
The 72-hour ICO notification rule — explained

Under UK GDPR Article 33, you must notify the ICO within 72 hours of becoming aware of a personal data breach — but only if it is "likely to result in a risk to the rights and freedoms of individuals". Not every breach requires notification.

When must you notify the ICO?

Notification is required when the breach is likely to result in a risk to individuals, such as:

  • Discrimination, damage to reputation, financial loss, or social disadvantage.
  • Identity theft or fraud.
  • Loss of confidentiality of data subject to professional secrecy.
  • Any significant economic or social disadvantage.
  • Significant physical harm.

When you do NOT need to notify the ICO

  • The data was encrypted with a strong key and the key was not compromised.
  • The data is already publicly available and its disclosure presents no additional risk.
  • The breach is unlikely to result in any risk to individuals (for example, an internal email sent to the wrong internal team member, quickly recalled and confirmed not read).

When must you notify affected individuals?

Under Article 34, if a breach is likely to result in a HIGH risk to individuals (more severe than "risk"), you must also notify the affected individuals "without undue delay". This is a higher threshold than ICO notification.

What "72 hours" means

The 72 hours runs from when you become "aware" of the breach. For organisations, this is when a staff member with authority (not every employee) becomes aware. A junior employee's suspicion does not start the clock — it starts when you have reasonable certainty that a breach has occurred.

If you cannot report within 72 hours, you can still notify — but you must explain why the notification is late. Late notification is better than no notification, and the ICO takes promptness into account when considering enforcement.
