Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business holds customer details, employee records or payment information, a data breach isn’t just stressful - it’s a legal and reputational risk you need to manage fast.
The good news? With a clear plan and an understanding of UK data breach reporting rules, you can respond confidently, reduce harm and meet your legal obligations.
In this guide, we break down what counts as a data breach under UK law, when you must report to the ICO, when to notify individuals, and the practical steps to follow. We’ll also cover the documents and processes that help you stay protected from day one.
What Is A Personal Data Breach Under UK Law?
Under the UK GDPR and the Data Protection Act 2018, a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. It’s broader than just “hacking” - it includes mistakes like emailing customer data to the wrong person or losing an unencrypted laptop.
Common examples for small businesses include:
- Sending a spreadsheet of customer emails and addresses to an incorrect recipient
- Ransomware encrypting your CRM or booking system
- Staff sharing login credentials that are then misused
- Disclosing health information to the wrong staff member
- Publishing an online document that accidentally contains personal data
A quick note on scope: UK GDPR applies to any organisation that determines the purpose and means of processing personal data (a “controller”). If you’re processing data on behalf of someone else as a “processor”, you still have strict duties - including a duty to notify the controller without undue delay if you suffer a breach.
Two principles drive your response:
- Security of processing - take appropriate technical and organisational measures (think encryption, access controls, staff training, backups).
- Accountability - be able to demonstrate how you comply (written policies, training records, risk assessments and breach logs).
Do You Need To Report The Breach To The ICO?
Not every breach is reportable, but many are. You must report a personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it if it is likely to result in a risk to the rights and freedoms of individuals.
In practice, ask yourself: could the breach lead to harm such as identity theft, financial loss, discrimination, reputational damage, loss of confidentiality (especially for children or special category data), or other significant effects on individuals?
Three quick rules to keep in mind:
- 72-hour clock - it starts when you become aware of the breach, not when it occurred. If you miss the deadline, you still need to report and justify the delay.
- Risk threshold - if there’s likely risk to people, report to the ICO. If there’s no likely risk, you don’t need to report, but you must still document it internally.
- Processors - if you’re a processor, you must notify the controller without undue delay so they can decide on ICO reporting and notification to individuals.
Don’t forget sector-specific rules. For example, electronic communications services may also have additional duties under PECR (Privacy and Electronic Communications Regulations). If you’re unsure about the risk threshold, document your assessment and seek advice - the accountability principle expects you to show your working.
Who Must Be Notified, And When?
There are two potential notifications following a personal data breach in the UK: to the ICO and to the affected individuals. These are separate decisions with different thresholds.
1) ICO Notification (Within 72 Hours)
Report if there’s likely risk to individuals. If you don’t yet have all the facts, you can submit an initial report and follow up as more information becomes available.
2) Notification To Individuals (Without Undue Delay)
You must inform affected individuals “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than the ICO report. If data was strongly encrypted and the key is safe, you may decide individuals don’t need to be notified. If the risk is high - for example, unencrypted financial data or health information was exposed - you should contact people promptly and explain what happened and what they can do.
Your message to individuals should be clear, in plain English, and include practical steps to protect themselves (e.g. password resets, enabling MFA, credit monitoring). Avoid overly technical or defensive language - the goal is trust and transparency.
Step-By-Step Data Breach Reporting Process For SMEs
When something goes wrong, time and structure matter. Here’s a practical flow you can adapt for your business.
1) Contain And Secure
- Isolate affected systems and revoke compromised credentials immediately.
- Switch to backups if needed; disconnect infected devices from the network.
- Preserve evidence (logs, emails, screenshots) for your investigation and any ICO questions.
2) Assemble Your Response Team
- Nominate a lead decision-maker (often your DPO or senior manager).
- Loop in IT support, legal, communications and the relevant business owner.
- If you work with external suppliers or processors, contact them for input and logs.
3) Assess The Breach
- What happened? When? How was it discovered?
- What types of personal data were involved (e.g. names, addresses, financial, health)?
- How many individuals are affected and in which locations?
- What are the potential consequences for those individuals?
- What security measures were in place (e.g. encryption, access controls)?
4) Decide On Notifications
- ICO: Is there likely risk? If yes, prepare to report within 72 hours.
- Individuals: Is there likely high risk? If yes, prepare clear communications and support.
- Partners: Do processors, insurers or key customers need to be informed under contract?
5) Prepare And Submit Your ICO Report
- Provide the nature of the breach, categories and approximate number of individuals and records affected.
- Describe likely consequences and measures taken or proposed to address the breach.
- Include your contact point/DPO details for follow-up.
- If information is incomplete, submit what you have and plan to provide updates.
6) Notify Individuals (If Required)
- Use plain, empathetic language and explain the incident.
- Set out what data was involved and the steps you’ve already taken.
- Provide practical advice (password resets, phishing awareness, credit checks).
- Offer a direct contact for queries.
7) Keep A Breach Log And Review
- Record all breaches (whether reported or not), your risk assessment and decisions.
- Review what went wrong and update policies, controls and training.
- Consider whether further measures are needed (e.g. MFA, encryption at rest, supplier changes).
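As an added illustration of the decision points in steps 3 to 7, the following Python breach-register helper computes the 72-hour ICO clock from the time of awareness (not the time of occurrence), applies the "risk" and "high risk" thresholds, handles the processor case and the missed-deadline case, and appends each decision to a log. This is example code written for this guide, not Sprintlaw's or the ICO's tooling; the risk heuristic, the data category names, the sample breaches and the timestamps are constructed assumptions, and the real assessment remains a human judgement that you document.

```python
"""Breach-register helper (added example, not Sprintlaw's or the ICO's tool).

Encodes the decision flow from the step-by-step process: the 72-hour ICO
clock runs from awareness; "likely risk" means report to the ICO; "likely
high risk" additionally means notify individuals; a processor notifies the
controller instead. The risk heuristic below is an assumption standing in
for the case-by-case assessment a person still has to make and record.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum

ICO_WINDOW = timedelta(hours=72)

# Assumed category labels that raise the stakes (financial, health, special category)
SENSITIVE = {"financial", "health", "special_category"}


class Risk(Enum):
    NONE = "no likely risk"      # document internally only
    RISK = "likely risk"         # report to the ICO
    HIGH = "likely high risk"    # report to the ICO and notify individuals


@dataclass
class Breach:
    ref: str
    occurred_at: datetime          # when the incident happened
    aware_at: datetime             # when you became aware: this starts the clock
    data_categories: set[str]
    individuals: int
    encrypted: bool = False        # was the data strongly encrypted?
    key_safe: bool = True          # is the encryption key still confidential?
    we_are_processor: bool = False # acting on a controller's behalf?
    log: list[str] = field(default_factory=list)


def ico_deadline(b: Breach) -> datetime:
    """72 hours from awareness, not from occurrence."""
    return b.aware_at + ICO_WINDOW


def assess_risk(b: Breach) -> Risk:
    """Assumed heuristic, deliberately conservative; a human makes the final call."""
    if b.individuals == 0:
        return Risk.NONE
    readable = not (b.encrypted and b.key_safe)
    if readable and b.data_categories & SENSITIVE:
        return Risk.HIGH               # e.g. unencrypted financial or health data
    return Risk.RISK                   # encrypted-with-key-safe lowers the individual-notification need


def decide(b: Breach, now: datetime) -> dict:
    """Return the notification decisions at time `now` and append to the breach log."""
    risk = assess_risk(b)
    deadline = ico_deadline(b)
    controller_duties = not b.we_are_processor
    decision = {
        "risk": risk,
        "notify_controller": b.we_are_processor,           # without undue delay
        "notify_ico": controller_duties and risk is not Risk.NONE,
        "notify_individuals": controller_duties and risk is Risk.HIGH,
        "ico_deadline": deadline,
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        # Missing the window does not remove the duty: report and justify the delay.
        "late_report": controller_duties and risk is not Risk.NONE and now > deadline,
    }
    b.log.append(f"{now.isoformat()} {b.ref}: {risk.value}; ICO deadline {deadline.isoformat()}")
    return decision


# Constructed sample breaches (not real incidents)
_T0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)   # assumed awareness time

LOST_LAPTOP = Breach("BR-001", _T0 - timedelta(days=2), _T0,
                     {"name", "email", "health"}, 120, encrypted=True, key_safe=True)
MISSENT_SHEET = Breach("BR-002", _T0, _T0, {"name", "address", "financial"}, 45)
AS_PROCESSOR = Breach("BR-003", _T0, _T0, {"email"}, 300, we_are_processor=True)


def example_decisions() -> dict:
    """Run the three samples 10 hours after awareness, plus one late (80 hours) case."""
    now = _T0 + timedelta(hours=10)
    return {
        "laptop": decide(LOST_LAPTOP, now),
        "sheet": decide(MISSENT_SHEET, now),
        "processor": decide(AS_PROCESSOR, now),
        "late": decide(MISSENT_SHEET, _T0 + timedelta(hours=80)),
    }


if __name__ == "__main__":
    for name, d in example_decisions().items():
        print(name, d["risk"].value, "ICO:", d["notify_ico"],
              "individuals:", d["notify_individuals"], f"{d['hours_remaining']:.0f}h left")
```

The `occurred_at` field is kept separately from `aware_at` precisely because the clock is computed from the latter; the `late_report` flag is set rather than the report being skipped, matching the guidance that a missed deadline still requires a report with a justification.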
Having an approved Data Breach Response Plan makes this process much smoother. It sets roles, timelines and template messages so you’re not drafting from scratch under pressure.
What To Include In Your Report And Your Records
Your ICO report and internal records should demonstrate that you’ve handled the breach responsibly and in line with UK GDPR. Aim to capture:
- Timeline - when it occurred, when discovered, containment steps, notification dates
- Scope - categories of data, number of records, number of individuals affected
- Risk analysis - potential harm to individuals and how you assessed “risk” vs “high risk”
- Security measures - what was in place before and what you’ve changed since
- Communications - content of notices sent to the ICO and individuals
- Root cause - technical or human factors that contributed
- Lessons learned - process, policy and technical improvements
Keep these records as part of your accountability documentation alongside your Privacy Policy, DPIAs (where relevant), training logs and breach register. Good documentation helps if the ICO asks questions - and it also strengthens your compliance culture.
Don’t overlook other privacy tasks that often surface after a breach. For instance, individuals may exercise their rights (like subject access) in larger numbers. Make sure your team knows the deadlines for responding to a subject access request and how to handle identity verification securely.
Prevention, Contracts And Policies That Reduce Breach Risk
Preventing breaches (and limiting their impact) often comes down to your everyday hygiene - the technical controls you use and the legal foundations you put in place with staff and suppliers.
Technical And Organisational Measures
- Access control and MFA - restrict data to those who need it and require strong authentication.
- Encryption and backups - encrypt data in transit and at rest; test your restores regularly.
- Patch management - keep software up to date to close known vulnerabilities.
- Staff training and phishing drills - most incidents start with human error.
- Data minimisation - collect only what you need and set retention limits.
- Cookie and tracking compliance - ensure your website uses cookie banners that comply with PECR and UK GDPR transparency rules.
Contracts With Vendors And Processors
If you use cloud tools, marketing platforms, payroll services or IT providers, you’re sharing personal data with processors. You’re responsible for choosing providers with appropriate security and ensuring the right contractual protections are in place.
- Use a robust Data Processing Agreement with all processors covering security, breach notification, audits and sub-processing.
- Where you share data with other controllers, put a clear Data Sharing Agreement in place that sets roles and responsibilities.
- Map international transfers and document transfer tools (e.g. Addendum to the EU SCCs, IDTA) where relevant.
Core Privacy Documentation
- A clear, tailored Privacy Policy explaining what you collect, why, and individuals’ rights.
- Incident management playbook - your Data Breach Response Plan with roles, templates and timelines.
- Training and awareness program - short, regular sessions with real examples and reporting pathways.
- For a one-stop setup, consider a practical GDPR Package to cover your key compliance needs.
It can be overwhelming to know which documents you actually need - and which templates online you should avoid. Getting these drafted properly for your business will save you time in an incident and reduce the chance of fines or disputes with suppliers.
Common Mistakes In Data Breach Reporting (And How To Avoid Them)
- Waiting too long to investigate - the 72-hour ICO window is short. Nominate a lead and start the assessment immediately.
- Assuming “no harm” - even small errors can create risk depending on context (e.g. vulnerable customers, sensitive data). Document your reasoning.
- Not notifying individuals when required - if the risk is high, prompt and clear communication is a legal duty and a trust-builder.
- Underestimating supplier risk - a breach at your processor is your problem with your customers. Use a strong Data Processing Agreement and due diligence.
- Poor records - if it isn’t logged, it didn’t happen. Keep your breach log, decisions and remediation steps tidy and accessible.
- One-off training - people forget. Short refreshers and phishing simulations keep good habits front of mind.
Key Takeaways
- A “data breach” under UK GDPR includes any incident leading to accidental or unlawful loss, disclosure, alteration or access to personal data - not just cyber-attacks.
- You must report to the ICO within 72 hours if the breach is likely to result in a risk to individuals. Notify affected individuals without undue delay if there’s likely “high risk”.
- Follow a clear, documented process: contain, investigate, assess risk, decide on notifications, report, notify individuals (if required), and log everything.
- Essential paperwork strengthens compliance and speeds your response: a tailored Privacy Policy, a Data Breach Response Plan, and strong processor contracts like a Data Processing Agreement.
- Prevention matters: access controls, encryption, backups, staff training and compliant web tracking practices reduce breach likelihood and impact.
- Good documentation and timely decisions demonstrate accountability and reduce your legal and reputational exposure.
If you’d like help preparing a breach-ready privacy framework - from your Privacy Policy and processor contracts to your incident playbook - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.