Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
When a data breach happens, the clock starts ticking. As a UK business, you have strict legal deadlines for reporting certain incidents - and missing them can multiply the damage.
The good news? With a clear plan, you can hit the timelines, reduce risk and reassure customers and regulators that you’re on top of it.
In this guide, we’ll explain exactly how long you have to report a data breach under UK law, when you must tell the Information Commissioner’s Office (ICO), when you need to notify affected individuals, and how to work the 72-hour rule in real life.
What Counts As A Personal Data Breach?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, a “personal data breach” is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Personal data is any information that can identify a person (directly or indirectly), such as names, emails, addresses, phone numbers, customer IDs, IP addresses, HR files, payroll data, and even CCTV footage in some cases.
Common small-business examples include:
- Sending an invoice with customer details to the wrong email address
- Losing an unencrypted laptop or phone with client files on it
- Ransomware encrypting your customer database
- Staff accidentally changing data in a live system and corrupting records
- A web form exposing sign-ups publicly due to a misconfiguration
Not every incident must be reported to the ICO - but you must assess every incident promptly and keep an internal record of all breaches (reportable or not). Having a clear Data Breach Response Plan helps you triage quickly and consistently.
How Long To Report A Data Breach To The ICO Under UK GDPR
If a personal data breach is likely to result in a risk to people’s rights and freedoms (for example, risk of identity theft, financial loss, discrimination, distress or other harm), you must notify the ICO “without undue delay” and, where feasible, within 72 hours of becoming aware of the breach.
Key points for UK businesses:
- 72-hour deadline: The 72 hours start when you become aware that a personal data breach has occurred - not when you finish your investigation. If you can’t meet the 72 hours, you must notify as soon as possible and include your reasons for the delay.
- “Likely risk” threshold: If the breach is unlikely to result in risk to individuals, you don’t need to notify the ICO - but you still need to document the incident internally and be able to justify your decision.
- Phased reporting is fine: If you’re still investigating, you can submit an initial notification within 72 hours with the information you have and follow up with details as they become available.
- Content of the report: Explain what happened, the categories and approximate number of individuals and records affected, likely consequences, measures taken or planned, and contact details of your data protection lead.
Sector-specific rules can apply. For instance, providers of public electronic communications services have stricter timelines under the Privacy and Electronic Communications Regulations (PECR) and may need to notify within 24 hours. If you operate in a regulated sector (communications, health, finance, critical infrastructure), check whether other incident reporting regimes also apply alongside UK GDPR.
Do You Need To Notify Individuals? Timing And Thresholds
In addition to notifying the ICO, you may need to tell the individuals affected.
You must notify individuals “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms. High risk means the harm is more likely and/or more serious - think identity theft, fraud, or exposure of sensitive categories of data (such as financial details, health information or login credentials).
Practical guidance for small businesses:
- Act promptly: Once you identify a likely high risk, start preparing clear, plain-English communications. Don’t wait for a perfect picture if delay could cause further harm.
- What to include: Describe the nature of the breach, what data was involved, potential consequences, what you’ve done to address it, and simple steps people can take to protect themselves (e.g. password resets, fraud alerts).
- When you may not need to notify individuals: If you’ve implemented measures (like strong encryption) that render the data unintelligible, or you’ve taken steps that eliminate the high risk, direct notification may not be required. In some cases, a public communication may be appropriate where individual contact is disproportionate.
Even if you don’t need to notify individuals, you still need to keep full records internally. The ICO can ask to see your breach log and risk assessment - this is where a well-documented process really pays off.
Working The 72-Hour Clock: Processors, Weekends And Late Reports
The 72-hour window can feel tight. Here’s how to calculate it in tricky scenarios.
When Are You “Aware” Of A Breach?
You’re “aware” when you have a reasonable degree of certainty that a personal data breach has occurred. That might be when your IT provider confirms a misconfiguration exposed data, your staff report an email with personal data sent to the wrong recipient, or your security tools detect exfiltration of records.
If You’re A Processor
If you process personal data for another business (the controller), your duty is to notify the controller “without undue delay” after becoming aware of a breach. Your contract should require prompt notice, and you should have clear contact points to escalate urgently. The controller then decides whether to notify the ICO and individuals within their 72-hour window.
Make sure your contracts include a robust Data Processing Agreement so breach notification responsibilities, timelines and cooperation duties are crystal clear.
Weekends, Bank Holidays And After-Hours
The clock runs continuously - weekends and bank holidays don’t stop it. If you become aware of a breach on a Friday evening, you still need to aim to notify the ICO by Monday evening at the latest. If your internal processes can’t operate outside business hours, you’ll need to adjust them (for example, on-call contacts and escalation procedures) so you can meet the timeline.
Late Notifications
If you miss the 72-hour window, notify as soon as possible and explain the reasons for the delay. The ICO understands investigations take time, but they’ll expect to see that you acted promptly, assessed risk quickly and escalated appropriately. The worst outcome is silence - not a good look if customers are already raising concerns online.
A Simple Breach Response Plan For Small Businesses
When you’re juggling customers, suppliers and systems, it helps to have a simple, repeatable playbook. Here’s a practical approach you can adapt to your business size and risk profile.
1) Contain And Secure
- Stop the leak: revoke access, isolate affected systems, roll back misconfigurations, change credentials, disable compromised accounts.
- Preserve evidence: keep logs, note times, save emails - you’ll need this to understand what happened and demonstrate accountability.
2) Triage The Risk
- What personal data is involved? Identify categories (names, contact details, IDs, financial data, health, login details) and whether it was encrypted.
- Who is affected? Customers, staff, contractors - and how many, approximately?
- What is the likely impact? Identity theft, financial loss, discrimination, distress, reputational harm?
- Is it likely there’s a risk (ICO notification) or a high risk (individual notification)? Document your reasoning.
3) Decide On Notification
- ICO within 72 hours if risk is likely. If you don’t meet the threshold, document your decision and keep your breach log updated.
- Individuals without undue delay if high risk. Draft clear messages with practical steps for recipients, and prepare your customer support team for questions.
4) Communicate Clearly
- Use plain English, avoid jargon and be honest about what you know and what you’re doing next.
- Offer simple protective actions (password resets, MFA enablement, contacting banks or credit reference agencies).
- Provide a contact point for questions and complaints, and be ready for Subject Access Request deadlines if people ask for copies of their data or how it’s been used.
5) Fix, Learn And Document
- Address root causes: patch systems, retrain staff, tighten access controls, improve supplier oversight.
- Update your internal breach register, including facts, effects and remedial action.
- Review your Data Breach Response Plan so the next incident (if it happens) is handled even faster.
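To make the 72-hour clock and the triage decisions above concrete, here is an added example (not from the original article) of a minimal breach register in Python: it computes the ICO deadline from the moment of awareness with no pause for weekends or bank holidays, applies the “likely risk” and “high risk” thresholds, and records the reasoning so the decision can be justified later. The Risk ratings and the data_unintelligible flag are assumptions for illustration, not ICO terminology.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

ICO_WINDOW = timedelta(hours=72)  # UK GDPR: 72 hours from becoming aware

class Risk(Enum):
    UNLIKELY = "unlikely"  # no ICO report, but still record it internally
    LIKELY = "likely"      # report to the ICO within 72 hours
    HIGH = "high"          # report to the ICO and tell affected individuals

@dataclass
class BreachRecord:
    summary: str
    aware_at: datetime    # moment of reasonable certainty a breach occurred
    risk: Risk
    reasoning: str = ""   # why you rated the risk that way (the ICO may ask)
    data_unintelligible: bool = False  # e.g. strongly encrypted, keys not exposed

    def ico_deadline(self) -> datetime:
        # The clock runs continuously: no pause for weekends or bank holidays
        return self.aware_at + ICO_WINDOW

    def notify_ico(self) -> bool:
        return self.risk in (Risk.LIKELY, Risk.HIGH)

    def notify_individuals(self) -> bool:
        # High risk means telling people directly, unless the data is unintelligible
        return self.risk is Risk.HIGH and not self.data_unintelligible

    def status(self, now: datetime) -> str:
        if not self.notify_ico():
            return "record_only"
        hours_left = (self.ico_deadline() - now).total_seconds() / 3600
        if hours_left < 0:
            return "late_notify_with_reasons"  # still notify; explain the delay
        return f"notify_ico_within_{int(hours_left)}h"

def register_entry(rec: BreachRecord, now: datetime) -> dict:
    """Breach-register line: every incident is logged, reportable or not."""
    return {
        "summary": rec.summary,
        "aware_at": rec.aware_at.isoformat(),
        "ico_deadline": rec.ico_deadline().isoformat(),
        "notify_ico": rec.notify_ico(),
        "notify_individuals": rec.notify_individuals(),
        "status": rec.status(now),
        "risk_reasoning": rec.reasoning,
    }
```

A laptop lost at 18:00 on a Friday therefore has a deadline of 18:00 on the Monday, and the register entry shows the hours remaining when it was last reviewed.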
Prevention And Documentation: Contracts, Policies And Training
Staying compliant isn’t just about responding well - it’s also about reducing the chance of a breach and proving you acted responsibly. These practical steps make a real difference for SMEs.
Have The Right Policies And Notices
- A clear, accurate Privacy Policy shows customers how you collect and use personal data and helps align your teams on what’s permitted.
- If you use cookies or similar tracking, publish a transparent Cookie Policy and ensure your consent mechanism reflects your actual tracking setup.
- Bundle your core documents, procedures and training into a practical framework with a Data Protection Pack to keep everything consistent as you grow.
Get Contracts With Your Vendors Right
Most small businesses rely on cloud tools, MSPs and SaaS providers. If they process personal data for you, UK GDPR requires a written contract with mandatory clauses, typically delivered as a Data Processing Agreement. This should cover:
- Scope of processing and data security standards
- Breach notification - “without undue delay,” plus contact points and cooperation duties
- Sub-processor approvals and audit rights
- Assistance with data subject rights and deletion at end of contract
Train Your Team And Test Your Plan
Human error is still a leading cause of breaches. Short, regular training on phishing, secure sharing, strong passwords and escalation makes a big dent in risk. Run table-top exercises for your incident team so everyone knows how to meet the 72-hour deadline if something goes wrong.
Keep A Breach Register
UK GDPR requires you to record all personal data breaches, whether or not you notify the ICO. Your log should capture what happened, the assessment of risk and your actions. It’s your evidence that you took accountability seriously.
Over-The-Horizon Risks
New tools bring new risks. If your team is experimenting with AI or cloud storage, sense-check tools and configurations against your data protection obligations. If you’re assessing platforms, it may help to review guidance on whether popular services are GDPR compliant to inform your vendor choices and security setup.
Key Takeaways
- You have up to 72 hours to report a data breach to the ICO when it’s likely to result in a risk to people’s rights and freedoms - notify “without undue delay,” and explain any delay beyond 72 hours.
- You must notify individuals “without undue delay” when the breach is likely to result in a high risk to them, especially where sensitive data or financial harm is in play.
- The clock starts when you become aware of the breach, not when you finish investigating. Weekends and bank holidays don’t stop the clock.
- Processors must notify controllers without undue delay; make sure your contracts include a proper Data Processing Agreement with clear breach duties.
- Document everything. Keep a breach register and, where you decide not to notify, record your risk assessment and reasoning.
- Preparation pays off: a practical Data Breach Response Plan, clear policies like your Privacy Policy, and a tested escalation process will help you meet deadlines and limit harm.
- If you handle cookies or tracking, align your consent and disclosures with a proper Cookie Policy, and be ready to handle follow-on requests using solid processes for Subject Access Request deadlines.
If you’d like help assessing a breach, meeting your reporting deadlines or putting robust privacy foundations in place, reach out to our friendly team for a free, no-obligation chat on 08081347754 or team@sprintlaw.co.uk.