Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Data breaches aren’t just a “big tech” problem - many small businesses hold personal data about customers, staff and suppliers, which makes you a target too.
If something goes wrong (a lost laptop, a misdirected email, a hacked inbox), you may have a legal duty to notify the UK regulator and the people affected. The good news? With a clear plan and the right documents in place, data breach notification doesn’t have to be scary.
This guide explains when you must notify, what to say, deadlines, and how to build a simple, robust response process under UK law.
What Counts As A Personal Data Breach Under UK Law?
Under the UK GDPR and the Data Protection Act 2018, a “personal data breach” is any security incident that leads to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
That’s broad on purpose. It covers cyber attacks, but also everyday mistakes like sending information to the wrong person.
Common Examples For SMEs
- An employee emails a spreadsheet of customer names and addresses to the wrong client.
- A staff member’s laptop with unencrypted HR files is stolen from a car.
- Your inbox is compromised and invoices with bank details are accessed.
- A third-party service provider publishes an internal file that contains personal data.
- A misconfigured online form logs responses in a public folder.
Not all breaches need to be reported - but all must be assessed, documented and, where risk thresholds are met, notified within strict deadlines.
Do I Have To Notify The ICO? The 72-Hour Rule Explained
You must notify the Information Commissioner’s Office (ICO) of a personal data breach if it is likely to result in a risk to the rights and freedoms of individuals - for example, if the breach could cause harm like identity theft, financial loss, discrimination, distress, reputational damage or loss of confidentiality.
If notification is required, you must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If you miss the 72-hour window, you’ll need to explain the reason for the delay in your report.
When You Don’t Need To Notify The ICO
If, after assessment, the breach is unlikely to pose a risk to people’s rights and freedoms (for instance, the data was adequately encrypted and remains unintelligible), you don’t need to notify the ICO. However, you must still document the incident and your risk assessment.
Do I Need To Tell The Individuals Affected?
If the breach is likely to result in a high risk to people’s rights and freedoms, you must also communicate the breach to the affected individuals without undue delay. This is separate from the ICO notification and focuses on enabling people to protect themselves (e.g., changing passwords, monitoring accounts).
Think of it like this:
- Risk likely? Notify the ICO.
- High risk likely? Notify both the ICO and the affected people.
What To Include In A Data Breach Notification
When notifying the ICO, include as much of the following as you can (you can submit additional details later if you’re still investigating):
- A description of the nature of the breach - what happened and how it was discovered.
- The categories and approximate number of individuals and records affected.
- Likely consequences of the breach (e.g., risk of fraud, identity theft, distress).
- Measures taken or proposed to address the breach and mitigate harm (containment steps, fixes, staff training).
- Contact details for your data protection lead or point of contact.
When notifying individuals, keep it clear and practical. Explain what happened, what data was involved, what you’ve done, what they should do, and how they can contact you. Avoid technical jargon, downplaying the issue, or speculative statements you can’t support.
Step-By-Step: How To Handle A Data Breach In Your Business
Having a repeatable process will help you move fast, stay compliant and reduce harm. A simple, well-drafted Data Breach Response Plan makes this much easier.
1) Contain The Incident
- Isolate affected systems or accounts and revoke access where needed.
- Recover data where possible (e.g., recalling emails, removing public links).
- Preserve evidence for investigation and forensic analysis.
2) Assemble Your Response Team
- Nominate a lead decision-maker and involve IT, management and communications.
- Contact relevant suppliers if their systems are involved.
3) Assess The Risk Quickly
- What personal data was affected? (Names, contact details, IDs, financial info?)
- How sensitive is it, and who accessed it? (Authorised staff vs unknown third party)
- What’s the likelihood and severity of harm to individuals?
Document your reasoning - this underpins your decision to notify or not.
4) Decide Whether To Notify (ICO And/Or Individuals)
- Apply the “risk to rights and freedoms” test to the facts.
- If needed, notify the ICO within 72 hours and individuals without undue delay.
- If not needed, record your justification in your breach log.
5) Investigate And Remediate
- Fix underlying weaknesses (patches, access controls, training).
- Update policies and processes (including your Privacy Policy and security procedures).
- Brief staff on lessons learned to prevent recurrence.
6) Keep Records
- Maintain a breach register with incident details, assessments, outcomes and decisions.
- Retain copies of notifications and your remediation plan.
Controller Vs Processor: Who Must Notify Whom?
If you’re the “controller” (you decide the purpose and means of processing), you’re responsible for assessing breaches and notifying the ICO and individuals where required.
If you’re a “processor” (you process personal data on behalf of clients), you must notify the controller without undue delay after becoming aware of a breach. The controller then decides whether regulators and individuals should be informed. Your contract should set out these obligations - that’s where a tailored Data Processing Agreement is essential.
Where two independent businesses share data, a clear Data Sharing Agreement can help map roles and responsibilities, including who leads if there’s a breach.
How To Reduce The Chance (And Impact) Of A Breach
You can’t eliminate every risk - but you can make breaches less likely and less harmful. Focus on simple, high-impact steps first.
Start With The Basics
- Map what personal data you hold, where it lives, and who can access it.
- Use multi-factor authentication and strong access controls for email, cloud and payroll.
