Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Why Is Timely Data Breach Reporting So Important?
- What Counts as a “Notifiable” Data Breach Under UK GDPR?
- Who Is Responsible for Notifying the ICO of a Personal Data Breach?
- How Long Do You Have to Report a Data Breach? The 72-Hour Rule Explained
- What Details Must Be Included in Your ICO Breach Notification?
- What Happens After You Report a Data Breach to the ICO?
- Should Individuals Be Notified of a Data Breach?
- Tips for Minimising the Risk of a Notifiable Data Breach
- What Are the Consequences of Failing to Report a Notifiable Data Breach?
- Legal Support for GDPR Breach Reporting – How Sprintlaw Can Help
- Key Takeaways: Reporting a GDPR Breach to the ICO
Discover when and how your business must report a data breach to the ICO under the UK GDPR. Understand the criteria for notification, the vital 72-hour reporting window, what your notification must include, and steps you can take to stay compliant and protect your business from costly fines and reputational damage.
Why Is Timely Data Breach Reporting So Important?
No business owner likes the thought of a data breach – but in today’s digital world, they can happen to even the most careful organisations. Whether it’s a lost laptop, a phishing attack, or an accidental email sent to the wrong person, these incidents can expose personal data and pose a real risk to the people whose data you hold.
Under the UK GDPR and the Data Protection Act 2018, businesses have strict legal duties to keep personal data safe and to promptly report notifiable breaches to the Information Commissioner’s Office (ICO). The clock starts ticking as soon as you become aware of a serious breach – and you’ve only 72 hours to make your report.
Failing to meet these obligations can lead to hefty fines and damage to your reputation. In this guide, we’ll break down what counts as a notifiable breach, how to report it, what the ICO expects from your notification, and what happens next.
What Counts as a “Notifiable” Data Breach Under UK GDPR?
It’s not always obvious whether a particular incident means you need to report a GDPR breach to the ICO. Not every data incident triggers the duty to notify – so how do you decide?
The Two-Part Test: Should You Notify?
Ask yourself these two key questions:
- Does the incident involve personal data? – This means any information relating to an identified or identifiable living person, whether it identifies them on its own or in combination with other information you hold. If no personal data is involved, there is no GDPR notification duty (though you may have other obligations, for example under a contract).
- Is the breach likely to result in a risk to individuals’ rights and freedoms? – In practical terms, is it likely to lead to financial loss, identity theft, discrimination, loss of confidentiality, or other significant disadvantage for the people concerned? Unless the breach is unlikely to result in such a risk, you must notify the ICO. If you decide the risk threshold is not met and do not notify, record that decision and the reasons for it, because the ICO can ask to see your assessment later.
A “personal data breach” under GDPR means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This covers both deliberate attacks (like hacking) and accidents (like misdirected emails or lost paperwork). It is not limited to data leaving your control: a loss of availability also counts, so a ransomware attack that encrypts your customer records, or a failed system that leaves you unable to access personal data for a significant period, is a breach even if no data was taken.
If you’re unsure, the Sprintlaw guide to GDPR has more info on assessing your data protection duties.
Who Is Responsible for Notifying the ICO of a Personal Data Breach?
If your business is a data controller (the organisation that decides how and why personal data is processed), it’s your direct legal responsibility to report any notifiable breach to the ICO. This applies to sole traders, partnerships, limited companies, charities and other organisations that handle personal data.
If you’re a data processor (you process personal data on behalf of another business or client), you must alert the data controller without undue delay after becoming aware of a breach. The controller then decides whether the breach is notifiable and reports it to the ICO. The controller’s 72-hour clock (explained below) does not start until the controller becomes aware, so any delay on the processor’s side eats into the time the controller has to assess and report.
It’s vital to have clear internal processes in place for recognising and escalating breaches so you don’t miss a reporting deadline. Many larger organisations appoint a Data Protection Officer (DPO), but even the smallest businesses should have a named person who is responsible for GDPR compliance and who knows what to do when an incident is spotted.
If you’re not sure how your business is classified, read our guide on data roles and responsibilities.
How Long Do You Have to Report a Data Breach? The 72-Hour Rule Explained
If a breach is notifiable under the UK GDPR, you must report it to the ICO without undue delay and, where feasible, no later than 72 hours after becoming aware of it. You become “aware” when you have a reasonable degree of certainty that a security incident has occurred and that it has compromised personal data. A short, prompt investigation to establish whether a breach has actually happened is acceptable, but once you have that certainty the clock is running – you cannot pause it while you work out the full extent of the incident.
If you miss the 72-hour deadline, your notification must explain the reasons for the delay. An unjustified late report is itself a failure to comply with the UK GDPR and can lead to further penalties on top of any action over the underlying breach.
Here’s how the 72-hour reporting requirement works in practice:
- Start counting from the moment you become aware – not when the breach actually occurred
- Count the hours, not working days: a weekend or public holiday does not pause the deadline
- If your initial investigation isn’t finished, submit a notification with the info you have, then follow up with more details as they become available
- Delays must be justified and documented in your report
Any breach of security that meets the reporting criteria should be reported within 72 hours – don’t wait until all details are available.
For practical advice on creating a data breach response plan to help you stay on top of the deadline, check out our step-by-step guide.
What Details Must Be Included in Your ICO Breach Notification?
