Key Takeaways
- You must report a personal data breach to the ICO within 72 hours of becoming aware of it if the breach is likely to result in a risk to individuals’ rights or freedoms.
- Late or incomplete notification to the ICO can lead to heavy fines, lost trust, and additional scrutiny.
- Not every data breach needs reporting under UK GDPR—use a structured triage checklist for clear decisions.
- Your ICO notification must include key details: the nature of the breach, data categories affected, number of impacted data subjects, and mitigation actions.
- If a breach may result in high risk to people, you also have a duty to inform those affected in clear, plain language (GDPR Article 34).
- Avoid common GDPR reporting pitfalls with a step-by-step process—and keep comprehensive records of every action taken.
- Thorough record-keeping and prompt breach reporting show accountability to the ICO and may lower potential penalties.
- Go-Legal AI gives you instant access to templates, guides, and AI-powered tools for quick, compliant ICO reporting.
- Incorrect or unclear breach reports can cause delays, missed obligations, or damage client and regulator trust.
- Go-Legal AI is rated Excellent on Trustpilot with over 170 five-star reviews from users.
How Do You Report a GDPR Breach to the ICO Within 72 Hours?
A data breach can strike any business, from startups to established SMEs. When it happens, the pressure to make the right decisions mounts quickly. Failing to report a GDPR breach on time—or omitting crucial details—can leave your business facing steep penalties and public loss of confidence.
Under UK GDPR, you must notify the Information Commissioner’s Office (ICO) of a reportable personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The process can seem daunting, but with the right tools and knowledge, you can respond efficiently and protect your organisation.
This expert guide cuts through the confusion: you’ll learn how to triage incidents, complete the ICO breach notification, and avoid the mistakes most businesses make. Go-Legal AI offers practical checklists and instant templates so you can take action confidently—without legal jargon or extra stress.
What Does Reporting a GDPR Breach to the ICO Mean?
Reporting a GDPR breach to the ICO means formally informing the UK’s data protection regulator that your organisation has suffered a personal data breach and is complying with your statutory duties. This process centres around:
- Identifying whether the breach is “notifiable” under Article 33, meaning it is likely to result in a risk to individuals’ rights and freedoms.
- Acting within the strict 72-hour deadline from when you become aware.
- Providing the ICO with full details using their official notification forms.
What Is a GDPR Breach—and When Must You Report One?
A personal data breach under UK GDPR is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. “Personal data” is any information relating to an identifiable individual: names, email addresses, payroll records, postal addresses, or even customer IP addresses.
Under UK GDPR, you only need to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. This covers risks like financial harm, reputational loss, or exposure of confidential or sensitive data.
Common Reportable Scenarios
- Accidentally emailing sensitive data to the wrong recipient.
- Losing an unencrypted company laptop with employee records.
- Suffering a cyberattack exposing customer details or passwords.
Breaches can be accidental or malicious, and they are not limited to data leaking out. A loss of availability, even a temporary one (for example, records encrypted by ransomware or a corrupted backup), is also a breach and may need reporting if it is likely to affect individuals.
Do I Need to Report This Data Breach? Quick Triage Checklist
To decide if your incident is reportable, follow this triage workflow:
- Has personal data been breached?
  – If not, GDPR breach reporting isn’t needed.
- Does the breach put people’s rights and freedoms at risk?
  – Assess whether the incident could cause financial, emotional, reputational, or privacy harm.
- Are you a data controller or a processor?
  – Controllers report to the ICO. Processors must notify their controller without undue delay; they do not report to the ICO themselves.
- Is the risk minimal or “unlikely”?
  – If so, notification isn’t required, but you must still document the incident, your reasoning, and any remedial action (Article 33(5)).
GDPR Breach Reporting Triage Table
| Question | Yes | No |
|---|---|---|
| Is personal data involved? | Proceed to risk assessment | No reporting required |
| Risk to individuals likely? | Report to the ICO; also inform individuals if the risk is high (Article 34) | Keep internal records |
| Are you the data controller? | You must report to the ICO | Notify your controller |
Understanding the 72-Hour GDPR Reporting Rule
Article 33 of the UK GDPR requires notifiable breaches to be reported without undue delay and, where feasible, within 72 hours of becoming aware of them. You are “aware” once you have a reasonable degree of certainty that a security incident has compromised personal data. Knowledge held by any member of staff counts, so slow internal escalation does not pause the clock, and the 72 hours include weekends and bank holidays. A short period of investigation to establish whether a breach has actually occurred is acceptable, but it must be prompt and documented.
