Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If your business handles any personal data – even just names and email addresses – you need a clear plan for what happens if something goes wrong.
Data breaches can happen to any business, big or small. The key is knowing when a breach must be reported, who to tell, and how quickly you need to act under UK law.
In this guide, we break down when a data breach should be reported, how to assess risk, and the steps you can take to protect your business and meet your UK GDPR obligations.
What Counts As A Reportable Data Breach Under UK GDPR?
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, a “personal data breach” is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
In plain English: if personal data is exposed, changed, lost, or accessed by someone who shouldn’t have it, you may be dealing with a personal data breach.
Examples Small Businesses Commonly See
- Sending an invoice with customer details to the wrong email address
- A stolen laptop or phone containing unencrypted client data
- Malware or ransomware encryption making customer records temporarily unavailable
- Staff accidentally sharing a spreadsheet of employees’ personal information in a public folder
- Unauthorised access to your CRM due to a compromised password
Not every incident needs to be reported. The duty to report depends on the likely risk to people’s rights and freedoms (think: could this cause harm such as fraud, identity theft, discrimination, financial loss, distress, or reputational damage?).
Personal Data Vs. Other Information
Personal data is any information relating to an identified or identifiable person – names, emails, phone numbers, addresses, IP addresses, customer IDs, and so on. “Special category” data (like health data, biometric data, or information on religious beliefs) carries higher risk and often pushes incidents into reportable territory if breached.
Commercial information without a link to individuals (e.g., a product price list) isn’t personal data – though it may still be sensitive for business reasons. The UK GDPR reporting rules focus on personal data breaches.
Do You Need To Report Every Breach? The 72-Hour Rule And Thresholds
Here’s the headline rule: you must notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, if the breach is likely to result in a risk to individuals’ rights and freedoms.
If the breach is unlikely to result in risk, you don’t have to report to the ICO – but you must document it internally. Accountability is a core UK GDPR principle: you need a record of all breaches, your assessment, and your decision either way.
How To Decide If There’s “Likely Risk”
Ask these practical questions. If the answer is “yes” to one or more, you’re likely in reporting territory:
- Is the data sensitive (e.g., financial data, health information, login credentials, identity documents)?
- Is there a realistic risk of harm (e.g., fraud, identity theft, discrimination, embarrassment)?
- Is a large number of people affected, or is the impact on even a small number likely to be serious?
- Was the data unencrypted or easily readable by unauthorised parties?
- Are vulnerable individuals or children involved?
When You Must Notify Individuals Too
If the breach is likely to result in a high risk to individuals’ rights and freedoms, you must communicate the breach to those individuals without undue delay. This is separate from reporting to the ICO and focuses on helping people take steps to protect themselves (e.g., resetting passwords, monitoring bank statements).
High risk usually involves sensitive data, significant potential harm, or situations where the data is already in unauthorised hands. If you’ve implemented strong technical measures (like robust encryption) that render the data unintelligible, you may not need to notify individuals even if you report to the ICO.
What If You Can’t Get Everything Done In 72 Hours?
If you can’t supply all details within 72 hours, report what you can and provide additional information as it becomes available. The law recognises that incidents unfold fast – the important part is acting promptly and documenting your decisions and timelines.
Who Do You Tell - ICO, Individuals, Partners?
Who you notify depends on your role (controller or processor) and the nature of the incident.
If You Are The Controller
- Assess the breach promptly.
- If risk is likely, notify the ICO within 72 hours of becoming aware.
- If high risk is likely, notify affected individuals without undue delay.
- Document the breach, assessment, decision and any remedial steps.
If You Are The Processor
- You must notify the controller without undue delay once you become aware of a breach.
- The controller decides whether to notify the ICO and individuals.
- Cooperate with the controller’s investigation and containment steps.
What About Third Parties And Partners?
Your contracts should set out who informs whom, how fast, and what level of cooperation is expected. This is where a well-drafted Data Processing Agreement (for processors) or a Data Sharing Agreement (for controllers sharing personal data) becomes essential. Clear contractual duties help avoid finger‑pointing and delays when minutes matter.
Cross-Border Considerations
If you operate in both the UK and EU, you may have reporting obligations under the EU GDPR as well. The underlying principles are similar, but you’ll need to consider which supervisory authority is competent and whether notifications must be made in multiple jurisdictions. Seek tailored advice if you’re in this situation.
How To Assess, Contain And Document A Breach: A Step-By-Step Plan
A quick, structured response reduces harm and shows the ICO you’ve taken your obligations seriously. Build these steps into your incident response plan.
1) Identify And Contain
- Confirm what happened, when, and how you became aware.
- Stop the bleeding: revoke access, isolate affected systems, change credentials, disable compromised accounts.
- Preserve evidence for investigation and potential forensic analysis.
2) Assess The Impact
- What personal data is involved? Is it sensitive or special category?
- How many individuals and which categories (customers, employees, children)?
- Was the data encrypted? Could unauthorised parties read or misuse it?
- What harm might occur, and how likely is it?
3) Decide On Notifications
- Is risk likely? If so, notify the ICO within 72 hours where feasible.
- Is high risk likely? If so, notify affected individuals without undue delay.
- Tailor communications: plain language, what happened, what you’re doing, what people can do.
4) Document Everything
- Keep a breach register covering facts, effects, the risk assessment, decisions and timelines.
- Record your rationale if you decide not to notify the ICO.
- Note steps taken to prevent recurrence.
5) Remediate And Learn
- Patch vulnerabilities, retrain staff, update policies and contracts.
