Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If something goes wrong with personal data in your business, time starts ticking immediately.
Under UK law, some breaches must be reported fast - and getting those early decisions right can make the difference between a manageable incident and a costly regulatory headache.
In this guide, we’ll break down exactly how quickly a data breach should be reported, who you need to notify, and what to do in the crucial first 72 hours so your business stays compliant and protected.
What Counts As A Reportable Data Breach?
A “personal data breach” is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. That includes things like sending customer details to the wrong recipient, losing an unencrypted laptop, or a cyber‑attack that exposes staff records.
But not every incident must be reported to the regulator. Under the UK GDPR and the Data Protection Act 2018, you must assess the risks to people’s rights and freedoms. If a breach is likely to result in a risk to individuals (for example, risk of identity theft, financial loss, discrimination, or distress), it’s “notifiable” to the ICO. If the risk is low, you still need to record it internally, but you may not need to notify.
Quick Examples
- Mis-sent email with non-sensitive information to a trusted supplier: likely low risk - record internally, improve processes.
- Ransomware on your order database with encrypted backups and no evidence of exfiltration: risk assessment needed - may be notifiable depending on facts.
- Spreadsheet of customer addresses and card partials posted publicly: high risk - notify ICO and affected individuals.
It’s essential to keep a breach log regardless of severity. The ICO can ask to see it, and it demonstrates accountability.
How Quickly Should You Report A Breach In The UK?
The headline rule: if a breach is notifiable, you must report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
If you take longer than 72 hours, you’ll need to explain the reasons for the delay in your report. “Becoming aware” means you have a reasonable degree of certainty that a security incident has occurred and it has led to a personal data breach. You don’t need to have all the answers to notify - you can file an initial report and follow up with more detail as your investigation progresses.
Do Processors Have A Deadline Too?
Yes. If you process personal data on behalf of a client (you’re a “processor”), you must notify the client (the “controller”) without undue delay after becoming aware of a breach. The controller then decides whether the ICO and individuals need to be informed. Make sure your Data Processing Agreement sets clear notification timelines and points of contact.
What About Other Laws?
Sector-specific rules can add additional timelines (e.g. FCA, NIS Regulations for essential services/digital providers). If your breach involves electronic marketing data or cookies, consider obligations under PECR alongside UK GDPR.
Who Must You Notify - ICO, Individuals, Partners?
Three potential audiences may need to be notified, depending on the risk and your role.
1) The ICO (Regulator)
Notify the ICO within 72 hours for notifiable breaches. Use the ICO’s online form and provide as much information as you reliably can at the time.
2) Affected Individuals
If the breach is likely to result in a high risk to individuals’ rights and freedoms, you must inform them without undue delay. Your message should be in clear, plain language and tell people what happened, what data is impacted, the likely consequences, and what they can do to protect themselves (e.g. reset passwords, watch for phishing, contact their bank).
High risk often arises where special category data is involved, large volumes of data are affected, or the breach could expose individuals to fraud or harm. If you take effective measures that remove the high risk (e.g. strong encryption), you may not need to inform individuals, even if you still notify the ICO.
3) Contractual Partners (Controllers/Processors)
If you share data with suppliers or partners, check your contracts. Your Data Sharing Agreement and any Data Processing Agreement should set out who tells whom, in what timeframe, and who handles communications with the ICO and customers.
What To Do In The First 72 Hours
Those first three days can be hectic. Here’s a practical timeline that keeps you onside with UK GDPR while reducing harm.
Hour 0–12: Contain And Triage
- Secure systems, revoke access, isolate affected devices and accounts, and engage your IT team or incident response provider.
- Start your internal incident record: date/time discovered, who’s involved, what systems/data could be in scope.
- Assemble your response team: senior decision-maker, DPO/privacy lead, IT/security, communications, and legal.
- Activate your Data Breach Response Plan if you have one (if not, create a simple checklist now for future readiness).
Hour 12–36: Assess Risk And Decide On Notification
- Identify the categories and volume of personal data involved (names, contact details, financial data, special category data, children’s data, etc.).
- Assess the likelihood and severity of harm to individuals. Consider whether encryption or other controls were in place and effective.