You don’t need all the facts to meet the deadline. You must:
- Submit an initial notification as soon as possible, even if parts of the form are still unknown.
- Provide supplementary updates in phases as you learn more (Article 33(4)).
- If you report later than 72 hours, give the reasons for the delay in the notification.
How to Report a GDPR Breach to the ICO: Step-by-Step Guide
Follow this structured approach for effective GDPR breach reporting:
1. Confirm the Breach is Reportable
Use our AI triage tool or the checklist above to verify if your incident meets the ICO threshold.
2. Start Documenting Without Delay
Record every step from discovery—who found the breach, when, and what was done.
3. Gather All Necessary Information
Use the table below to prepare exactly what the ICO expects.
| Field | Key Details Required | Example |
|---|---|---|
| Discovery Date/Time | When breach was found | 10:30am, 7 January |
| Nature & Circumstances | How it happened | Phishing attack via email |
| Data Categories | Specific data types affected | Names, addresses, payment details |
| People Affected | Approximate numbers | 250 customers |
| Consequences | Types of risks/harm | Identity theft, stress |
| Mitigation Steps | Actions taken—containment and prevention | Reset passwords, notify clients |
| Contact Details | DPO or breach response lead’s contact details | dpo@yourcompany.co.uk |
4. Complete the ICO Notification Form Online
https://ico.org.uk/for-organisations/report-a-breach
5. Save and Keep All Evidence
Store a copy of your submission and related communications as your compliance record.
⚡ Get legal tasks done quickly
Create documents, follow step-by-step guides, and get instant support — all in one simple platform.
🧠 AI legal copilot
📄 5000+ templates
🔒 GDPR-compliant & secure
🏅 Backed by Innovate UK & Oxford
What Information Should You Include In Your ICO Notification?
The ICO needs clear, comprehensive information to handle your report efficiently. Missing details may prompt delays, follow-up queries, or a request for additional clarification.
| Required Information | What It Means | Why It’s Important |
|---|---|---|
| Nature of the Breach | Description of the incident | Informs ICO risk assessment and advice |
| Data Categories | e.g., financial, health, contact data | Determines severity and required next steps |
| Number of Individuals | Approximate count of those affected (and of records) | Helps establish the scale of the breach |
| Likely Consequences | The harm the breach could cause, e.g. fraud, identity theft, distress | Drives the ICO’s risk assessment and whether individuals must be told |
| Mitigation Steps | Actions taken or proposed to contain the breach and limit its effects | Demonstrates proactive risk minimisation |
| Contact Details | Responsible staff or DPO | Enables prompt ICO correspondence |
When Must You Notify Affected Individuals (Article 34)?
You are obliged to notify individuals if the breach is likely to result in high risk to their rights and freedoms. High risk includes unauthorised disclosure of sensitive information (e.g., health, financial, or ID data) that could lead to fraud or harm.
Notification Guidelines
- Communicate promptly, using clear and plain language.
- Contact people directly (email, post, or phone) wherever you can; a public notice is only acceptable where contacting individuals one by one would involve disproportionate effort.
- Include these details:
  - What has happened and when
  - What personal data is affected
  - The likely consequences for them
  - Your containment/remediation steps
  - Advice on what they should do next (for example, resetting passwords or watching for phishing that references the incident)
  - A contact point, such as your DPO
- You do not have to notify individuals where the data was unintelligible to anyone who obtained it (for example, properly encrypted data whose keys were not compromised), or where measures you have since taken mean the high risk is no longer likely to materialise. Record that reasoning in your breach log.
What Happens After You Report a GDPR Breach to the ICO?
Once you submit a GDPR breach notification, the ICO will:
- Acknowledge receipt and assign a reference
  – A confirmation with a case reference will be sent.
- Review your submission and mitigation efforts
  – The ICO checks for adequate information, a sound risk assessment, and prompt action.
- Request more information if needed
  – If details are missing, expect a follow-up, so initial completeness is key.
