ICO timelines, roles and templates — know before you need them.
What you'll walk away with. ICO readiness checklist you can drop into your incident binder.
Was this useful?
Regulatory nuance
Breach reporting depends on facts — this tool checks organisational readiness, not whether a specific incident is notifiable. Always confirm with the ICO guidance or legal counsel when in doubt.
Self-assessment
Eight questions on ICO timelines, ownership, detection and templates. Download your JSON summary for the incident binder.
UK GDPR awareness
Q1 / 8
Without looking it up — within how many hours must a personal-data breach be reported to the ICO if it risks individuals’ rights?
Roles
Q2 / 8
Is it documented who has authority to declare a breach and submit the ICO notification?
Roles
Q3 / 8
If you have a DPO (or outsourced privacy lead), are escalation paths to them tested?
Detection
Q4 / 8
How confident are you that you would detect unauthorised access to personal data within days, not months?
Detection
Q5 / 8
Do you have a checklist to preserve evidence (logs, images) before remediation actions?
Preparedness
Q6 / 8
Do you hold templates for ICO notification, affected individuals, and regulator/registrar chains?
Processors
Q7 / 8
If a processor causes a breach, do contracts define timelines for them to notify you?
Culture
Q8 / 8
Have staff who handle personal data been told how and when to escalate a suspected breach?
Next up: jump to the first unanswered question.