- Decide if the breach is notifiable to the ICO. If the risk is “likely,” start drafting your report - you can update it later as facts firm up.
- If you’re a processor, inform the controller without undue delay and pass relevant facts promptly.
Hour 36–72: Prepare And Submit Notifications
- File the initial report to the ICO within 72 hours. If certain information is not yet available, say so and provide a timeline for updates.
- If there is a high risk to individuals, prepare clear communications to affected people and send them without undue delay.
- Prepare FAQs and a holding statement for staff and customer support so messaging is consistent and helpful.
- Plan any further remediation: password resets, forced logouts, patching, and monitoring for misuse.
Throughout, keep detailed notes. Documentation shows you acted quickly and responsibly - a key factor the ICO considers.
What To Put In Your Report (And Penalties For Delay)
Your ICO report should cover the key facts and your response. If you don’t have everything yet, submit what you know and follow up with additional information as soon as you can.
Essential Elements To Include
- What happened and when you became aware.
- Categories and approximate number of individuals and records affected.
- Likely consequences for individuals.
- Measures you’ve taken or propose to take to address the breach and mitigate harm.
- Contact details for your privacy lead or DPO.
- Whether affected individuals have been informed or will be informed, and how.
If You Miss The 72‑Hour Window
Explain the reasons for the delay in your submission. The ICO can take enforcement action for non-compliance, including reprimands, orders to take specific steps, and monetary penalties. Fines depend on severity, harm, and your overall accountability approach. Demonstrating prompt action, transparency, and solid remediation reduces risk.
Remember that GDPR timelines apply across other privacy rights too - for instance, you usually must respond to subject access requests within one month. A breach doesn’t pause those obligations, so plan resources accordingly.
Prepare Now: Policies, Contracts And Training
The easiest way to meet the 72‑hour deadline is to prepare before anything goes wrong. That way, you won’t be scrambling for answers or approval chains at the worst possible moment.
1) Put The Right Documents In Place
- Data Breach Response Plan: A clear playbook for roles, triage steps, decision criteria, and notification templates.
- Privacy Policy: Transparent notices build trust and reduce confusion when you need to contact customers.
- Data Processing Agreement: Mandatory where suppliers handle personal data for you, with breach notification clauses and security standards.
- Data Sharing Agreement: For controller-to-controller sharing, clarifying responsibilities and incident handling.
- GDPR Package: Policies and procedures covering data mapping, DPIAs, retention, and incident response so you’re protected from day one.
2) Tighten Your Technical And Organisational Measures
- Encrypt mobile devices and sensitive data at rest and in transit.
- Enable MFA, patch promptly, and monitor for suspicious activity.
- Limit access on a need‑to‑know basis and maintain an asset inventory.
- Set retention rules and securely delete data you no longer need.
3) Train Your Team And Run Tabletop Drills
- Staff should know how to spot phishing and how to escalate incidents quickly.
- Run a short simulation twice a year so everyone is confident about who does what in the first hours.
- Make it easy to report near‑misses - early flags save time later.
4) Keep Your Records In Order
- Maintain a central breach log, risk assessments, and decision notes for each incident.
- Have up‑to‑date supplier lists and data maps so you can quickly understand what’s at stake.
5) Look Beyond The Obvious
Don’t forget about web tracking and marketing data. Ensuring your cookie banners and consent settings are configured properly can reduce both breach risks and regulatory scrutiny if analytics data is involved in an incident.
Key Takeaways
- Report notifiable breaches to the ICO without undue delay and, where feasible, within 72 hours of becoming aware - late notifications must be justified.
- Inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Processors must notify controllers quickly; make sure your contracts (like a Data Processing Agreement) set clear timelines and responsibilities.
- You don’t need all the facts to notify - submit an initial report and follow up as your investigation develops.
- Preparation is everything: a clear Data Breach Response Plan, robust security, and staff training make the 72‑hour window achievable.
- Have core privacy documents in place - a user‑friendly Privacy Policy, appropriate sharing and processing contracts, and a practical compliance framework such as our GDPR Package.
If you’d like help setting up your breach response, reviewing contracts, or navigating a live incident, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no‑obligations chat.