Data protection · 1 July 2026
Data breach reporting explained: the 72-hour rule under UK GDPR
Sooner or later, most organisations experience a personal data breach — an email sent to the wrong person, a lost laptop, or a system compromise. What matters under UK GDPR is how quickly and correctly you respond. This guide explains the rules and the steps to take.
What counts as a personal data breach
A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. It’s broader than many people expect. Examples include:
- Emailing personal data to the wrong recipient
- Losing a phone, laptop or paper file containing personal data
- A ransomware or hacking incident affecting your systems
- Sending a service user’s records to the wrong address
- A member of staff accessing records they have no reason to see
A breach isn’t only about data being stolen — losing access to data (for example, through ransomware) counts too.
The 72-hour rule
If a breach is likely to result in a risk to people’s rights and freedoms, you must report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
That 72-hour clock starts when you become aware of the breach — not when you’ve finished investigating it. If you don’t yet have all the details, you can make an initial report and provide the rest in stages. If you report late, you must explain the reasons for the delay.
You only need to report where there is a risk to individuals. If a breach is genuinely unlikely to pose a risk — for example, data that was properly encrypted and remains inaccessible — you may not need to report it, but you must still record it internally.
When you must also tell the individuals
Where a breach is likely to result in a high risk to people’s rights and freedoms, you must also inform the affected individuals without undue delay, in clear and plain language, so they can take steps to protect themselves. In a care setting this must be handled sensitively, given the nature of the data involved.
A step-by-step response
1. Contain the breach
Act immediately to limit the damage — recall the email, disable the compromised account, or locate the missing device. Containment comes first.
2. Assess the risk
Consider what data was involved, how sensitive it is, how many people are affected and what harm could result. Health data raises the stakes considerably. This assessment determines whether you must notify the ICO, the individuals, both or neither.
3. Report if required
If the threshold is met, report to the ICO within 72 hours, giving the nature of the breach, the likely consequences, and the measures you’ve taken.
4. Record it
Keep a log of all breaches, whether or not they were reportable, including the facts, the effects and the action taken. The ICO can ask to see this record. Your RoPA and this breach log together demonstrate accountability.
5. Learn from it
Review what happened and put measures in place to stop it recurring — additional training, better access controls, or clearer processes.
Preparing before a breach happens
The organisations that handle breaches well are those that prepared in advance:
- A written breach response procedure everyone can follow
- Clear roles: who assesses, who decides, who reports
- Staff awareness so incidents are reported internally straight away (see our staff training guide)
- The ICO’s reporting details to hand, so no time is lost in the moment
For care providers, breach preparedness also supports the DSPT and CQC’s well-led expectations — see our UK GDPR in healthcare guide.
Deciding whether to report: a simple test
When a breach happens, the key judgement is whether it’s likely to result in a risk to individuals. To reach that judgement, weigh up:
- The type of data — health and other special-category data raises the risk considerably
- The volume — how many people are affected
- The sensitivity and context — could the disclosure cause distress, discrimination, financial loss or physical harm?
- Any mitigations — was the data encrypted, or recovered quickly?
If, on balance, there’s a real risk to people, report to the ICO. If the risk is high, tell the individuals too. If there’s genuinely no risk, record it internally and move on. When you’re unsure, the safer course is usually to report — the ICO would rather hear about a borderline case than discover a hidden one.
Why speed matters
The 72-hour deadline exists because prompt reporting lets both the regulator and affected individuals act before harm spreads. That’s why the clock starts on awareness, not on completing your investigation. Practically, this means your team must escalate suspected breaches internally the moment they notice them — even an hour’s delay in reporting a lost laptop can eat into the time you have. A short, well-understood escalation path is often the single most valuable part of a breach procedure.
Common mistakes
- Waiting until the investigation is complete before starting the 72-hour clock
- Failing to record breaches that weren’t reportable
- Under-reacting to “small” breaches involving sensitive health data
- Having no procedure, so staff don’t know who to tell
- Forgetting to tell affected individuals where the risk is high
How we can help
A calm, well-rehearsed response makes all the difference when a breach happens. We offer a clear, fixed-fee engagement that puts a practical breach procedure and log in place, trains your team to spot and escalate incidents, and supports you through assessing and reporting a live breach. To find out more, explore our data protection service or get in touch for a friendly, no-obligation chat.
Need help in practice? See our Data Protection & UK GDPR service.