How long do I have to report a data breach UK?
Under UK GDPR (Article 33), you must report a personal data breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people's rights and freedoms. The clock starts when your organisation becomes aware of the breach, not when the investigation is complete, and the 72 hours includes evenings, weekends and bank holidays.
Full answer
The 72-hour reporting obligation under UK GDPR is one of the most time-sensitive compliance requirements businesses face. Here's what you need to know:
When does the clock start? The 72 hours begins when your organisation becomes 'aware' of the breach. The ICO treats you as aware once you have a reasonable degree of certainty that a security incident has compromised personal data. In practice, that's when someone in your business identifies that a breach has likely occurred, not when you've finished investigating it. If you're uncertain, err on the side of reporting; you can add detail later.
What kinds of breach are reportable? Any breach that is likely to result in a risk to individuals. Common examples include:
- Loss or theft of sensitive personal data (health, financial, criminal records)
- Accidental publication of personal data
- Ransomware attacks affecting personal data, including attacks that only encrypt it and make it unavailable
- Emails sent to the wrong person containing personal data
What if you miss the 72 hours? You can still report after 72 hours, but the report must give the reasons for the delay. Late reports are better than no reports, and the ICO takes good-faith efforts into account, but an unjustified delay is itself a breach of Article 33 and can be penalised.
Do you also need to notify the individuals affected? If the breach is likely to result in a high risk to individuals (a higher bar than the ICO threshold), you must also tell the affected people without undue delay, in clear and plain language, describing the nature of the breach, a contact point, the likely consequences and the measures you have taken or propose. This is a separate obligation (Article 34) from the ICO notification, and the ICO can order you to notify individuals if you haven't.
You must always keep a record: even for breaches you don't report to the ICO (because the risk is low), you must document the breach internally: the facts, its effects, the remedial action taken (Article 33(5)) and why you decided it was not reportable. Keep a breach register; this shows the ICO you have a process in place.
How to report: use the ICO's online breach reporting tool at ico.org.uk. Your report should cover what Article 33(3) asks for: the nature of the breach, including the categories and approximate number of individuals and records affected; the name and contact details of your DPO or another contact point; the likely consequences; and the measures taken or proposed. If you don't have all of this within 72 hours, report what you know and provide the rest in phases without undue further delay (Article 33(4)).
Related questions
How long do I have to respond to a subject access request?
Under UK GDPR, you have one calendar month from receipt of a valid subject access request (SAR) to respond. You can extend this by a further two months for complex or numerous requests, but you must tell the individual within the first month that you're extending and why.
What are GDPR fines for small businesses UK?
The ICO can fine businesses up to £17.5 million or 4% of annual worldwide turnover, whichever is higher, for serious UK GDPR breaches. For less serious breaches, the cap is £8.7 million or 2% of turnover. In practice, small business fines are much lower, but they do happen.
Do I need to give an employment contract from day one?
Yes. Since 6 April 2020, employers must provide a written statement of employment particulars on or before the employee's first day of work. This replaced the old two-month rule. Failing to do so breaches the Employment Rights Act 1996: the worker can refer the matter to an employment tribunal, and if they bring a successful related claim the tribunal can award an extra two to four weeks' pay.