Under Article 33 of UK GDPR, controllers must notify the ICO of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The obligation has applied since GDPR took effect in May 2018 and remains one of the most misunderstood and misapplied requirements in data protection law. This guide explains what it means in practice.
What is a Personal Data Breach?
UK GDPR defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed'. This is broader than many organisations realise — it includes:
- Ransomware attacks that encrypt personal data
- Accidental email disclosure (sending personal data to the wrong recipient)
- Lost or stolen devices or paper records containing personal data
- Unauthorised access by a current or former employee
- Data accidentally deleted without a backup
- A third-party processor suffering a breach affecting your data
Not every breach needs to be reported to the ICO. The notification obligation falls away only where the breach is 'unlikely to result in a risk to the rights and freedoms of natural persons', and it is for the controller to justify that assessment. Low-risk incidents, for example a staff rota accidentally sent to a colleague who should not have seen it, may not meet the threshold, but they must still be recorded in your internal breach register along with the reasoning for not notifying.
When Does the 72 Hours Start?
The clock starts when the controller 'becomes aware' of the breach. The ICO has been clear that this does not mean when you have complete information; it means when you have a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised. Where a processor suffers the breach, Article 33(2) requires it to tell you without undue delay, and you are treated as aware from the point it does so. You are not expected to have the full picture within 72 hours: Article 33(4) expressly allows the information to be provided in phases, so you notify the ICO with what you know and update the notification as further information becomes available. If you do miss the 72 hours, Article 33(1) requires the notification to be accompanied by the reasons for the delay.
In practice, this means: if your IT team confirms at 10am on Monday that a ransomware infection has encrypted systems holding personal data, the 72-hour window runs from that point. A short period of investigation to establish whether personal data is actually affected is acceptable, but you do not need, and should not wait for, the completed forensics report before notifying.
What Must You Tell the ICO?
Article 33(3) of UK GDPR specifies the minimum information that must be provided in a breach notification:
- The nature of the breach, including where possible the categories and approximate number of individuals and personal data records concerned
- The name and contact details of the Data Protection Officer (or other contact point)
- The likely consequences of the breach
- The measures taken or proposed to address the breach, including any measures to mitigate its possible adverse effects
Notifications are made through the ICO's online reporting tool. If you cannot provide all the information within 72 hours, provide what you have and indicate that further information will follow. The ICO prefers an initial notification with partial information over a delayed notification with complete information.
When Must You Notify Affected Individuals?
Article 34 of UK GDPR requires you to notify affected individuals 'without undue delay' where the breach is likely to result in a high risk to their rights and freedoms. This is a higher threshold than the ICO notification requirement.
High-risk breaches typically involve: sensitive data (health, financial, criminal records, biometric data), large numbers of individuals, data that could enable identity theft or fraud, or data relating to vulnerable individuals.
The individual notification must be in clear and plain language and, under Article 34(2), must describe the nature of the breach and contain at least the DPO or other contact point, the likely consequences, and the measures taken or proposed to address it; the ICO also expects specific advice on what individuals can do to protect themselves. Article 34(3) removes the obligation in three cases: where the affected data was protected by measures that render it unintelligible to anyone not authorised to access it, such as strong encryption with a key that was not itself compromised; where you have since taken measures so that the high risk is no longer likely to materialise; or where individual notification would involve disproportionate effort, in which case an equally effective public communication may be used instead.
The Internal Record-Keeping Obligation
Regardless of whether a breach meets the ICO notification threshold, Article 33(5) requires controllers to document all personal data breaches, including those that do not require ICO notification. This breach register must record the facts of the breach, its effects, and the remedial action taken; the ICO's guidance also expects you to record your risk assessment and, where you decided not to notify, why. The documentation must be sufficient for the ICO to verify compliance, and the ICO may request to see the register as part of an audit or investigation.
Folelse includes a built-in breach register and ICO notification workflow. Log a breach, assess its risk level, and generate a pre-populated notification report — all within the platform.