
Does a data breach need to be reported to the ICO?

A personal data breach that is likely to result in a risk to people’s rights and freedoms must be reported to the ICO, usually within 72 hours of becoming aware of it — high-risk breaches also require notifying the affected individuals. Not every breach is reportable, but every breach must be assessed.


72 hours: usual deadline
Risk test: triggers the duty to report
High risk: tell the affected individuals

The reporting rule

Under UK GDPR, a personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO, generally within 72 hours of you becoming aware of it. If the risk is high, you must also notify the affected people.

What to do

Assess every breach, contain it, document what happened, and report it if the risk threshold is met — failing to report a reportable breach carries penalties. Good controls and staff awareness cut both the frequency of breaches and their fallout.

What it means for you

Credicorp lends to your company, not to you personally, and takes no personal guarantee. See business loans or apply online.

Frequently asked questions

Do I have to report every data breach?

No — only breaches likely to risk individuals’ rights. But you must assess and document every breach so you can justify the decision.

What is the deadline to report to the ICO?

Usually 72 hours from becoming aware of a reportable breach. High-risk breaches also require you to notify the affected individuals.

Funding for UK limited companies

Credicorp lends to your company, not to you personally — short-term working capital with no personal guarantee. See what your business could access.