Data breaches – takeaways for businesses from updated ICO guidance

read time: 4 mins
24.06.25

Data breaches are on the rise, and pose a significant risk to businesses in the modern day.

A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Data breaches may be caused deliberately, for example by cyberattacks, or may be the result of human error or system failures. 

The consequences of data breaches can be far-reaching: they affect the individuals whose data has been breached, damage the reputation of the business involved, and may also result in a hefty fine from the UK’s Information Commissioner’s Office (“ICO”).

It is therefore crucial for businesses, regardless of their size, to understand what a data breach is and how to respond to such an event. This article considers the reporting obligations of UK businesses which have suffered a data breach, based on the updated guidance from the ICO. This guidance was last updated in May 2025 to emphasise the need for organisations to ‘report early’ and ‘update later’.  

Is the breach reportable?

Under the UK GDPR, businesses are required to report certain data breaches to the ICO. 

Once aware of a data breach that has taken place or may take place, businesses should consider the potential negative consequences for the individuals involved. The key question in determining whether the breach needs to be reported to the ICO is: is the data breach likely to result in a risk to the rights and freedoms of individuals?

Businesses should assess the risk to individuals that a data breach poses, factoring in the severity or substance of those consequences, and how likely those consequences are to happen. Guidance suggests that risk exists when the breach may lead to physical, material or non-material damage for the individuals whose data has been breached.

To assist in carrying out this risk assessment, the ICO has an online self-assessment tool which can be used to give an indication as to whether a business needs to report a breach to the ICO. Businesses may also call the ICO’s personal data breach line on 0303 123 1113 for advice.

When to make a report to the ICO

If a data breach is reportable, businesses must take a proactive approach and report to the ICO without undue delay, i.e. as soon as possible. In any event, a report should be made within 72 hours of becoming aware of the breach. If a notifiable breach is reported to the ICO after the 72-hour period, the ICO will require reasons for the delay.

How to make a report to the ICO

Reports should be made using the ICO’s online form, which takes approximately 30 minutes to complete. Businesses will be required to provide relevant information about the nature of the breach, who is affected, and what action has been and will be taken as a result of the breach.

Businesses must provide as much accurate detail as possible in the report, even if the information may change in future. Any information uncovered at a later date should also be provided to the ICO without undue delay. The ICO will then use this information to determine next steps, to understand the breach and the mitigations that were in place, and to consider any potential failure or lack of controls and processes.

Following a report, the ICO may use investigative and/or enforcement powers under data protection law. ICO guidance also sets out that the ICO may share information provided by businesses with law enforcement and cybercrime agencies, regulators such as the Financial Conduct Authority, or the relevant regulatory bodies of another country, should this be necessary.

Additional reporting requirements

For ‘high risk cases’, being scenarios where the risk to the rights and freedoms of the people the data breach could affect is high, businesses must also notify the individuals affected by the breach ‘without undue delay’.

What can businesses do in order to ‘report early’ and ‘update later’?

In accordance with ICO guidance, businesses should ensure that they implement robust data breach detection, investigation and internal reporting procedures. These will help the business carry out its risk assessment and decide, in a timely manner, whether a report needs to be made. This may include having response plans in place or having an individual within the business who is responsible for managing breaches. Businesses must also keep a record of any personal data breaches, regardless of whether a report is made.

Failure to notify the ICO

Businesses should be aware that a failure to notify the ICO of a breach when required to do so may result in a significant fine of up to £8.7 million or 2% of a business’s global turnover, and can be combined with other corrective powers of the ICO. This underscores the importance of assessing the risks posed by a data breach and reporting to the ICO where appropriate.

Useful ICO guidance

The ICO has also published detailed guidance to assist businesses in dealing with personal data breaches, and has produced a simple guide for small companies and sole traders setting out seven steps to follow when responding to a breach in the first 72 hours.

For more information, please contact our privacy and data team.