- Consider whether your Data Breach Response Plan needs a refresh.
- Review data minimisation and retention policies so you’re not holding more data than needed.
Practical Tip: Prepare Your Templates
Have draft templates ready for ICO notifications and individual communications. In a crisis, you don’t want to start from scratch. Your plan should also name your internal incident team, legal contact, and technical leads, with roles and handover steps if someone is on leave.
Common Breach Scenarios For SMEs (And How To Decide)
Let’s walk through scenarios small businesses encounter and how to approach the reporting decision.
Mis-Sent Email With Customer List Attached
You accidentally email a spreadsheet with names, emails, phone numbers and addresses to the wrong recipient. The file is unencrypted.
- Risk assessment: Personal data exposed; potential for nuisance, phishing or fraud.
- Decision: Likely risk. Notify the ICO within 72 hours. If the data enables targeted scams or identity theft (e.g., includes dates of birth), consider notifying individuals (high risk).
- Containment: Ask the recipient to delete and confirm in writing, but don’t rely on this alone to avoid notification.
Ransomware Encrypts Your CRM, No Exfiltration Evidence
Your CRM is encrypted by malware; logs show no data exfiltration, and the database at rest was encrypted.
- Risk assessment: Temporary loss of access to personal data can still be a breach (availability). If backup restoration is quick and no data left your systems, risk may be low.
- Decision: Possibly no ICO notification required if risk is unlikely, but document your analysis and evidence. If special category data was involved or downtime caused harm, reassess.
Employee Loses An Unencrypted Phone With Client Messages
A staff member misplaces a phone containing client communications and photos. No screen lock or MDM.
- Risk assessment: Unauthorised access likely; content might be sensitive.
- Decision: Likely risk (and potentially high risk). Notify the ICO and consider notifying individuals promptly with practical steps to protect themselves.
- Lesson: Enforce device encryption and MDM; restrict local storage.
Supplier Incident Affecting Your Customers
Your cloud provider suffers a breach impacting your customers’ personal data.
- Risk assessment: Depends on the data and exposure at your processor.
- Decision: As controller, you assess and decide on ICO and individual notifications. Your Data Processing Agreement should require prompt supplier notifications and cooperation.
Accidental Deletion Of Historical HR Files With Backups
An admin deletes archived HR files, but your backups restore them within hours.
- Risk assessment: Short-term availability issue, quickly resolved; low risk of harm to individuals.
- Decision: Unlikely risk, so no ICO notification, but record the breach and implement controls to prevent recurrence.
Prevention: Policies, Contracts And Compliance That Reduce Risk
No one can eliminate risk entirely, but strong preventative measures reduce the chance and impact of a breach – and demonstrate compliance to the ICO if an incident happens.
Get Your Policies In Order
- Publish a clear, accurate Privacy Policy that reflects what you collect, why, and for how long.
- Adopt a Data Breach Response Plan so roles, timelines and templates are ready.
- Maintain a sensible data retention schedule aligned with your legal obligations; this pairs well with guidance on data retention.
Harden Your Tech And Processes
- Encrypt data at rest and in transit; enforce MFA for systems holding personal data.
- Use MDM on laptops and phones; enable remote wipe and screen locks.
- Practice least‑privilege access; review permissions regularly.
- Train staff on phishing, secure sharing, and incident reporting.
- Test backups and disaster recovery; ensure you can restore quickly.
Tighten Contracts With Vendors And Partners
- Put a robust Data Processing Agreement in place with processors (cloud, payroll, marketing tools) covering breach notifications, security standards and cooperation.
- Use a Data Sharing Agreement where you share personal data with other controllers.
- Ensure your marketing tech and website tools are covered by a compliant Cookie Policy and that your consent mechanisms reflect best practice – see practical tips on cookie banners.
Be Ready For Individuals’ Rights
Breach fallout often includes an uptick in data rights requests (access, deletion, restriction). Make sure your team can recognise, log and respond to these quickly and lawfully – understanding the SAR deadlines will help you stay compliant under pressure.
Minimise The Data You Hold
If you don’t have it, it can’t be breached. Review what you collect and keep, and align it to what’s genuinely necessary for your purposes. Data minimisation and shorter retention windows reduce both risk and reporting burdens.
Plan, Test, Repeat
Run tabletop exercises. Simulate a mis-sent email, a ransomware event, or a supplier breach. Practising your response – from technical containment through to drafting notifications – turns a chaotic scramble into a controlled process.
Key Takeaways
- You must notify the ICO without undue delay (ideally within 72 hours) when a personal data breach is likely to pose a risk to people’s rights and freedoms. If high risk is likely, you must also notify the affected individuals.
- Not every incident is reportable – but every incident should be logged and assessed. Document your decision, evidence, and remediation steps to meet UK GDPR accountability duties.
- Controllers decide on notifications; processors must inform controllers without undue delay. Your contracts should clearly set out breach notification and cooperation duties.
- Act fast and follow a structured plan: contain, assess impact, decide on notifications, document, and remediate. Having a prepared Data Breach Response Plan saves precious time.
- Prevention matters: a clear Privacy Policy, strong security controls, and tight vendor agreements like a Data Processing Agreement and Data Sharing Agreement reduce both the likelihood and severity of breaches.
- Build capability for related compliance pressure (requests from individuals, cookie compliance, data retention). Align your processes with SAR timelines, an appropriate Cookie Policy, and sensible data retention rules.
If you’d like help assessing a breach, drafting notifications, or putting solid privacy documents and contracts in place, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.