UK Data Breach Reporting: The 72-Hour ICO Rule

If your organisation suffers a personal data breach, UK GDPR Article 33 requires you to notify the Information Commissioner's Office within 72 hours of becoming aware of it, unless the breach is unlikely to put people at risk. Miss that without good reason and the failure is itself a fineable infringement.
This page covers the operational mechanics of breach reporting for organisations. For the wider UK framework (lawful bases, data subject rights, the Data (Use and Access) Act 2025, EU adequacy), see our United Kingdom data privacy laws overview.
What counts as a personal data breach
A personal data breach is broader than most people assume. The ICO defines it as a security incident affecting the confidentiality, integrity or availability of personal data, the three elements security professionals call the CIA triad. There is a breach whenever personal data is lost, destroyed, corrupted or disclosed without authorisation, whenever someone accesses or passes on data without authority, and whenever data is made unavailable, for example when ransomware encrypts it or a backup is accidentally deleted. A confidentiality breach is unauthorised disclosure or access. An integrity breach is unauthorised alteration. An availability breach is loss of access to, or destruction of, the data. Crucially, a breach can be accidental as well as deliberate: a misdirected email, a lost unencrypted laptop, or paper files left on a train all qualify. A security incident only becomes a personal data breach when it involves personal data, so the threshold question is always whether identifiable information was affected.
Watch out: temporary loss of access counts. If a system outage or a ransomware lock means you cannot reach personal data when you need it, that is an availability breach even if the data is eventually recovered intact.
When you must report to the ICO, and when you do not
Not every breach is notifiable. Under Article 33(1), you report unless the breach is "unlikely to result in a risk to the rights and freedoms of natural persons." In practice that means you must assess, for each breach, the likelihood and severity of harm to the people whose data is involved. Risk to rights and freedoms includes physical, material and non-material damage such as discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality, or any other significant economic or social disadvantage. If a risk to people is likely, you must report. If a risk is unlikely, you do not report to the ICO, but you must still record the breach internally. The ICO publishes a self-assessment tool and worked examples to help controllers reach a defensible decision, and runs a personal data breach advice line on 0303 123 1113 for organisations that are unsure.

The ICO's own examples illustrate the line. A lost unencrypted laptop holding unredacted sensitive case files is reportable, because the controller cannot rule out access and so cannot be sure people are not at risk. By contrast, a stolen device whose data was strongly encrypted, with no other copies compromised, may not meet the threshold. The test is not whether harm has occurred but whether it is reasonably likely.
The 72-hour clock and how it works
| Element | What Article 33 requires |
|---|---|
| When the clock starts | When you become "aware" that a breach has occurred, meaning you have a reasonable degree of certainty a security incident has compromised personal data, not the moment you have every detail |
| The deadline | Without undue delay and, where feasible, not later than 72 hours after becoming aware (Article 33(1)). The 72 hours run on calendar time, including weekends |
| Late reports | Permitted, but the notification must be accompanied by reasons for the delay (Article 33(1)) |
| Incomplete information | You may report in phases without undue further delay where you cannot provide everything at once (Article 33(4)) |
| Processor breaches | A processor must notify the controller without undue delay; the controller's clock generally runs from the controller becoming aware (Article 33(2)) |
You do not have to finish investigating before you report. If you suspect a notifiable breach but are still establishing the facts, it is better to make an initial report within 72 hours and supply further detail as your investigation progresses. The first practical step on discovering a breach is to contain it (for example, by recovering data, shutting down a compromised account, or attempting to recall a misdirected email) and then to assess the risk.
What the notification must contain
Article 33(3) sets out the minimum content of a report to the ICO. The notification must describe the nature of the breach, including, where possible, the categories and approximate number of individuals affected and the categories and approximate number of personal data records concerned. It must give the name and contact details of your data protection officer or other contact point where more information can be obtained. It must describe the likely consequences of the breach. And it must describe the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate any adverse effects on individuals. Reports are made through the ICO's online "report a breach" service, or by telephone for organisations that cannot use the online route. Because phased reporting is allowed, the approximate figures and best current assessment are acceptable in a first report; precise numbers can follow.
Telling affected individuals (Article 34)
| | Notify the ICO (Article 33) | Notify individuals (Article 34) |
|---|---|---|
| Threshold | Breach likely to result in a risk to rights and freedoms | Breach likely to result in a high risk to rights and freedoms |
| Deadline | Within 72 hours where feasible | Without undue delay |
| Form | Online report to the regulator | Direct communication to the individual, in clear and plain language |
| Content | Article 33(3)(a) to (d) | Nature of the breach plus Article 33(3)(b), (c) and (d) |

