A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. This includes:

Sending personal data to the wrong recipient
Losing a laptop, phone, or USB drive containing personal data
Cyber attacks that access customer or employee records
Ransomware that encrypts personal data you cannot recover
An employee accessing records without authorisation
Accidental deletion of data you needed to keep

If you experience a breach, you must act quickly. UK GDPR gives you just 72 hours to notify the Information Commissioner's Office (ICO) if the breach poses a risk to individuals.

GDPR Data Breach Notification

ICO notification requirements and the 72-hour reporting rule. Pure data reference.

Reporting deadline: Within 72 hours of becoming aware of the breach
Clock starts: When you have reasonable certainty that personal data has been compromised
Individual notification: Required without undue delay if risk to individuals is high
Penalty for non-compliance: Up to £8.7 million or 2% of global annual revenue (whichever is higher) for breach notification failures. More serious violations of data protection principles can result in fines up to £17.5 million or 4% (whichever is higher)

UK GDPR requires data controllers to report personal data breaches to the ICO within 72 hours when the breach poses a risk to individuals. The 72-hour clock starts when you have 'reasonable certainty' a security incident has compromised personal data, not when you discover full details. No notification required if breach is unlikely to result in risk to individuals' rights and freedoms.

Report a breach to the ICO

UK GDPR data breach notification requirements

72-hour breach notification requirement under UK GDPR Article 33. Pure data reference.

UK GDPR requires data controllers to report certain personal data breaches to the ICO and, in some cases, to the individuals affected.

ICO notification deadline: Within 72 hours of becoming aware of the breach
Clock starts when: You have 'reasonable certainty' a breach has occurred, not when you know full details
When notification required: If the breach is likely to result in a risk to people's rights and freedoms
When notification NOT required: If breach is unlikely to result in any risk to individuals - but must still record internally
Individual notification: Required without undue delay if risk to individuals is HIGH
Legislation: UK GDPR Articles 33 and 34

Required notification content (Article 33(3))

Nature of the breach (what happened)
Categories and approximate numbers of individuals affected
Categories and approximate numbers of records affected
Name and contact details of your DPO or other contact point
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate harm

Phased reporting: If full information unavailable within 72 hours, report what you know and provide details later 'without undue further delay'
Internal record-keeping: ALL breaches must be documented (whether notified to ICO or not) for audit purposes
Penalty for notification failure: Up to £8.7 million or 2% of global annual turnover (whichever is higher)

Report a breach to the ICO

How to respond to a data breach

When you discover or suspect a breach, follow these steps immediately. The 72-hour clock starts when you have reasonable certainty that personal data has been compromised - not when you know all the details.

1

Step 1: Contain the breach

Take immediate action to stop the breach and limit damage. This might mean disabling compromised user accounts, isolating affected systems, recovering lost devices, or blocking unauthorised access. Do not wait until you understand everything - act first.
2

Step 2: Assess what happened

Investigate to establish: what personal data was involved, how many individuals are affected, what caused the breach, and what harm could result. Consider whether data was encrypted or otherwise protected. You do not need complete answers to proceed - the ICO expects you to report early and update later.
3

Step 3: Decide if ICO notification is required

Ask: is the breach likely to result in a risk to people's rights and freedoms? If yes, you must notify the ICO within 72 hours. If the breach is unlikely to result in any risk (for example, encrypted data was lost but the encryption key is secure), you do not need to notify - but you must still document the breach internally.
4

Step 4: Notify the ICO (if required)

Use the ICO's online breach reporting tool at ico.org.uk, or call 0303 123 1113 during office hours. You must provide: the nature of the breach, categories and numbers of people affected, your DPO or contact point details, the likely consequences, and the measures you are taking. If you cannot provide all details, report what you know and provide updates later.
5

Step 5: Notify affected individuals (if high risk)

If the breach is likely to result in a HIGH risk to individuals' rights and freedoms, you must notify them directly without undue delay. Use clear, plain language. Tell them what happened, the likely consequences, what you are doing about it, and what they can do to protect themselves.
6

Step 6: Document the breach

Record the breach in your internal breach register, regardless of whether you notified the ICO. Document: the facts of the breach, its effects, the remedial action taken, and your reasoning for whether to notify. The ICO can ask to see this record during an audit.
7

Step 7: Review and improve

After the immediate response, conduct a post-incident review. Identify what went wrong, whether existing controls failed, and what changes will prevent recurrence. Update your security measures, policies, and staff training as needed.

