How to Report a Data Breach to the ICO: A Complete UK Guide
If your organisation has suffered a personal data breach, UK GDPR requires you to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it — provided the breach poses a risk to individuals' rights and freedoms. Missing that deadline, or getting the process wrong, can result in fines of up to £17.5 million or 4% of global annual turnover, whichever is higher.
This guide walks you through exactly how to report a data breach to the ICO, when reporting is required, what information you'll need, and what to do after you've submitted your notification.
What Counts as a Personal Data Breach Under UK GDPR?
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It's broader than most people assume — it isn't just hacking or cyberattacks.
Under Article 4(12) of the UK GDPR, breaches fall into three categories:
- Confidentiality breach — unauthorised or accidental disclosure or access to personal data (e.g. an email sent to the wrong recipient).
- Integrity breach — unauthorised or accidental alteration of personal data.
- Availability breach — accidental or unauthorised loss of access to, or destruction of, personal data (e.g. a ransomware attack, or a lost laptop with unencrypted files).
Common Examples of Reportable Breaches
- Ransomware encrypting customer records
- Lost or stolen unencrypted laptops, USB sticks or phones
- Emails containing personal data sent to the wrong person
- Misconfigured cloud storage exposing files publicly
- Phishing attacks leading to compromised employee accounts
- Physical documents lost in transit or improperly disposed of
When Must You Report a Breach to the ICO?
You must report a breach to the ICO when it is likely to result in a risk to the rights and freedoms of natural persons. Not every breach meets this threshold — but you must document every breach you become aware of, even if you decide not to report it.
The 72-Hour Rule
The clock starts the moment your organisation becomes aware of the breach — not when the incident first occurred. "Awareness" means you have a reasonable degree of certainty that a security incident has led to personal data being compromised.
If you can't gather all the information within 72 hours, you can still submit an initial report and provide further details in phases. The ICO explicitly allows this — what they don't allow is silence.
Risk Assessment: Is Notification Required?
To decide whether to notify, consider:
- The type of breach — confidentiality, integrity, or availability.
- The nature and sensitivity of the data — health, financial, or special category data raises the risk significantly.
- The volume of individuals affected — more people generally means higher risk.
- The ease of identification — was the data encrypted, pseudonymised, or in the clear?
- The severity of consequences — could individuals suffer financial loss, identity theft, discrimination or reputational harm?
When You Must Also Notify the Individuals
If the breach is likely to result in a high risk to individuals, you must also notify them directly, without undue delay. This is a higher threshold than notifying the ICO. Notification to affected individuals must be in clear, plain language and explain what's happened, what data is affected, and what steps they should take.
How to Report a Data Breach to the ICO: Step-by-Step
Step 1: Contain the Breach Immediately
Before you touch a notification form, contain the incident. Isolate affected systems, revoke compromised credentials, disable exposed links, and preserve logs for the investigation. Document every action with timestamps — the ICO will want to see this.
Step 2: Assemble Your Breach Response Team
Bring together your Data Protection Officer (DPO), IT/security leads, legal counsel, and a senior decision-maker. If you're a small business without a dedicated DPO, the responsibility falls on your data controller — usually a director or the business owner.
Step 3: Gather the Required Information
The ICO's report form asks for specific details. Prepare the following before you start:
- Your organisation's name, sector, and ICO registration number
- Contact details for the person reporting and the DPO
- Date and time the breach occurred and when you became aware
- Description of the breach (what happened, how, and why)
- Categories and approximate number of individuals affected
- Categories and approximate number of personal data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Whether affected individuals have been informed
Step 4: Choose Your Reporting Method
The ICO offers three ways to report:
- Online form — the fastest and preferred method, available at ico.org.uk. Best for most non-cyber incidents.
- ICO helpline — call 0303 123 1113 (option 3). Useful for urgent or complex incidents where you need guidance.
- Cyber incident report — a dedicated form for cyber-related breaches, aligned with the National Cyber Security Centre.
Step 5: Submit and Record Your Reference Number
Once submitted, you'll receive a confirmation and case reference. Store this alongside your internal breach register. If you couldn't provide full information at first, use the reference number to submit updates.
Step 6: Follow Up in Writing
Expect the ICO to acknowledge your report within a few days. They may request further information, ask about your remediation plan, or open a formal investigation depending on severity.
Reportable vs Non-Reportable Breaches: Quick Comparison
| Scenario | Report to ICO? | Notify Individuals? |
|---|---|---|
| Encrypted laptop lost, strong encryption in place | Usually no (document only) | No |
| Unencrypted USB with customer names and addresses lost | Yes | Possibly |
| Ransomware attack on customer database | Yes | Yes (high risk) |
| Email with one recipient's data sent to another customer | Case-by-case | Usually yes |
| Mass email exposing recipients in the To field | Often yes | Yes |
| Health records disclosed to unauthorised party | Yes | Yes |
| Website defacement, no personal data accessed | No | No |
What Happens After You Report?
The ICO's response depends on the severity, your handling of the incident, and your organisation's overall data protection posture.
Possible ICO Outcomes
- No further action — the ICO records the breach and closes the case.
- Guidance issued — recommendations for improving your practices.
- Formal investigation — for serious or systemic issues.
- Enforcement action — reprimands, enforcement notices, or monetary penalties.
Timeline of a Typical Investigation
- Days 0–3: You report; the ICO acknowledges.