The high-risk threshold for telling individuals is deliberately higher than the threshold for telling the ICO, so a breach can be reportable to the regulator without triggering individual notification. Where it is triggered, the communication must be in clear, plain language and tell people what happened, who to contact, the likely consequences, and what you are doing about it, so they can take protective steps such as changing passwords or watching for fraud. Article 34(3) provides three exceptions where direct notification is not required: where you had applied appropriate protection measures, such as encryption, that render the data unintelligible to anyone unauthorised; where you have since taken steps ensuring the high risk is no longer likely to materialise; or where direct notification would involve disproportionate effort, in which case you must instead make a public communication or similar measure that informs people equally effectively. Under Article 34(4) the ICO can override a controller's decision and require individuals to be told.
Watch out: even if you rely on an Article 34 exception to avoid telling individuals, you may still have to report the breach to the ICO, and you must still document your reasoning.
The duty to document every breach
Article 33(5) requires controllers to document any personal data breach, comprising the facts of the breach, its effects, and the remedial action taken, in a way that lets the ICO verify compliance. This duty applies to all breaches, including those you assess as not notifiable. In practice that means keeping an internal breach register or log. The ICO recommends having a documented internal breach-reporting procedure so staff know how to escalate incidents quickly and so the organisation can make and record a defensible decision about whether to notify. A good register captures the date and time of discovery, what happened, the categories and rough number of people and records affected, your risk assessment and the reasoning for reporting or not reporting, whether the ICO and individuals were told, and the steps taken to contain and prevent recurrence. The register is itself accountability evidence: if the ICO investigates, it is how you show your decisions were reasonable.
Penalties for failing to report
Failing to notify the ICO when required is treated as an infringement in its own right, separate from whatever caused the breach. It falls in the standard tier, carrying a maximum fine of GBP 8.7 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. The underlying security failure that allowed the breach can attract the higher tier, up to GBP 17.5 million or 4% of global turnover, so a poorly handled breach can expose an organisation to penalties on more than one front. Beyond fines, the ICO can issue enforcement notices and reprimands. The practical lesson is that a prompt, honest report, even an incomplete one made within 72 hours, is far safer than a delayed or absent one.
Practical breach-response steps
- Detect and escalate fast. Have a clear internal procedure so any staff member knows who to alert the moment they suspect a breach; the 72-hour clock starts when the organisation becomes aware.
- Contain the incident. Recover data where you can, shut down compromised accounts or systems, and attempt to recall or delete misdirected information.
- Assess the risk to people. Use the ICO self-assessment tool to weigh likelihood and severity of harm and decide whether the breach is notifiable.
- Report to the ICO within 72 hours through the online service if a risk is likely, supplying the Article 33(3) information and reasons for any delay.
- Notify affected individuals without undue delay where the breach is likely to result in a high risk, unless an Article 34(3) exception applies.
- Record everything in your breach register, including breaches you decide not to report, and capture the lessons learned to prevent recurrence.

Frequently Asked Questions
How long do I have to report a data breach to the ICO?
Under UK GDPR Article 33(1), you must report a notifiable personal data breach to the Information Commissioner's Office without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The 72 hours run on calendar time, including weekends. If you report late, the notification must be accompanied by reasons for the delay. You do not have to finish investigating first; if you cannot provide all the information at once you can report in phases under Article 33(4).
When does the 72-hour clock start?
The clock starts when you become "aware" of the breach, which the ICO treats as the point at which you have a reasonable degree of certainty that a security incident has occurred and compromised personal data. It is not the moment you have every detail. Where a data processor suffers the breach, the processor must tell you without undue delay under Article 33(2), and your time to report to the ICO generally runs from when you, the controller, become aware.
Do I have to report every data breach?
No. You only have to notify the ICO if the breach is likely to result in a risk to the rights and freedoms of individuals. If you assess that a risk is unlikely, you do not report it to the ICO. However, Article 33(5) still requires you to document the breach internally in your breach register, recording the facts, its effects, the remedial action taken, and your reasoning for not reporting.
What is the difference between reporting to the ICO and telling affected individuals?
They have different thresholds. You report to the ICO under Article 33 when a breach is likely to result in a risk to people's rights and freedoms. You must tell the affected individuals directly under Article 34 only when the breach is likely to result in a high risk. The high-risk threshold is higher, so many breaches are reportable to the ICO without requiring you to contact individuals. When individual notification is required, it must be in clear and plain language and made without undue delay.
What information must a breach report to the ICO include?
Article 33(3) requires you to describe the nature of the breach, including, where possible, the categories and approximate number of individuals and personal data records affected; give the name and contact details of your data protection officer or other contact point; describe the likely consequences of the breach; and describe the measures you have taken or propose to take to address it and mitigate any adverse effects. Approximate figures and your best current assessment are acceptable in an initial report.
What counts as a personal data breach?
A personal data breach is a security incident affecting the confidentiality, integrity or availability of personal data. That covers personal data being lost, destroyed, corrupted or disclosed without authorisation, someone accessing or sharing it without authority, and data being made unavailable, for example through ransomware or accidental deletion. Breaches can be accidental as well as deliberate, so a misdirected email, a lost unencrypted laptop, or files left in a public place can all be breaches if they involve personal data.
Do I have to keep a record of breaches I decide not to report?
Yes. Article 33(5) requires controllers to document every personal data breach, including those assessed as not notifiable, recording the facts, the effects, and the remedial action taken. The ICO recommends keeping an internal breach register and a documented breach-reporting procedure. The register is accountability evidence: if the ICO ever investigates, it is how you demonstrate that your decision not to report a particular breach was reasonable.
What is the penalty for failing to report a data breach?
Failing to notify the ICO when required is a standard-tier infringement, carrying a maximum fine of GBP 8.7 million or 2% of total worldwide annual turnover, whichever is higher. This is separate from any penalty for the underlying security failure, which can fall in the higher tier of up to GBP 17.5 million or 4% of global turnover. The ICO can also issue enforcement notices and reprimands. Reporting promptly, even with incomplete information, is far safer than reporting late or not at all.
Sources and References
- UK GDPR Article 33, Notification of a personal data breach to the supervisory authority (legislation.gov.uk)
- UK GDPR Article 34, Communication of a personal data breach to the data subject (legislation.gov.uk)
- ICO, Personal data breaches: a guide (ico.org.uk)
- ICO, 72 hours: how to respond to a personal data breach (ico.org.uk)
- ICO, Personal data breach examples (ico.org.uk)
- ICO, Self-assessment for data breaches (ico.org.uk)
- ICO, The maximum amount of a fine under UK GDPR and DPA 2018 (ico.org.uk)
- Data Protection Act 2018 (legislation.gov.uk)