What is a personal data breach?

A personal data breach isn't just about hackers getting into your systems. Under UK data protection law (the UK GDPR, the retained version of the General Data Protection Regulation (GDPR), and the Data Protection Act 2018), a personal data breach is a breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In short, a data breach is a security incident that has affected the confidentiality, integrity, or availability of personal data.

Personal data is any information relating to a living person who can be identified from it, either directly or in combination with other information, like a name, email address, or date of birth. Online identifiers such as an IP address or a customer reference number are also personal data if they can be linked back to a person.

The breach does not have to be intentional or malicious. It can be something as simple as sending an email containing personal information to the wrong person or an employee leaving a laptop on a train.

Infographic defining what a personal data breach is

What are some examples of personal data breaches?

Data breaches come in many forms. Common examples include:

  • a cyber attack where hackers access your customer database

  • sending an email with sensitive personal details to the incorrect recipient

  • an employee losing a work laptop or USB stick containing personal data

  • paper records being stolen from an office or disposed of insecurely

  • a member of staff accessing personal data they aren't authorised to view

How do you know when a personal data breach has occurred?

Discovering a data breach isn't always straightforward. It might be obvious, like a notification from your IT security software, but often the signs are more subtle. A breach is typically identified in one of two ways: internally or externally.

Internal discovery happens when someone within your organisation spots the problem. This could be an employee realising they've sent an email to the wrong person, or your IT team detecting unusual activity on the network. Having robust internal policies (like an Information security policy) and staff training is key, as they encourage employees to report mistakes quickly so they can be dealt with.

External discovery is when someone outside your business alerts you to a problem. This could be a customer who has received someone else's data, a security researcher who has found a vulnerability in your system, a data processor (eg the company that provides your cloud hosting), or even the police. A report from a third party doesn't always tell you for certain that personal data has been compromised, so you must investigate it promptly; the 72-hour reporting clock starts as soon as you have a reasonable degree of certainty that a breach affecting personal data has occurred. If a processor tells you it has suffered a breach involving data it processes on your behalf, you are considered aware from the moment it informs you, which is why your contracts with processors must require them to notify you without undue delay.

How do you determine the risk of a data breach?

Once you know a breach has happened, you must quickly assess the risk it poses to people. This assessment will decide whether you need to report the breach to the ICO and/or to the individuals affected.

Your assessment should consider both the seriousness of the potential harm and the likelihood of that harm happening. You should ask yourself:

  • what type of data is involved? A breach involving special category data (like health information) or data that enables fraud (like bank details or login credentials) is much higher risk than a breach of information that is already in the public domain

  • how much data has been compromised? The more people affected, and the more data held about each of them, the higher the risk

  • who has the data now? There's a big difference between an email sent to a trusted colleague by mistake and data being posted on the dark web. If you know and trust the recipient, and you're confident the data has been deleted, the risk is lower

  • what is the potential harm? Think about the worst-case scenario. Could the data be used for identity theft? Could it cause someone financial loss, physical harm, or emotional distress? Could it damage their reputation or lead to discrimination?

You must document every personal data breach in an internal breach log, whether or not you decide to report it. Record the facts of the breach, its effects, the remedial action you took, and the reasons for your decision on whether to report it. The ICO can ask to see this log to check that you're complying with the law.

When must you report a data breach to the ICO?

You don't need to report every single data breach to the Information Commissioner's Office (ICO), which is the UK's data protection regulator. Your duty to report depends on the level of risk the breach poses.

You, as the data controller (ie the organisation that decides how and why personal data is processed), must report a breach to the ICO if it's likely to result in a risk to the rights and freedoms of individuals. This means you need to assess the potential negative consequences for the people whose data has been compromised. This could include risks of identity theft, financial loss, discrimination, or emotional distress. If a breach poses this kind of risk, you must report it.

A case study infographic on data breaches and when they need to be reported to the ICO

What is the 72-hour time limit?

If you decide a breach needs to be reported, you have 72 hours to do it from the moment you become aware of the breach, and that includes weekends and bank holidays. This time window starts as soon as you have a reasonable degree of certainty that a security incident has occurred and that it has compromised personal data.

If you can't provide all the details within 72 hours, you should still make an initial report within the deadline and provide the rest of the information in phases as your investigation progresses. If you miss the 72-hour deadline, you must give the ICO the reasons for the delay when you do report.

How do you handle a data breach?

Containing the breach and recovering from it come first (eg revoking compromised credentials, recalling a mis-sent email, or restoring from backup). Alongside that, your legal duties are two-fold: reporting the breach to the regulator (if required) and communicating with the people affected (if required).

Reporting to the ICO

You should report a notifiable breach to the ICO using their official data breach reporting form. The report should include:

  • a description of the breach, including the categories and approximate number of people and personal data records affected

  • the name and contact details of your data protection officer (if you have one) or another contact point

  • a description of the likely consequences of the breach

  • a description of the measures you've taken, or plan to take, to deal with the breach and reduce its effects

Informing affected individuals

You have a separate duty to inform people directly if the breach is likely to result in a high risk to their rights and freedoms. This high-risk threshold is higher than the one for notifying the ICO, so some breaches must be reported to the ICO but not to individuals. You must tell the affected individuals without undue delay. There is no fixed 72-hour limit here; the point is to let people protect themselves as soon as possible.

However, you don't have to notify individuals if:

  • you'd already protected the data with measures (eg strong encryption) that make it unintelligible to anyone who isn't authorised to access it. This only helps if the encryption key wasn't compromised as well, and it doesn't help where the breach has destroyed the data or left you unable to access it

  • you've taken immediate steps that have successfully removed the high risk to individuals

  • it would involve a disproportionate effort to contact everyone individually. In this situation, you must issue a public communication (like a prominent notice on your website) to inform people in an equally effective way

When you notify people, your message must include:

  • a description of what happened in clear and plain language

  • the name and contact details of your data protection officer or another contact person

  • a description of the likely consequences of the breach

  • the steps you're taking to deal with the situation and to reduce any negative effects

It's also good practice to give clear, specific advice on how people can protect themselves and explain what you're doing to help them (eg by requiring password resets, encouraging them to use stronger and more unique passwords, or telling them to look out for phishing emails or suspicious activity on their accounts).

In very specific and rare situations, such as to avoid interfering with a criminal investigation or to protect national security, you may be able to limit the amount of information you provide to individuals.

What happens if you don't report a data breach?

Failing to comply with data breach reporting rules can have serious consequences. The ICO has the power to issue significant fines for infringements of the UK GDPR. For failing to notify a breach to the ICO or to affected individuals, the maximum fine is £8.7 million or 2% of your business's total annual worldwide turnover, whichever is higher. A higher tier of £17.5 million or 4% of turnover applies to infringements of the data protection principles, and the underlying security failure that led to the breach can itself be penalised under that tier.

While the highest fines are reserved for the most serious cases, even smaller compliance failures can result in enforcement action, reputational damage, and a loss of customer trust. It's always better to have clear procedures in place and to be transparent when things go wrong.

Checklist infographic listing the 5 first steps a business should take after a data breach


Having appropriate security measures in place, backed by clear data protection policies and a tested breach response procedure, is the best way to reduce the likelihood of breaches and to demonstrate compliance with the law.


Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.


About this page:

  • this guide was written and reviewed by Rocket Lawyer editorial staff
  • this guide was last reviewed or updated on 14 October 2025