- Weeks 1–4: Initial assessment. The ICO may request further information.
- Months 1–6: Investigation phase, if opened. Interviews, document requests, and technical review.
- Months 6–12: Outcome — closure letter, reprimand, or enforcement decision.
Common Mistakes When Reporting to the ICO
1. Waiting Too Long
Many organisations delay reporting while they "investigate fully." This is a mistake — a partial report submitted within 72 hours is far better than a complete one at day five. The ICO expects follow-up detail.
2. Under-reporting the Impact
Understating the number of affected individuals or the sensitivity of the data breeds distrust. If your numbers change later, be transparent about the revision.
3. Failing to Document Non-Reportable Breaches
Article 33(5) UK GDPR requires you to maintain an internal register of all breaches, including those that didn't meet the reporting threshold. The ICO can ask to see this at any time.
4. Not Informing Affected Individuals
When high risk exists, individual notification is mandatory. Hiding behind ICO reporting alone is not compliance.
5. Poor Post-Breach Remediation
The ICO judges you not just on the breach, but on your response. Weak follow-up — no root cause analysis, no policy changes, no staff retraining — makes enforcement much more likely.
Preventing Future Breaches
Reporting is only the beginning. To reduce the likelihood of future incidents, invest in layered defences:
- Access control — enforce least privilege and multi-factor authentication.
- Encryption — encrypt data at rest and in transit; encrypted data is often not reportable.
- Staff training — most breaches involve human error. Phishing simulations and regular refreshers work.
- Secure link sharing — when sharing sensitive resources or campaign URLs, use a trusted shortener with tracking, expiry and password protection. Tools like Lunyb let you generate short links that can be disabled instantly if a breach is suspected — a small but useful control in your response toolkit.
- Incident response plan — rehearse it. A tested playbook makes the difference between a 72-hour report and a chaotic scramble.
- Data minimisation — the less personal data you hold, the smaller your breach exposure.
If you're reviewing tools used to share campaign links or internal resources, our 2026 URL shortener buyer's guide compares options with security features in mind, and our honest Lunyb review covers privacy considerations in detail.
Special Cases: Processors, Public Bodies and Small Businesses
If You're a Data Processor
Processors don't report directly to the ICO. Instead, they must notify the data controller "without undue delay" after becoming aware of the breach. The controller then assesses whether to report to the ICO.
Public Sector Bodies
Local authorities, NHS trusts, and government departments face heightened scrutiny. Additional reporting obligations may apply under NIS Regulations or sector-specific rules.
Small Businesses and Sole Traders
The same rules apply, but the ICO recognises proportionality. If you're a sole trader without a DPO, focus on documenting the breach clearly, reporting promptly, and demonstrating that you've taken reasonable steps to fix the underlying issue.
Frequently Asked Questions
What is the deadline to report a data breach to the ICO?
You must report a notifiable personal data breach to the ICO within 72 hours of becoming aware of it. If you can't provide full details in that window, submit an initial report and follow up with additional information as your investigation progresses.
What happens if I miss the 72-hour deadline?
Late reporting is itself a breach of UK GDPR. You should still report as soon as possible and explain the reason for the delay in your notification. The ICO considers your overall handling of the incident, so honesty and a strong remediation plan can mitigate the impact.
Do I have to report every data breach?
No. You only need to report breaches likely to result in a risk to individuals' rights and freedoms. However, you must document every breach internally — including those you decide not to report — with your risk assessment reasoning.
Can the ICO fine me just for reporting a breach?
Reporting itself doesn't trigger a fine. The ICO issues penalties for serious failings — such as inadequate security, systemic non-compliance, or ignoring your obligations. Timely, transparent reporting is generally viewed favourably and reduces the chance of enforcement.
Do I need to tell customers if I've had a breach?
You must inform affected individuals directly if the breach is likely to result in a high risk to their rights and freedoms — for example, exposure of financial details, health data, or credentials that could enable identity theft. Communication should be clear, plain, and offer practical steps individuals can take to protect themselves.
Where can I find the ICO's official breach reporting form?
The ICO's breach reporting service is at ico.org.uk under "Report a breach." You can also call the ICO helpline on 0303 123 1113 for urgent guidance, particularly outside standard business hours for major cyber incidents.
Protect your links with Lunyb
Create secure, trackable short links and QR codes in seconds.
Get Started FreeRelated Articles
How to Hide Photos with an Encrypted Photo Vault: Complete 2026 Guide
Learn how to hide photos with an encrypted photo vault using zero-knowledge, AES-256 apps. This step-by-step guide covers setup, backups, common mistakes, and how to choose the right vault for your privacy needs.
How to Do a Reverse Image Search to Find Your Photos Online
Learn how to do a reverse image search to find your photos online using Google, Yandex, TinEye, and more. This step-by-step guide covers desktop and mobile methods, advanced techniques for spotting cropped or edited copies, and what to do when you find stolen images.
How to Check if a Link Is Safe Before Clicking: The Complete 2026 Guide
Discover 10 proven ways to check if a link is safe before clicking, including free scanners, URL expanders, and red flags to watch for. Protect yourself from phishing, malware, and scams in 2026 with this complete step-by-step guide.
How to Erase Your Browsing History Completely: The 2026 Guide
Deleting your browser history isn't enough — cached files, DNS records, and cloud syncs can still expose your activity. This 2026 guide shows you how to erase your browsing history completely across every device, account, and hidden storage layer.