When Does My Company Have to Report Data Breaches to the ICO in the UK?

If your company suffers a data breach, you must report this as per the data protection rules. The Information Commissioner’s Office (ICO) is an independent body aiming to help organisations in England comply with data protection law. In particular, they seek to enforce the rules within the General Data Protection Regulation (GDPR). This article will detail the circumstances in which your business should report data breaches to the ICO to ensure your company complies with the relevant rules and avoids financial penalties. 

When Does My Business Need to Report a Data Breach to the ICO?

Your organisation must notify the ICO of a breach if:

  • a personal data breach has occurred; and
  • that breach is likely to result in a risk to people’s rights and freedoms.

What is a ‘Personal Data Breach’?

A personal data breach occurs when there is a security breach leading to the:

  • accidental or unlawful destruction, loss or alteration of personal data;
  • unauthorised disclosure of personal data; or
  • unauthorised access to personal data.

Security breaches include both accidental and deliberate access.

An example of accidental access would be a member of HR sending a copy of an occupational health assessment to the wrong employee. The assessment might contain the recipient’s colleague’s full name, national insurance number and sensitive medical history. This showcases how personal information may accidentally spread without proper authorisation.

In contrast, an example of deliberate unauthorised access would be a cyber-attack on your company, resulting in cyber-criminals obtaining your customers’ payment details.

How Does a Breach ‘Risk People’s Rights and Freedoms’?

Both examples mentioned above constitute a risk to someone’s rights and freedoms. In the first example (sending occupational health materials to the wrong staff member), someone’s sensitive personal information mistakenly goes to a colleague without their consent. This is a significant breach of trust and their right to privacy.

The second example (a cyber-attack resulting in the theft of customer payment details) puts those customers at risk of identity fraud and financial loss. Therefore, it is simple to satisfy this second element. 

If your company concludes that a personal data breach does not pose a risk to people’s rights and freedoms, it should thoroughly document its reasons for that decision.

However, there are occasional instances where a personal data breach does not significantly impact the rights and freedoms of individuals. For example, you are unlikely to need to report a breach to the ICO if it involves:

  • losing a printed staff telephone extension number sheet;
  • the accidental deletion of a spreadsheet containing staff preferences for an upcoming team meal; or
  • emailing the wrong payslip to an employee but successfully recovering the email before the staff member opens it.

What Happens if a Data Breach Passes Both Tests?

In that situation, your business should report the breach to the ICO through their website within 72 hours. If your organisation notifies the ICO after 72 hours, it should explain the delay. You should consider these reasons carefully, because missing the 72-hour deadline is itself a technical breach of the GDPR and may result in a fine.

What to Include in a Breach Notification?

Your business needs to try to summarise its concerns about the relevant breach. In particular, you should try to include:

  • details of the breach and whether you believe it was accidental or deliberate;
  • the likely number of individuals affected by the breach;
  • the contact details of your data protection officer (if your business has one);
  • a prediction of the likely consequences of the breach; and
  • any measures you have taken (if any) to mitigate and deal with the initial impact of the data breach.

What Happens After I Notify the ICO?

Following receipt of your breach notification, the ICO will start an investigation. They are likely to ask supplementary questions, consider the seriousness of the breach, and assess whether your company could have done something to avoid it in the first place.

If the ICO concludes that the data breach was serious and constitutes a breach of the GDPR, they will consider appropriate enforcement action against your organisation. Enforcement action could range from asking your company to implement procedures to avoid future breaches to imposing a financial penalty that reflects the potential harm to the individuals involved.

Key Takeaways

Following data protection rules can reduce the likelihood of needing to report a data breach to the ICO. However, if a breach occurs, it is essential to comply with the 72-hour deadline. Your business must assess whether the breach involves personal data and whether it risks individuals’ rights and freedoms, and report to the ICO accordingly.

If you need help with data protection rules and data breach notifications to the ICO, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why do organisations have to report themselves to the ICO?

The Information Commissioner’s Office relies on self-reporting under the provisions of the GDPR. While it may be tempting not to mention a data breach, organisations that fail to report can receive hefty financial penalties from the ICO.

Does the ICO treat accidental breaches differently from deliberate breaches?

This will depend on the exact circumstances. However, the ICO will likely impose a harsher penalty upon a cyber-attack on a weak IT system with minimal data security than the accidental distribution of an email to an incorrect recipient.

Thomas Sutherland