When you must notify the ICO

You must report a breach to the ICO within 72 hours if it is likely to result in a risk to people's rights and freedoms. This includes risks of:

Financial loss or fraud (for example, if bank details were exposed)
Identity theft (for example, if passport numbers or national insurance numbers were accessed)
Discrimination (for example, if health or religious data was disclosed)
Reputational damage (for example, if embarrassing information was leaked)
Physical harm (for example, if home addresses were disclosed to an abuser)
Significant distress or anxiety

When in doubt, notify. The ICO prefers organisations to report breaches that turn out to be less serious than expected, rather than fail to report breaches that cause harm.

When you do not need to notify the ICO

You do not need to report a breach if it is unlikely to result in any risk to individuals' rights and freedoms. Examples include:

A lost device where the data was encrypted with a strong encryption key that was not compromised
An email sent to the wrong internal colleague who immediately deleted it without reading
Accidental deletion of data that was immediately recovered from backup with no exposure
A breach affecting data that was already publicly available

Important: Even if you do not need to notify the ICO, you must still document the breach internally. The ICO can audit your breach records to check you are making appropriate decisions about notification.

Notifying affected individuals

If the breach is likely to result in a high risk to individuals, you must notify them directly - not just the ICO. This is a higher threshold than ICO notification. You must notify individuals when the breach could seriously affect their everyday life, safety, or finances.

What to tell affected individuals

Your notification must be in clear, plain language and include:

A description of what happened (in general terms)
The name and contact details of your Data Protection Officer or another contact point
The likely consequences of the breach
What you are doing to address the breach and mitigate harm
What they can do to protect themselves (for example, changing passwords, monitoring bank statements, being alert to phishing)

When you do not need to notify individuals

You may not need to notify individuals directly if:

You have applied technical measures (such as encryption) that render the data unintelligible to anyone without the key
You have taken subsequent measures that ensure the high risk is no longer likely to materialise
Individual notification would involve disproportionate effort - in which case you must make a public communication or similar measure that informs people equally effectively

The 72-hour rule: what if you cannot investigate in time?

You do not need a complete picture before reporting. If you cannot fully investigate within 72 hours, the ICO expects you to:

Report what you know - Submit an initial report with the information you have
Explain what you are still investigating - Tell the ICO what information is still being gathered
Provide updates without undue delay - Submit further information as your investigation progresses

The ICO actively encourages this "report early, update later" approach. It is better to report on time with partial information than to delay until you have complete details.

If you miss the 72-hour deadline: You must still report the breach and explain why notification was delayed. Document the reasons for the delay carefully.

Penalties for failing to report

Failure to notify a reportable breach to the ICO can result in significant fines. Breach notification failures fall under the standard penalty tier.

UK GDPR maximum fines scale

Two-tier penalty structure under UK GDPR Article 83 and DPA 2018 Section 157.

The ICO can issue administrative fines under UK GDPR Article 83 and DPA 2018 Section 157. There are two tiers of maximum fines depending on the type of infringement.

Higher tier maximum: £17.5 million or 4% of annual worldwide turnover, whichever is HIGHER
Higher tier applies to: Breaches of data protection principles (Article 5), lawful basis requirements (Articles 6, 7, 9), data subject rights (Articles 12-22), unlawful international transfers (Articles 44-49)
Standard tier maximum: £8.7 million or 2% of annual worldwide turnover, whichever is HIGHER
Standard tier applies to: Failure to comply with controller/processor obligations, processing children's data incorrectly, certification failures, breach notification failures

Infringements attracting higher tier fines (£17.5m / 4%)

Breaching data protection principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, accountability)
Processing without valid lawful basis
Failing to obtain valid consent where required
Processing special category data without a valid condition
Failing to respect data subject rights (access, rectification, erasure, portability, objection)
Unlawful transfers of personal data to third countries

Infringements attracting standard tier fines (£8.7m / 2%)

