Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, a data breach can feel like one of those “we’ll deal with it if it ever happens” issues.
But in reality, incidents happen to businesses of every size - from a misplaced laptop to a mis-sent email, a hacked mailbox, or a supplier compromise.
And when it happens, the key is acting quickly and calmly. UK data breach laws (mainly the UK GDPR and the Data Protection Act 2018) don’t expect perfection, but they do expect you to take security seriously, assess risks properly, and report when required.
In this guide, we’ll walk you through what UK data breach rules mean in practice for small businesses, what to do immediately after a breach, when you must report to the ICO, and how to reduce the risk of it happening again.
What Counts As A Data Breach In The UK?
Under the UK GDPR, a personal data breach is a security incident that leads to the accidental or unlawful:
- destruction of personal data
- loss of personal data
- alteration of personal data
- unauthorised disclosure of personal data
- unauthorised access to personal data
“Personal data” means information that relates to an identified or identifiable individual. That can include obvious things like names and email addresses, but also things like customer IDs, online identifiers (such as IP addresses, depending on the context), photos, recordings, and employee records.
Common Small Business Examples Of A UK Data Breach Scenario
When people hear “data breach”, they often picture a dramatic hacker attack. In reality, many breaches are basic day-to-day business mishaps, such as:
- Email mistakes: sending a customer list to the wrong recipient, or CC’ing instead of BCC’ing a mailing list.
- Lost devices: a stolen phone or laptop containing client details or access to business systems.
- Phishing and invoice scams: staff members tricked into giving login credentials or forwarding sensitive documents.
- Access control failures: ex-staff still having access to shared drives or CRM systems.
- Cloud misconfiguration: a shared folder set to “public” accidentally.
- Supplier compromise: your IT provider, payroll provider, or marketing platform gets breached and your customer data is exposed.
Even if you only hold a small amount of personal data, the legal obligations can still apply - especially if the data is sensitive (like health information) or could put someone at risk (like financial details or ID documents).
Why The Definition Matters
The reason it matters is simple: once you have a personal data breach, you need to move into “incident response” mode. That includes assessing risks, documenting what happened, and deciding whether you need to report to the Information Commissioner’s Office (ICO) and/or affected individuals.
If you’re unsure what you’re collecting and storing, it’s a good time to review your Privacy Policy so it matches what your business actually does in practice.
What Should You Do Immediately After A Data Breach?
The first 24–72 hours matter most. Under UK GDPR, you may have to notify the ICO within 72 hours of becoming aware of the breach (more on that below), so you want to be organised from the start.
Here’s a practical, small-business-friendly checklist.
1) Contain The Incident (Stop The Bleeding)
- Disable compromised accounts and reset passwords.
- Revoke access (especially for ex-staff, contractors, or third-party tools).
- Isolate affected devices from your network.
- Stop any unauthorised transfers or automated forwarding rules in email.
- Recover mis-sent information where possible (for example, asking the recipient to delete a document and confirm deletion).
If you use third-party suppliers who process personal data for you, this is also where your contractual setup matters. A properly drafted Data Processing Agreement can help clarify who does what (and how quickly) if there’s an incident.
2) Gather The Facts (Without Guessing)
You don’t need to have every detail on day one - but you should start recording what you know, including:
- what happened and when it was detected
- how it was detected (staff report, monitoring alert, customer complaint)
- what systems, devices, or accounts are involved
- the categories of personal data involved (names, emails, payment info, etc.)
- how many individuals may be affected (even if it’s an estimate)
- what steps you’ve already taken to contain it
A common mistake is trying to “solve” the issue before documenting it. In a stressful moment, it’s easy to forget timelines - and timelines are exactly what you’ll need if you end up reporting to the ICO.
3) Assess The Risk To Individuals
UK data breach laws focus heavily on the potential impact on individuals, not just on your business.
So you’ll need to ask questions like:
- Could someone suffer financial loss?
- Could there be identity theft or fraud?
- Could the breach cause distress, embarrassment, or harm?
- Is any special category data involved (health data, ethnicity, biometrics, etc.)?
- Is children’s data involved?
- Was the data encrypted or otherwise protected?
Even if the breach is “small” (say, one email), the impact could still be high depending on the type of data.
4) Start Your Internal Response Process
This is where having a documented process pays off. Many small businesses don’t need a huge corporate playbook - but you do want a clear plan for:
- who leads the response
- who investigates
- how decisions are made about ICO notification
- how you communicate externally
If you don’t already have one, putting a Data Breach Response Plan in place can help you respond faster and more consistently next time (and demonstrate accountability under UK GDPR).
Do You Have To Report A Data Breach To The ICO Within 72 Hours?
Not every breach must be reported - but some absolutely do.
Under the UK GDPR, you must notify the ICO without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach if the breach is likely to result in a risk to the rights and freedoms of individuals.
So the decision point is risk.
What Does “Becoming Aware” Mean?
You’re generally “aware” when you have a reasonable degree of certainty that a security incident has occurred that has compromised personal data.
That’s important because it means you don’t get to “pause the clock” while you wait for the perfect internal report. If a breach is suspected and there’s credible evidence, you should treat it seriously and start your assessment straight away.
When You’re More Likely To Need To Report
While every situation depends on the specific facts and risk assessment, reporting is more likely to be required where the breach involves:
- financial information (bank details, card details)
- identity data (passport scans, driving licence, National Insurance (NI) number)
- login credentials (particularly if they could be used to access accounts)
- special category data (health information, biometric data, etc.)
