Summary
- A personal data breach occurs when personal data is lost, destroyed, altered, or disclosed or accessed without authorisation, whether deliberately or by accident.
- A data controller must report a notifiable breach to the Information Commissioner’s Office within 72 hours of becoming aware of it.
- A business must tell affected individuals where a breach creates a high risk to their rights and freedoms, and must record every breach, including those it does not report.
- This guide explains how to handle a personal data breach under UK GDPR for businesses in the United Kingdom.
- LegalVision’s business lawyers specialise in advising clients on UK GDPR data breach response and compliance.
Tips for Businesses
Prepare a written data breach response plan that assigns roles and escalation steps. Record the time you became aware of each breach, then assess the risk to individuals. Report notifiable breaches to the ICO within 72 hours. Document every breach, including those you decide not to report.
A personal data breach happens when personal data is lost, destroyed, altered, or disclosed or accessed without authorisation. Under UK GDPR and the Data Protection Act 2018, the Information Commissioner’s Office (ICO) requires data controllers to report a notifiable breach within 72 hours of becoming aware of it. You must notify affected individuals where the breach creates a high risk to their rights and freedoms. The ICO now expects organisations to report early and update later, rather than wait for a full investigation. Every breach must be recorded, even those you decide not to report. This article explains how to assess, contain, report and document a personal data breach under UK GDPR.
What is a Personal Data Breach?
A personal data breach occurs where a security incident leads to the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
This includes both deliberate and accidental incidents. For example, a breach may arise if you send an email to the wrong person, lose a device containing client data or experience a cyberattack that exposes information.
What Are Your Legal Responsibilities?
Your obligations depend on whether you act as a data controller or a data processor.
| Data Controller | Data Processor |
| --- | --- |
| If you are a controller, you decide how and why personal data is processed. You must investigate the breach and determine whether it is reportable. Where required, you must notify the Information Commissioner’s Office (ICO) and affected individuals. | If you are a processor, you act on behalf of a controller. You must notify the controller without undue delay after becoming aware of a breach. Your contract may require you to notify within strict timeframes, and failing to meet these can result in a breach of contract. |
When Must You Notify the ICO?
If you are a controller, you must notify the ICO where a breach is likely to result in a risk to individuals’ rights and freedoms.
You must do this within 72 hours of becoming aware of the breach. This timeframe starts when you have sufficient awareness that a breach has occurred, even if your investigation is ongoing.
When Must You Notify Affected Individuals?
You must notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Your communication must explain what happened, what data was affected and what steps individuals should take to protect themselves.
How Should You Respond to a Data Breach?
You must act immediately to contain the breach and prevent further unauthorised access or disclosure. You must then assess the breach by identifying the data involved, the number of individuals affected and the likelihood of harm.
If the breach meets the reporting threshold, you must notify the ICO and affected individuals without delay. You must document the incident, including your assessment and decisions.
What Happens If You Fail to Report a Breach?
Failing to report a notifiable breach within 72 hours is itself a breach of UK GDPR. The ICO can take enforcement action even where the original incident caused limited harm.
For serious infringements, the ICO can issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. For less serious infringements, including some reporting failures, fines can reach £8.7 million or 2% of turnover.
In practice, the ICO weighs how quickly you acted, whether you cooperated and what steps you took to limit harm. A late report with a clear explanation is treated differently from a breach you concealed.
Beyond fines, you may face an ICO investigation, claims from affected individuals and contractual disputes with clients. Recording your assessment and decisions, even for breaches you do not report, gives you evidence that you met your obligations if the ICO later asks.
Why Do You Need a Data Breach Response Plan?
A documented response plan allows you to act quickly and consistently.
It should allocate responsibility, set escalation procedures and outline how you communicate with regulators and affected individuals. Without a plan, you increase the risk of delayed reporting and non-compliance.
Key Takeaways
You must assess every personal data breach quickly and determine whether it is reportable under UK GDPR. If you are a controller and the breach creates a risk to individuals, you must notify the ICO within 72 hours and notify affected individuals where there is a high risk. You must document all breaches, including those that are not reported. A clear response plan and early legal advice will help you meet your obligations and reduce risk.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced data, privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Do you have to report every data breach to the ICO?
No. You must report a breach only where it is likely to result in a risk to individuals’ rights and freedoms. If you decide a breach is not reportable, you must record your reasoning and keep that record.
What is the difference between a data controller and a data processor?
A data controller decides why and how personal data is processed and carries most UK GDPR obligations. A data processor acts on the controller’s instructions. A processor must tell the controller about a breach without undue delay, and the controller decides whether to notify the ICO.
What fines can the ICO issue for a data breach?
The ICO can fine up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for serious infringements. Less serious infringements, including some failures to report, can attract fines of up to £8.7 million or 2% of turnover.
When must you tell affected individuals about a data breach?
You must tell affected individuals where the breach is likely to result in a high risk to their rights and freedoms. Your message must explain what happened, what data was involved and what steps people should take to protect themselves.