- Determine next steps
  – Most incidents result in practical guidance. Serious breaches may be formally investigated, leading to a reprimand, an enforcement notice, or a fine.
Common GDPR Breach Reporting Mistakes and How to Avoid Them
| Mistake | Why It’s a Problem | How to Prevent It |
|---|---|---|
| Reporting late | Increases risk of fines and warnings | Prepare now with incident response plans and templates |
| Skipping required information | Delays investigation and prolongs stress | Use a full GDPR checklist for every submission |
| Failing to record decisions | Weakens regulatory audit trail | Keep detailed records for all stages and actions |
| Confusing controller/processor | May lead to non-compliance | Know your role and follow correct protocol |
| Underestimating individual risk | Misses crucial notifications | Assess and document impact systematically |
Smarter Record-Keeping and Accountability: Protect Your Business
The UK GDPR expects organisations to prove—through robust records and processes—that they act responsibly at every stage.
Best Practices
- Log when and how each breach is discovered.
- Keep a structured trail of all actions and risk assessments.
- Save all communications, including ICO correspondence and notices to individuals.
- Record every breach, including those you decided not to report, with the facts, its effects, and the remedial action taken (Article 33(5)). UK GDPR sets no fixed retention period; six years is a common benchmark, in line with the general limitation period for civil claims.
How Go-Legal AI Makes GDPR Breach Reporting Simple
- Access step-by-step breach guides tailored for startups and SMEs.
- Use our AI-powered risk triage to instantly check if your incident is reportable under UK GDPR.
- Complete lawyer-drafted Article 33 (ICO notification) and Article 34 (individual notification) templates in minutes.
- Ensure reports are comprehensive and compliant—our pre-submission checks catch legal gaps before you file.
- Manage everything affordably, backed by 170+ five-star reviews and leading data security standards.
Frequently Asked Questions
Can I update my ICO breach report later?
Yes. If you discover new information, submit an updated report to the ICO as soon as possible. Supplementary reports demonstrate honesty and responsible management.
What if I miss the 72-hour deadline?
Submit as soon as you can, explaining the reasons for delay. The ICO will review the circumstances and your documentation—good records can help reduce penalty risks.
Do both controllers and processors report breaches?
Processors must notify the data controller “without undue delay” if a breach occurs. Only the controller is legally obligated to notify the ICO.
What penalties might I face for not notifying the ICO?
Substantial fines—up to £8.7 million or 2% of annual global turnover (whichever is higher)—are possible. Early, complete notification is the best protection for your business.
How do I assess if individuals’ rights and freedoms are at risk?
Look for potential harm: financial loss, stress, discrimination, or compromised confidentiality. If harm is possible, notification is usually required.
Should I report a GDPR breach by phone or online?
Almost all cases should use the ICO’s online notification form. For urgent support, the ICO’s helpline is available—but keep written records for every interaction.
Is legal review needed before ICO notification?
Not always, but pre-submission legal review using our templates ensures your report is thorough and compliant, reducing the chance of accidental errors.
How long should I keep breach records?
UK GDPR requires you to document every breach (Article 33(5)) but sets no fixed retention period. Keeping all breach records, including decision logs, notifications, and correspondence, for at least six years is a common benchmark.
Am I always required to notify affected individuals?
No. Notification is only necessary if there is a “high risk” to people’s rights and freedoms. If you decide not to notify, document your rationale and risk assessment carefully.
Can Go-Legal AI help with broader GDPR compliance?
Absolutely. Our solutions cover DSARs, privacy policies, DPA contracts, and GDPR staff training—each designed for the needs of UK startups and small businesses.
Report a GDPR Breach to the ICO With Total Confidence
Knowing how—and crucially, when—to report a GDPR breach is vital for every UK business. Acting rapidly and submitting a full, accurate ICO notification protects you from penalties, maintains customer trust, and proves your commitment to data protection law. Relying on guesswork or missing key steps puts your business at risk of regulatory fines and lasting reputational damage.
Our technology ensures you never face GDPR incident reporting alone. Go-Legal AI’s triage tools, lawyer-approved templates, and secure records platform take you from uncertainty to full compliance in minutes—every time a breach risk arises. Want to make incident reporting faster, safer, and stress-free? Start your free trial today and transform your GDPR obligations into a competitive advantage.