template
GDPR Breach Response Template
A personal data breach response and log template for UK organisations: containment, risk assessment, the 72-hour ICO notification test and record-keeping.
Related service: Data Protection & UK GDPR
Use this template to record and manage a personal data breach under the UK GDPR and Data Protection Act 2018. Complete one record per incident. Remember: if the breach is likely to result in a risk to people’s rights and freedoms, you must notify the ICO without undue delay and within 72 hours of becoming aware of it. Where you cannot provide all details within 72 hours, you may provide information in phases. Replace every [bracketed] field with your own detail.
1. Incident summary
- Breach reference: [unique reference, e.g. BR-2026-001]
- Date and time breach discovered: [date / time]
- Date and time breach occurred (if known): [date / time]
- Reported by: [name / role]
- Recorded by: [name / role]
- Brief description of what happened: [what, how and which systems or records were involved]
2. Nature of the breach
- Type of breach: [confidentiality (unauthorised disclosure/access) / integrity (unauthorised alteration) / availability (loss or destruction)]
- How it happened: [e.g. email sent to wrong recipient, lost device, ransomware, misconfiguration, insider action]
- Categories of personal data involved: [e.g. names, contact details, health/care records, financial data]
- Special category or criminal offence data involved? [yes / no — describe]
- Approximate number of data subjects affected: [number]
- Approximate number of records affected: [number]
3. Containment and recovery
- Immediate actions taken to contain the breach: [e.g. recalled email, disabled account, isolated device]
- Actions taken to recover data or restore service: [describe]
- Person responsible for containment: [name / role]
- Date/time containment completed: [date / time]
4. Risk assessment
- Likely consequences for individuals: [e.g. distress, identity theft, financial loss, physical harm, discrimination]
- Severity of potential harm: [low / medium / high]
- Likelihood of harm: [low / medium / high]
- Overall risk to rights and freedoms: [none / low / high]
5. Notification decisions
- Is notification to the ICO required? [yes — likely a risk to rights and freedoms / no — document why not]
- 72-hour deadline (date/time): [breach discovered + 72 hours]
- ICO notified? [yes — date/time and reference / no — reason]
- Are affected individuals to be told? [yes — required where high risk / no — document why not]
- How and when individuals were informed: [method, date, wording]
- Any other bodies notified? [e.g. NHS England via DSPT, police, insurers, professional regulator]
6. Lessons learned and follow-up
- Root cause: [underlying reason the breach occurred]
- Preventive actions: [changes to process, training, technical controls]
- Action owner and due date: [name / date]
- Date incident closed: [date]
- Signed off by: [name / role]
Keeping this log alongside your wider information governance records also supports schemes like the DSPT — see our DSPT guides for how breach handling fits the annual cycle. We can tailor this template to your organisation as part of a fixed-fee engagement — see our data protection and GDPR service.