GDPR Data Breach Response: Your Legal Obligations
What you must do — and when — if personal data is lost, stolen, or exposed. Plain-English guide to your ICO reporting obligations.
What counts as a data breach?
Under UK GDPR, a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
This is broader than most people realise. It includes:
- A ransomware attack that encrypts customer records
- An employee emailing a spreadsheet of client data to the wrong person
- A laptop containing personal data being stolen or lost
- An attacker accessing your email account and reading client correspondence
- Accidentally deleting customer records without a backup
- A supplier who handles your data suffering their own breach
Important: not all breaches need to be reported
You must assess the risk to individuals. A breach that is unlikely to result in any risk to people's rights and freedoms does not need to be reported. But you must document it internally regardless.
The 72-hour rule
If a breach is likely to result in a risk to individuals, you must report it to the ICO within 72 hours of becoming aware of it.
Key points about this deadline:
- The clock starts when you — or anyone in your organisation — first becomes aware that a breach has occurred
- You don't need to have full information before reporting — report what you know and update the ICO as you learn more
- The 72 hours include weekends and bank holidays
- If you miss the deadline, explain why when you do report — the ICO takes timing into account
How to report to the ICO
Report online at ico.org.uk/report-a-breach. You'll need to provide:
- A description of what happened
- The categories and approximate number of people affected
- The categories and approximate number of records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
If you can't provide all of this within 72 hours, provide what you can and follow up with additional information as soon as possible.
When do you need to tell affected individuals?
If a breach is likely to result in a high risk to individuals' rights and freedoms, you must also notify the affected individuals directly — without undue delay.
High risk situations include:
- Financial data being accessed or stolen
- Health or medical information being exposed
- Data that could be used for identity theft or fraud
- Sensitive personal information being made public
Your internal documentation obligations
Regardless of whether you need to report to the ICO, you must keep an internal record of every personal data breach — including those you decide don't meet the reporting threshold.
Your breach log should include:
- The date the breach occurred and when you became aware
- A description of what happened
- The data involved and number of people affected
- Your assessment of the risk to individuals
- Whether you reported to the ICO and why or why not
- The steps taken to contain and remediate the breach
Prevention is better than response
The best GDPR breach response is the one you never have to make. Article 32 of UK GDPR requires businesses to implement appropriate technical measures to protect personal data — and the ICO points to Cyber Essentials as the baseline standard for what that means in practice.
Our 10-minute security assessment covers all five Cyber Essentials control areas and produces a documented report you can use as evidence of your Article 32 compliance work.
Find out where your business stands
Complete our 10-minute plain-English assessment and get a professional security report aligned to Cyber Essentials.
Start Your Free Assessment
£49 for the full report · No account required