- Encrypt portable devices and sensitive datasets.
- Train staff on phishing, safe sharing and incident reporting.
- Use reputable tools and configure them properly - especially cloud storage and document sharing.
If your team relies on cloud tools, it’s worth understanding the practical data protection issues around services like Google Drive and GDPR compliance.
Get Your Paperwork In Order
- Put a clear, tailored Privacy Policy on your website - it sets expectations and builds trust.
- Ensure your cookie tools are configured for consent - this includes using cookie banners that comply with PECR and UK GDPR.
- Have robust contracts in place with suppliers that touch personal data, including a Data Processing Agreement with processors.
- Create and test a lightweight Data Breach Response Plan so your team knows exactly what to do on day one of an incident.
Plan For Data Rights Requests
Breaches often trigger more data rights requests (e.g., “what data do you hold about me?”). Make sure you can recognise and respond to a Subject Access Request within the legal timeline. This quick primer on SAR deadlines is useful, and knowing when limited SAR exemptions might apply can help your team manage workload appropriately.
Budget For Compliance
Most UK businesses must pay a small annual ICO data protection fee unless exempt. Understanding the rules around ICO fee exemptions will help you stay on top of this and avoid penalties.
Key Timelines And Pitfalls To Avoid
Timelines That Matter
- Notify the ICO: without undue delay and within 72 hours of becoming aware, if risk is likely.
- Notify affected individuals: without undue delay if high risk is likely.
- Record-keeping: document every incident and decision, even if you don’t notify.
Common Pitfalls
- Waiting for “complete certainty” before notifying. You can submit an initial report and follow up as facts are confirmed.
- Underestimating risk because the dataset “seems small.” Sensitivity matters more than size.
- Not involving suppliers promptly, or assuming they’ll notify the ICO for you. Controllers retain legal duties.
- Incomplete notifications that skip practical advice for individuals - always include clear steps they can take.
- Poor internal communication - if your team doesn’t know how to escalate an incident, you’ll lose precious time.
FAQs: Practical Questions We Hear From Small Businesses
What If We’re Not Sure Whether The Threshold Is Met?
Make a quick, reasoned assessment and document it. If in doubt between “borderline risk” and “notify,” many businesses choose to notify the ICO to err on the side of transparency. You can mark information as provisional if your investigation is ongoing.
We Use A Marketing Platform - Who Notifies If It’s Hacked?
If the platform is processing your customer data as a processor, they must inform you without undue delay and provide details. You, as controller, decide whether to notify the ICO and individuals. Check your Data Processing Agreement - it should set out timelines and cooperation duties.
Does Encryption Mean We Never Have To Notify?
Encryption reduces risk, which may mean notification isn’t required if the data remains unreadable. But it’s not automatic - you still need to assess the facts (for example, were encryption keys compromised?).
What About Non-Personal Data Or Fully Anonymised Data?
UK GDPR applies to personal data. If you truly anonymised the dataset (not merely pseudonymised), it falls outside UK GDPR. However, true anonymisation is difficult - if data can be re-identified, you should treat it as personal data when assessing risk.
Do We Need A Data Protection Officer (DPO)?
Only certain organisations are required to appoint a DPO (for example, those conducting large-scale systematic monitoring or processing special category data on a large scale). Many SMEs instead appoint a data protection lead to coordinate incidents, training and compliance.
Do Cookie Incidents Count As Breaches?
Misconfigured analytics or advertising cookies can lead to unlawful tracking or unauthorised disclosure of personal data to third parties. If personal data is involved and there’s a risk to individuals, treat it as a potential breach, fix the configuration, and consider your notification duties. Strong consent tooling and compliant cookie banners reduce this risk substantially.
How To Get Ready Today (A Mini Checklist)
- Nominate a data protection lead and write a one-page escalation procedure.
- Deploy multi-factor authentication on email, CRM and payroll immediately.
- List your critical vendors and check contracts include a robust Data Processing Agreement.
- Publish a clear, accurate Privacy Policy and fix obvious cookie consent gaps.
- Prepare a concise Data Breach Response Plan and a simple internal incident log.
- Run a 30-minute team briefing on phishing, safe sharing and reporting near-misses.
If that list feels like a lot, don’t stress - prioritise the first three items and build from there. Getting your legal and technical basics in place will protect you from day one and make any future incident much easier to manage.
Key Takeaways
- Under UK GDPR, you must notify the ICO within 72 hours if a personal data breach is likely to risk individuals’ rights and freedoms - and notify affected people without undue delay if high risk is likely.
- Not every incident requires notification, but every incident requires prompt assessment and a written record of your decision and rationale.
- Clarity on roles matters: controllers decide on notification; processors must alert controllers without undue delay. Put this in a proper Data Processing Agreement.
- Prepare now with a Data Breach Response Plan, a tailored Privacy Policy and compliant cookie tools to reduce risk and stress on the day.
- Expect follow-on rights requests after a breach - stay on top of SAR timelines and know when limited exemptions apply.
- Budget for compliance and avoid penalties by understanding ICO fee exemptions and when the data protection fee applies.
If you’d like help setting up your response plan, reviewing your contracts or assessing a live incident, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.