Data breach notification to the ICO — the 72-hour rule
A personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the ICO within 72 hours of the organisation becoming aware of it. The procedure for identifying, assessing, and notifying breaches must be established before one occurs — not improvised in the moment. This guide covers when notification is required, what it must contain, and how to build a breach response capability.
The 72-hour period begins when the organisation first becomes aware of the breach — not when the investigation is complete, not when the cause is identified. A processor discovering a breach must notify the controller without undue delay; the controller's 72-hour clock for notifying the ICO then begins from the moment the controller becomes aware. You cannot wait until you understand the full extent of a breach before notifying.
What is a personal data breach
Article 4(12) of UK GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This is deliberately broad. A breach is not just a hack — it includes sending an email to the wrong recipient, leaving a laptop on a train, accidentally deleting records without backup, or a member of staff accessing data they are not authorised to view.
Three types of breach are recognised: a confidentiality breach (unauthorised or accidental disclosure or access), an integrity breach (unauthorised or accidental alteration), and an availability breach (accidental or unauthorised loss of access to or destruction of data). All three trigger the same assessment and documentation obligations.
When ICO notification is required
Not every breach must be reported to the ICO. Article 33(1) requires notification where the breach is likely to result in a risk to the rights and freedoms of natural persons. Where a breach is unlikely to result in such risk, notification to the ICO is not required — but the breach must still be recorded internally.
The ICO's guidance identifies several factors relevant to the risk assessment: the nature of the personal data (special category data carries higher risk), the number of individuals affected, the likely consequences for individuals (discrimination, financial loss, identity theft, reputational damage, physical harm), and whether the data is already publicly available. A risk assessment must be documented — a bare assertion that a breach was low risk is insufficient.
Under Article 33(5), all personal data breaches must be documented — including those for which ICO notification was not required. The breach log should contain the facts of the breach, its effects, and the remedial action taken. The ICO may request this log as part of an investigation or supervisory activity. An organisation without a breach log will find it difficult to demonstrate accountability.
The 72-hour requirement
Where a breach requires ICO notification, it must be made within 72 hours of the controller becoming aware of the breach. The 72-hour period runs continuously — including weekends and bank holidays. If the full notification cannot be provided within 72 hours, a partial notification must be submitted within that timeframe, with the remaining information provided in phases as soon as possible.
Article 33(4) explicitly permits phased notification: the controller must provide as much information as is available within 72 hours, with further information provided without undue delay. The notification should be accompanied by the reasons for the delay if the full information is not available at the time of notification.
What the notification must include
Article 33(3) sets out the mandatory content of a notification to the ICO:
- A description of the nature of the breach, including the categories and approximate number of individuals affected and the categories and approximate number of personal data records concerned
- The name and contact details of the Data Protection Officer or other contact point from whom more information can be obtained
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects
The ICO notification is made through the ICO's online breach reporting tool. All notifications are assessed by the ICO, and serious breaches may trigger an investigation regardless of whether the notification was prompt and complete.
When to notify individuals
Article 34 imposes an additional obligation to notify the affected individuals where a breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than the ICO notification threshold. Not every breach that requires ICO notification also requires individual notification — but where the high-risk threshold is met, notification to individuals must be made without undue delay.
Individual notification must describe the nature of the breach in plain language, provide the contact details of the DPO or equivalent, describe the likely consequences, and describe the measures taken. It must be addressed to individuals directly — a general announcement on a website does not meet the requirement unless direct communication is impossible.
Three circumstances allow individual notification to be omitted even where high risk is established: the data affected was encrypted or otherwise rendered unintelligible; subsequent measures have eliminated the high risk; or direct notification would involve disproportionate effort, in which case a public communication or equivalent must be made instead.
Processor obligations
Where a data processor becomes aware of a breach affecting data processed on behalf of a controller, Article 33(2) requires the processor to notify the controller without undue delay — in practice, as quickly as possible given that the controller's 72-hour clock to the ICO begins from the moment of awareness. The processor-to-controller notification timeline must be specified in the Data Processing Agreement (Article 28(3)(f)).
As a data controller, you must therefore check every DPA you have executed to confirm that breach notification timelines are specified, and that they are fast enough to allow you to investigate and notify the ICO within 72 hours if required.
Building a breach response capability
The ICO does not expect organisations to prevent every breach. It expects them to have a documented response plan, a breach log, trained staff, and a clear escalation procedure — and to be able to demonstrate all of these on request. An organisation that discovers a breach and has no plan, no log, and no designated contact point will face significantly more scrutiny than one that reports promptly and can show its procedure was followed.
A breach response plan must cover: how breaches are detected and reported internally; who assesses severity and makes the notification decision; who is responsible for ICO notification and individual notification where required; how the breach log is maintained; and how the incident is reviewed after closure to prevent recurrence. A tabletop simulation — testing the plan against a realistic scenario — is the standard by which the ICO assesses whether a response plan is genuinely operational rather than theoretical.