Reporting a UK data breach
Decision tree for the 72-hour ICO notification, what evidence to keep, and when to also notify the affected individuals.
Under UK GDPR you must notify the ICO of a personal-data breach within 72 hours of becoming aware of it — but only if the breach is likely to result in a risk to people's rights and freedoms. Notifying everything 'just in case' wastes the regulator's time and yours.
The trickier judgement is whether to also notify the affected individuals directly. The bar there is higher, 'high risk', and is judged on the type of data involved, the number of people affected and whether any mitigating controls were in place (e.g. encryption at rest where the keys were not compromised).
This pillar walks an SMB through that decision tree, what evidence to preserve, and the parallel notifications you may owe to Action Fraud, your insurer and your customers.
Tools that fit this pillar
Free interactive checks you can run right now — no account required.
SMB cyber risk self-assessment
A 15-minute, plain-English self-assessment for small businesses — with a printable PDF report mapped to Cyber Essentials.
Why here: Use this proactively to know which data you'd lose first.
Domain breach lookup
Find out which known data breaches affected a domain you own.
Why here: Check whether email addresses you hold appear in known breaches.
Authoritative sources
We point you at the originals — government, regulator and standards bodies. Bookmark these.
- ICO: personal data breaches
- Action Fraud (UK): police reporting line for cyber-enabled crime
- NCSC: incident management