Failure to comply with controller or processor obligations under Chapter IV
Processing children's data incorrectly (Article 8)
Failure to notify data breaches to ICO within 72 hours
Failure to notify individuals of high-risk breaches
Failure to comply with certification requirements

Multiple infringements: For same or linked processing operations, total fine cannot exceed amount for gravest infringement
Unlinked operations: Separate fines for unlinked operations can exceed statutory maximum when summed
ICO approach: Fines should be effective, proportionate, and dissuasive in each individual case
Legislation reference: UK GDPR Article 83, DPA 2018 Sections 155-157

ICO fining guidance

ICO enforcement actions

In practice, the ICO is more likely to take enforcement action if:

You failed to report a serious breach
You significantly delayed notification without good reason
You failed to notify affected individuals when required
You do not have adequate breach detection or response procedures
The same type of breach has happened before and you did not learn lessons

The ICO considers cooperation and prompt notification as mitigating factors when deciding on enforcement action.

Keeping breach records

UK GDPR Article 33(5) requires you to maintain records of all personal data breaches, whether or not you reported them to the ICO. Your breach register should include:

The date and time the breach was discovered
A description of what happened
The categories and approximate number of individuals affected
The categories and approximate number of records affected
The likely consequences of the breach
The measures taken to address and mitigate the breach
Whether the breach was reported to the ICO (and if not, why not)
Whether affected individuals were notified

The ICO can request access to your breach records during an audit or investigation. Good records demonstrate that you are taking data protection seriously and making appropriate decisions about notification.

Preparing before a breach happens

The 72-hour deadline is tight. Preparing in advance will help you respond quickly and meet your obligations.

1

Create a breach response plan

Document who is responsible for breach response, how breaches should be reported internally, and the steps to follow. Make sure key staff know where to find this plan.
2

Set up a breach register

Have a template or system ready to record breaches. Include all the fields required by Article 33(5) so you can capture information quickly.
3

Identify your ICO contact point

Know who will be responsible for liaising with the ICO. This is usually your Data Protection Officer if you have one, or a nominated senior person.
4

Train staff to recognise and report breaches

Employees are often the first to notice a breach. Train them to recognise potential breaches and report them immediately to the right person internally.
5

Keep contact information ready

Have ICO contact details, your DPO contact details, and templates for notifying individuals ready to use. You will not have time to create these during a breach.
6

Test your response

Run a practice scenario annually to check your plan works and staff know what to do. Update the plan based on lessons learned.

Responding to data breaches: legal requirements

Data protection for businesses

Data protection for healthcare providers

Report a cyber incident

Data protection annual compliance checklist

NHS Data Security and Protection Toolkit compliance

How to respond to a data breach

Step 1: Contain the breach

Step 2: Assess what happened

Step 3: Decide if ICO notification is required

Step 4: Notify the ICO (if required)

Step 5: Notify affected individuals (if high risk)

Step 6: Document the breach

Step 7: Review and improve

When you must notify the ICO

When you do not need to notify the ICO

Notifying affected individuals

What to tell affected individuals

When you do not need to notify individuals

The 72-hour rule: what if you cannot investigate in time?

Penalties for failing to report

Keeping breach records

Preparing before a breach happens

Create a breach response plan

Set up a breach register

Identify your ICO contact point

Train staff to recognise and report breaches

Keep contact information ready

Test your response

Related guides in Compliance & Legal

Data protection for businesses

Data protection for healthcare providers

Report a cyber incident

Data protection annual compliance checklist

NHS Data Security and Protection Toolkit compliance

How to respond to a data breach

Step 1: Contain the breach

Step 2: Assess what happened

Step 3: Decide if ICO notification is required

Step 4: Notify the ICO (if required)

Step 5: Notify affected individuals (if high risk)

Step 6: Document the breach

Step 7: Review and improve

When you must notify the ICO

When you do not need to notify the ICO

Notifying affected individuals

What to tell affected individuals

When you do not need to notify individuals

The 72-hour rule: what if you cannot investigate in time?

Penalties for failing to report

Keeping breach records

Preparing before a breach happens

Create a breach response plan

Set up a breach register

Identify your ICO contact point

Train staff to recognise and report breaches

Keep contact information ready

Test your response