- large volumes of personal data
- children’s data
When You Might Not Need To Report (But Still Must Record It)
If the breach is unlikely to result in a risk to individuals, you might not need to notify the ICO. Examples could include:
- data was strongly encrypted and the key wasn’t compromised
- you recovered the data quickly and there’s a low likelihood of misuse
- the data was minimal and not sensitive, and you can justify low risk
However, even if you decide not to report, you should still document your decision and reasoning. Accountability is a big theme in UK GDPR compliance - it’s not enough to “do the right thing”; you also need to be able to show how you decided what to do.
What Information Does The ICO Expect In A Report?
In general terms, an ICO breach notification usually covers:
- a description of what happened
- the categories and approximate number of individuals affected
- the categories and approximate volume of personal data records involved
- the likely consequences for individuals
- the measures you’ve taken (or propose to take) to address the breach and reduce harm
- contact details for your business (and your data protection lead, if you have one)
If you can’t provide everything within 72 hours, you may be able to provide information in phases - but you should still report on time where required.
Do You Have To Tell Customers Or Clients About A Data Breach?
Sometimes, yes.
Under UK GDPR, if the breach is likely to result in a high risk to the rights and freedoms of individuals, you must communicate the breach to affected individuals without undue delay.
Think of it like this:
- Risk may trigger an ICO notification.
- High risk may trigger notification to the individuals affected.
What Should The Notification To Individuals Include?
The notification should be clear and in plain English (no legal waffle), and typically includes:
- what happened (in a way people can understand)
- what information was involved
- what the likely risks are for them
- what you’re doing to fix it
- what they can do to protect themselves (for example, resetting passwords, monitoring bank activity)
- how they can contact you for support
This is also a brand and trust moment. Even though it’s stressful, careful communication can reduce complaints and confusion, and shows you’re taking the incident seriously.
When You May Not Need To Notify Individuals
There are limited circumstances where you may not need to notify individuals even if the breach is serious - for example, if you’ve applied effective technical measures like encryption, or you’ve taken steps that mean the high risk is no longer likely to materialise.
These decisions can be nuanced. If you’re on the fence, getting tailored advice early can help you avoid under-reporting (which may lead to ICO scrutiny) or over-reporting (which may unnecessarily damage trust).
How Do You Prevent Another Data Breach (And Show You Take Compliance Seriously)?
Once the immediate firefighting is under control, the next step is making sure you don’t repeat the same problem - and that you can demonstrate good governance if the ICO ever asks questions.
This part is where small businesses can really strengthen their legal foundations.
Review The Root Cause (Not Just The Symptom)
It’s worth doing a short “lessons learned” review, including:
- Was it human error, poor training, lack of process, or malicious activity?
- Were permissions and access controls appropriate?
- Did the breach expose gaps in your security (e.g. no MFA, weak passwords, no device encryption)?
- Did your team know how to spot phishing or suspicious requests?
Fixing the root cause is what reduces your risk long-term - and it’s often what regulators look for.
Update Your Policies And Training
If staff use business systems, shared drives, email, or messaging apps, your internal rules matter. A clear Acceptable Use Policy can set expectations about passwords, device use, downloading files, and handling personal data.
And don’t forget training. Many breaches happen because staff weren’t confident about what to do when something looked suspicious (or because they were rushing and didn’t have a simple process to follow).
Check Your Contracts With Suppliers And Processors
If you outsource any function that involves personal data - like IT support, payroll, booking systems, email marketing, cloud hosting, customer support platforms - you should make sure your contracts reflect UK GDPR requirements.
That includes having the right clauses around security measures, breach notification timeframes, and cooperation if you need to investigate. This is exactly where a properly drafted Data Processing Agreement can make a practical difference, especially when the pressure is on.
Make Sure Your GDPR Documentation Is In Place
If your business collects and uses personal data (which most businesses do), you should have a baseline compliance set-up, including:
- up-to-date privacy notices
- lawful bases identified for processing
- data minimisation practices (only collect what you actually need)
- retention rules (don’t keep data “just in case”)
- a documented approach to responding to data subject requests
For many small businesses, putting a GDPR Package in place early helps you cover the essentials and reduce risk as you grow.
Review Your Data Retention Practices
One overlooked risk factor in a UK data breach situation is keeping too much data for too long. The more you store, the more you can lose.
If you’re not sure what’s reasonable, it helps to align internal processes with sensible data retention periods so personal data is regularly deleted or anonymised when you no longer need it.
Document Everything (Yes, Even The Near Misses)
Even if you don’t report to the ICO, keep an internal record of:
- what happened
- your risk assessment
- why you did or didn’t report
- what remedial actions you took
This documentation can help if the incident escalates later, if individuals complain, or if you see a pattern that suggests a bigger security issue.
Key Takeaways
- Under UK GDPR, a data breach can include lost devices, mis-sent emails, unauthorised access, or accidental disclosure - not just hacking.
- Your first priorities after a data breach are containment, fact-gathering, and a practical risk assessment focused on impact to individuals.
- You must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of a breach that is likely to create a risk to individuals’ rights and freedoms.
- You may also need to notify affected individuals without undue delay if the breach is likely to result in a high risk to them.
- Even if a breach isn’t reportable, you should still document what happened and why you decided not to report.
- Strong policies, supplier contracts, and GDPR documentation (including data retention practices) can reduce the chance of repeat incidents and show you take compliance seriously.
If you’d like help putting the right legal foundations in place for data protection - or you’re dealing with a data breach right now and need guidance on ICO reporting and next steps - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.