When reporting a personal data breach to the ICO, you’ll need to provide as much of the following information as you can:
- A description of the nature of the breach, including whether it was accidental or the result of a deliberate act (such as hacking or theft)
- The categories and approximate number of individuals affected (for example, customers, staff, or suppliers)
- The categories and approximate number of personal data records involved
- The name and contact details of your Data Protection Officer (if you have one) or other relevant contact point for follow-up
- A description of the likely consequences of the breach for individuals (think: risk of identity fraud, financial loss, reputational harm)
- A description of the measures you have taken, or propose to take, to deal with the breach – including efforts to mitigate any potential adverse effects
If you are missing some details at the time of initial notification, don’t panic – submit the report anyway and follow up as soon as you have more information.
The ICO provides an online breach reporting form, but you can also report by phone in urgent situations.
For more tips on putting together your notification, see our full article on data protection compliance.
What Happens After You Report a Data Breach to the ICO?
Once you’ve reported the breach, the ICO may:
- Ask for further details or clarification about the breach and your response
- Assess the seriousness of the breach
- Investigate whether your business had appropriate processes in place beforehand
- Evaluate your efforts to mitigate harm to affected people
- Consider whether the breach was preventable and whether your notification was timely and complete
The ICO may take enforcement action if it finds compliance failures – such as not having a proper privacy policy, delays in notification, or inadequate security measures – so it’s crucial to have your legal house in order.
Keep a record of all breaches (even minor ones) and your decisions around notification. Even if you don’t report a breach, the ICO may later ask for evidence of your assessment and response.
Should Individuals Be Notified of a Data Breach?
In addition to your duty to report a breach to the ICO, you may also have to notify affected individuals directly and without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
This means you may need to contact affected people and explain:
- What happened
- What information was affected
- What the risks are
- What you are doing to address the situation
- What steps they should take to protect themselves
There is no fixed number of hours for this, but the ICO expects you to do it as soon as you reasonably can, so that individuals can take steps to protect themselves – for example by changing passwords or watching for fraudulent transactions. There are limited exceptions: you do not have to contact individuals if the affected data was protected in a way that makes it unintelligible to anyone not authorised to access it (for example, it was properly encrypted and the key was not compromised), if you have since taken measures that mean the high risk is no longer likely to materialise, or if contacting people individually would involve disproportionate effort, in which case a public communication that is equally effective is required instead. Even where an exception applies, the ICO can still require you to notify individuals if it disagrees with your assessment.
Tips for Minimising the Risk of a Notifiable Data Breach
While you can’t always prevent every incident, strong data protection processes can reduce the likelihood and seriousness of breaches – and ensure you respond correctly if one happens.
- Train your staff – Make sure everyone knows how to spot, escalate, and respond to data breaches
- Document internal procedures – Have a clear data privacy workflow and reporting process in place
- Keep software and systems updated and data protected – Basic cyber security measures, such as prompt patching, access controls and encryption of laptops, phones and removable media, help prevent both accidental and malicious breaches. They also reduce the seriousness of an incident: a lost laptop whose disk is encrypted and whose key has not been exposed is far less likely to pose a risk to individuals than an unencrypted one
- Review contracts with suppliers and partners – Make sure everyone in your supply chain understands and complies with GDPR reporting duties
- Regularly review your privacy policies and response plans – This keeps your processes up to date as technology and risks change (see our Privacy Policy guide)
- Maintain detailed records – Document every breach, notification decision, and remedial step, even if the breach does not meet the ICO threshold
If you need extra guidance on how to set up these processes or review your contracts, Sprintlaw can assist with data protection packages tailored for UK businesses.
What Are the Consequences of Failing to Report a Notifiable Data Breach?
Notifying the ICO is not just a box-ticking exercise – failing to act quickly and transparently when required can bring serious consequences, including:
- Fines – The ICO has the power to impose significant financial penalties for non-compliance. Failing to report a notifiable breach, or reporting late without justification, is itself a breach of UK GDPR, and a fine for that failure can be imposed in addition to any penalty for the security shortcomings that led to the breach.
- Reputational damage – Customers, suppliers, and stakeholders expect organisations to take privacy seriously. Mishandling a breach can damage trust and affect your business relationships.
- Enforcement action – The ICO may order you to change your practices, put restrictions on how you use data, or take other actions to protect individuals’ rights.
By acting promptly, documenting your response, and being upfront with the ICO and affected people, you can reduce the fallout from a breach and show that your business takes its legal obligations seriously.
Legal Support for GDPR Breach Reporting – How Sprintlaw Can Help
Dealing with a data breach is stressful enough – you shouldn’t have to figure out GDPR reporting requirements on your own. At Sprintlaw, our team has extensive experience helping UK businesses navigate GDPR compliance, incident response, and breach notification obligations.
- We can help you assess whether you need to report an incident
- Draft or review your ICO breach notification
- Advise on communications with affected individuals
- Review your internal breach response processes and privacy policies
Don’t wait until after a breach to get advice – addressing your legal foundations now will save you time and trouble if the worst happens. Find out more about our support for Data Breach Response Plans and Data Protection Consultations.
Key Takeaways: Reporting a GDPR Breach to the ICO
- Apply the two-part test: breaches involving personal data and posing a risk to rights/freedoms must be reported to the ICO.
- Report notifiable breaches within 72 hours of becoming aware, even if all details are not yet available.
- Your notification should include what happened, who’s affected, consequences, and how you’re responding.
- The ICO may investigate your breach and your overall approach to data protection.
- Strong internal processes and up-to-date contracts can minimise your risk and ensure you’re ready to act fast.
- Failing to notify the ICO can lead to fines and reputational damage – prompt action protects your business and your customers.
- It’s always smart to get professional legal advice if you’re not sure what to do – both before and after a breach occurs.
If you have any questions about GDPR breach reporting or need support putting the right processes in place, you can reach our team at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.