UK GDPR data breach reporting (DPA 2018)
Latest updates - last updated 28 May 2025
28 May 2025 - Updated guidance to place more emphasis on the need for organisations to 'report early' and 'update later', and added more specific content on how best to work with the ICO following a breach.
Do I need to report a breach?
If you are unsure whether your organisation needs to report a breach to the ICO, use our self-assessment tool or read our examples.
We have a simple guide about how to respond to a breach in the first 72 hours to help small companies and sole traders.
We also have a detailed guide about how to manage a breach, including risk assessments and informing individuals.
How do I report a breach?
You can report a breach online. The online form should take approximately 30 minutes to complete. Please ensure you have all the details regarding the breach ready before you start – you can't save the form and return at a later date.
Or complete our downloadable form to report a breach.
What information will I need to provide?
We'll ask you questions about:
- what has happened;
- when and how you found out about the breach;
- the people that have been or may be affected by the breach;
- what you are doing as a result of the breach; and
- who we should contact if we need more information and who else you have told.
You should ensure the information provided is accurate and supply us with as much detail as possible. We'll send you a copy of the information you give us.
What happens when we report a breach to the ICO?
We recognise that a detailed understanding of what happened may take time. However, it is important that we receive a factually accurate account as soon as possible.
We understand that it may not be possible for you to provide a full and complete picture of what has happened within the 72-hour reporting requirement, especially if the breach is complex and possibly ongoing. However, you’re legally required to meet this timeframe and you should provide whatever relevant information you have to us at this stage. You can provide any additional details to us at a later stage, as long as you do this without undue delay.
Following a breach, you should always reflect and consider any lessons learned. In particular, consider whether your risk assessment process is comprehensive enough and how effective your mitigations and controls are.
How do we work with the ICO?
When you’ve had a personal data breach, you must assess the likely risk to people’s rights and freedoms.
If a risk is likely, you must notify us as soon as possible and, where feasible, within 72 hours. Being open and transparent with us at an early stage allows us to deal with the breach efficiently and ensures that we can help you protect personal information.
If the risk to people is high, you must also notify those people without undue delay.
Our role is to uphold information rights and help to protect people’s personal information. By working with organisations to comply with the law and providing appropriate support when breaches occur, we can help to ensure that organisations get it right in future.
Further reading
What's next?
When reporting a breach, you should give as much detail as possible and be as accurate as you can, even if information is likely to change.
We will use the information you provide to:
- decide what should happen next;
- better understand the cause of any breach;
- understand the mitigations you had in place; and
- understand the potential failure or lack of any controls or processes.
Depending on the impact of the breach, we may decide to use our investigative or enforcement powers, or both, under data protection laws. The information you provide may also help us to identify data security incident trends.
Where appropriate, we may share the information you provide with law and cybercrime agencies or other regulators, such as the Financial Conduct Authority. If an incident is relevant to another country, we may also share the information with appropriate regulatory representatives in that country. Let us know if you’d like more information about this.
You should also consider notifying other relevant parties about the breach, such as:
- your insurer;
- law enforcement agencies; and
- the National Cyber Security Centre (NCSC), if the breach was caused by a malicious actor.
How do we respond to a cyber incident?
Unless you can’t access your system, you should report cyber incidents online.
If you’ve experienced a cyber incident you can report to the NCSC. The NCSC is the UK’s independent authority on cyber security, providing cyber incident response to the most critical incidents affecting the UK. To help you decide, you should read the NCSC’s guidance about its role and the type of incidents that you should consider reporting to them.
When an incident occurs that you believe may have criminal intent, you should consider reporting this to Action Fraud – the UK’s national fraud and cybercrime reporting centre. If your organisation is in Scotland, then you should make a report to Police Scotland.
Where appropriate, we may liaise with the above organisations about the incidents reported to us. However, it is your responsibility to notify all appropriate organisations.