
When Does My Company Have to Report Data Breaches to the ICO in the UK?

Summary

  • A reportable breach is one involving personal data that is likely to risk people’s rights and freedoms, assessed against both tests before notifying.
  • You must report a qualifying breach to the ICO within 72 hours of becoming aware of it, and explain any delay if you miss that deadline.
  • Your notification should describe the breach, the likely number of people affected, any data protection officer contact details, likely consequences, and the steps you have taken to mitigate it.
  • This guide explains when and how to report a data breach to the ICO for businesses in the United Kingdom.
  • LegalVision’s business lawyers specialise in advising clients on data protection and ICO breach notification.

Tips for Businesses

Run both tests before you act: confirm personal data was involved, then assess the risk to individuals. Start the 72-hour clock from the moment you become aware. Document every breach and your reasoning, even when you decide not to report.


Under UK GDPR and the Data Protection Act 2018, your business must report a personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, but only where the breach is likely to risk people’s rights and freedoms. A personal data breach covers accidental or unlawful loss, destruction, alteration, unauthorised disclosure of, or access to personal data. Two questions decide whether you report: has personal data been breached, and does that breach pose a risk to individuals. If both are met, you notify the ICO and document your reasoning either way. This article explains when and how to report a data breach to the ICO for businesses in the United Kingdom.

When Does My Business Need to Report a Data Breach to the ICO?

Your organisation must notify the ICO of a breach if:

  • a personal data breach has occurred; and
  • that breach could likely result in a risk to people’s rights and freedoms.

What is a ‘Personal Data Breach’?

A personal data breach occurs when there is a security breach leading to the:

  • accidental or unlawful destruction, loss or alteration of personal data;
  • unauthorised disclosure of personal data; or
  • unauthorised access to personal data.

Security breaches include both accidental and deliberate access.

An example of accidental access would be a member of HR sending a copy of an occupational health assessment to the wrong employee. The assessment might contain the colleague’s full name, national insurance number and sensitive medical history. This showcases how personal information may accidentally spread without proper authorisation.

In contrast, an example of deliberate unauthorised access is a cyber-attack on your company that results in cybercriminals obtaining your customers’ payment details.


How Does a Breach ‘Risk People’s Rights and Freedoms’?

Both examples mentioned above pose a risk to someone’s rights and freedoms. In the first example, sending occupational health materials to the wrong staff member results in sensitive personal information being accidentally shared with a colleague without consent. This is a significant breach of trust and privacy.

The second example — a cyber-attack resulting in the theft of customer payment details — puts those customers at risk of identity fraud and financial loss, so the risk to individuals is clearly shown.

If, on the other hand, your company concludes that a personal data breach does not pose a risk to people’s rights and freedoms, you should document the reasons for that decision.

There are occasional instances in which a personal data breach does not significantly impact the rights and freedoms of individuals. For example, you likely do not need to report a breach to the ICO if it involves:

  • losing a printed staff telephone extension number sheet;
  • the accidental deletion of a spreadsheet containing staff preferences for an upcoming team meal; or
  • emailing the wrong payslip to an employee, but successfully recalling the email before the staff member opens it.

What Happens if a Data Breach Passes Both Tests?

In this situation, your business should report the breach on the ICO website within 72 hours of becoming aware of it. If your organisation notifies the ICO after 72 hours, you must explain the reasons for the delay in detail.

Failure to meet the 72-hour timeframe is itself a breach of UK GDPR and may result in a fine.

What to Include in a Breach Notification?

Your business should provide a summary of the breach and its likely impact, including:

  • details of the breach and whether you believe it was accidental or deliberate;
  • the likely number of individuals affected by the breach;
  • the contact details of your data protection officer (if your business has one);
  • a prediction of the likely consequences of the breach; and
  • any measures you have taken, or propose to take, to mitigate and deal with the initial impact of the data breach.

Key Statistics

  1. 3,600 incidents: data security incidents reported to the ICO in Q4 2025, a 16% increase year on year.
  2. 77%: share of reported incidents in 2025 that were non-cyber, such as data emailed to the wrong recipient, rather than malicious cyber attacks.
  3. £17.5 million or 4% of turnover: the maximum ICO fine for the most serious breaches of UK GDPR, whichever figure is higher.

Sources

  • Information Commissioner’s Office, Data security incident trends, 2025
  • Information Commissioner’s Office, Penalties (UK GDPR and DPA 2018)

What Happens After I Notify the ICO?

Following receipt of your breach notification, the ICO will begin an investigation. It is likely to ask follow-up questions and evaluate the breach’s severity and whether it could have been avoided.

If the ICO determines that the data breach was serious and violated the GDPR, it may take enforcement action against your organisation. This could involve instructing your organisation to improve procedures or issuing a fine reflecting the potential impact on individuals.

How Can Businesses Reduce the Risk of Data Breaches?

Prevention is always better than a cure. Businesses should adopt robust data protection measures, such as:

  • encrypting personal data;
  • ensuring staff receive regular training on data handling;
  • implementing multi-factor authentication on systems that store sensitive information;
  • conducting periodic data protection impact assessments (DPIAs) to help identify weak points in your processes; and
  • maintaining an incident response plan, so that your organisation can act quickly and efficiently in the event of a breach, limiting damage and meeting its reporting obligations.

Key Takeaways

Following data protection rules can reduce the likelihood of needing to report a data breach to the ICO. However, if a breach does occur, it is important to comply with the 72-hour deadline. Your business must assess whether the breach involves personal data and whether it risks individuals’ rights and freedoms, and report to the ICO accordingly. If you need help with data protection rules and data breach notifications to the ICO, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

What is the maximum fine the ICO can issue for a data breach?

For serious breaches, the ICO can fine up to £17.5 million or 4% of global annual turnover, whichever is higher. Less serious breaches carry a maximum of £8.7 million or 2% of global annual turnover.

Do I need to keep a record of breaches I decide not to report?

Yes. UK GDPR requires you to document all personal data breaches, including those you do not report. Record the facts, the effects and the action taken, so the ICO can verify your decision if asked.

Does my business need a data protection officer?

You must appoint one if you are a public authority, or if your core activities involve large-scale regular monitoring or large-scale processing of special category data. Many businesses appoint one voluntarily to manage compliance and breach response.

What are my obligations if I am a data processor, not a controller?

A processor must notify the controller without undue delay after becoming aware of a breach. The controller, not the processor, reports to the ICO. Your contract should set out how and when you escalate breaches.


Tom Khalid

Trainee Solicitor

Tom is a trainee solicitor at LegalVision. He studied History at the University of Leeds before completing the PGDL at the University of Law.

Qualifications: Postgraduate Diploma in Law, University of Law; Bachelor of History, University of Leeds.
