain the incident. Isolate affected systems, revoke compromised credentials, disable exposed links, and preserve logs for the investigation. Document every action with timestamps — the ICO will want to see this.

Step 2: Assemble Your Breach Response Team

Bring together your Data Protection Officer (DPO), IT/security leads, legal counsel, and a senior decision-maker. If you're a small business without a dedicated DPO, the responsibility falls on your data controller — usually a director or the business owner.

Step 3: Gather the Required Information

The ICO's report form asks for specific details. Prepare the following before you start:

  • Your organisation's name, sector, and ICO registration number
  • Contact details for the person reporting and the DPO
  • Date and time the breach occurred and when you became aware
  • Description of the breach (what happened, how, and why)
  • Categories and approximate number of individuals affected
  • Categories and approximate number of personal data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate harm
  • Whether affected individuals have been informed

Step 4: Choose Your Reporting Method

The ICO offers three ways to report:

  1. Online form — the fastest and preferred method, available at ico.org.uk. Best for most non-cyber incidents.
  2. ICO helpline — call 0303 123 1113 (option 3). Useful for urgent or complex incidents where you need guidance.
  3. Cyber incident report — a dedicated form for cyber-related breaches, aligned with the National Cyber Security Centre.

Step 5: Submit and Record Your Reference Number

Once submitted, you'll receive a confirmation and case reference. Store this alongside your internal breach register. If you couldn't provide full information at first, use the reference number to submit updates.

Step 6: Follow Up in Writing

Expect the ICO to acknowledge your report within a few days. They may request further information, ask about your remediation plan, or open a formal investigation depending on severity.

Reportable vs Non-Reportable Breaches: Quick Comparison

ScenarioReport to ICO?Notify Individuals?
Encrypted laptop lost, strong encryption in placeUsually no (document only)No
Unencrypted USB with customer names and addresses lostYesPossibly
Ransomware attack on customer databaseYesYes (high risk)
Email with one recipient's data sent to another customerCase-by-caseUsually yes
Mass email exposing recipients in the To fieldOften yesYes
Health records disclosed to unauthorised partyYesYes
Website defacement, no personal data accessedNoNo

What Happens After You Report?

The ICO's response depends on the severity, your handling of the incident, and your organisation's overall data protection posture.

Possible ICO Outcomes

  • No further action — the ICO records the breach and closes the case.
  • Guidance issued — recommendations for improving your practices.
  • Formal investigation — for serious or systemic issues.
  • Enforcement action — reprimands, enforcement notices, or monetary penalties.

Timeline of a Typical Investigation

  1. Days 0–3: You report; the ICO acknowledges.
  2. Weeks 1–4: Initial assessment. The ICO may request further information.
  3. Months 1–6: Investigation phase, if opened. Interviews, document requests, and technical review.
  4. Months 6–12: Outcome — closure letter, reprimand, or enforcement decision.

Common Mistakes When Reporting to the ICO

1. Waiting Too Long

Many organisations delay reporting while they "investigate fully." This is a mistake — a partial report submitted within 72 hours is far better than a complete one at day five. The ICO expects follow-up detail.

2. Under-reporting the Impact

Understating the number of affected individuals or the sensitivity of the data breeds distrust. If your numbers change later, be transparent about the revision.

3. Failing to Document Non-Reportable Breaches

Article 33(5) UK GDPR requires you to maintain an internal register of all breaches, including those that didn't meet the reporting threshold. The ICO can ask to see this at any time.

4. Not Informing Affected Individuals

When high risk exists, individual notification is mandatory. Hiding behind ICO reporting alone is not compliance.

5. Poor Post-Breach Remediation

The ICO judges you not just on the breach, but on your response. Weak follow-up — no root cause analysis, no policy changes, no staff retraining — makes enforcement much more likely.

Preventing Future Breaches

Reporting is only the beginning. To reduce the likelihood of future incidents, invest in layered defences:

  • Access control — enforce least privilege and multi-factor authentication.
  • Encryption — encrypt data at rest and in transit; encrypted data is often not reportable.
  • Staff training — most breaches involve human error. Phishing simulations and regular refreshers work.
  • Secure link sharing — when sharing sensitive resources or campaign URLs, use a trusted shortener with tracking, expiry and password protection. Tools like Lunyb let you generate short links that can be disabled instantly if a breach is suspected — a small but useful control in your response toolkit.
  • Incident response plan — rehearse it. A tested playbook makes the difference between a 72-hour report and a chaotic scramble.
  • Data minimisation — the less personal data you hold, the smaller your breach exposure.

If you're reviewing tools used to share campaign links or internal resources, our 2026 URL shortener buyer's guide compares options with security features in mind, and our honest Lunyb review covers privacy considerations in detail.

Special Cases: Processors, Public Bodies and Small Businesses

If You're a Data Processor

Processors don't report directly to the ICO. Instead, they must notify the data controller "without undue delay" after becoming aware of the breach. The controller then assesses whether to report to the ICO.

Public Sector Bodies

Local authorities, NHS trusts, and government departments face heightened scrutiny. Additional reporting obligations may apply under NIS Regulations or sector-specific rules.

Small Businesses and Sole Traders

The same rules apply, but the ICO recognises proportionality. If you're a sole trader without a DPO, focus on documenting the breach clearly, reporting promptly, and demonstrating that you've taken reasonable steps to fix the underlying issue.

Frequently Asked Questions

What is the deadline to report a data breach to the ICO?

You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. If you can't provide full details in that window, submit an initial report and follow up with additional information as your investigation progresses.

What happens if I miss the 72-hour deadline?

Late reporting is itself a breach of UK GDPR. You should still report as soon as possible and explain the reason for the delay in your notification. The ICO considers your overall handling of the incident, so honesty and a strong remediation plan can mitigate the impact.

Do I have to report every data breach?

No. You only need to report breaches likely to result in a risk to individuals' rights and freedoms. However, you must document every breach internally — including those you decide not to report — with your risk assessment reasoning.

Can the ICO fine me just for reporting a breach?

Reporting itself doesn't trigger a fine. The ICO issues penalties for serious failings — such as inadequate security, systemic non-compliance, or ignoring your obligations. Timely, transparent reporting is generally viewed favourably and reduces the chance of enforcement.

Do I need to tell customers if I've had a breach?

You must inform affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms — for example, exposure of financial details, health data, or credentials that could enable identity theft. Communication should be clear, plain, and offer practical steps individuals can take to protect themselves.

Where can I find the ICO's official breach reporting form?

The ICO's breach reporting service is at ico.org.uk under "Report a breach." You can also call the ICO helpline on 0303 123 1113 for urgent guidance, particularly outside standard business hours for major cyber incidents.

Protect your links with Lunyb

Create secure, trackable short links and QR codes in seconds.

Get Started Free

Related Articles