Report a data breach

A personal data breach happens when data has been accidentally or unlawfully:

  • lost
  • destroyed
  • changed
  • accessed

This could happen, for example, if someone:

  • loses a computer that contains personal data
  • sends personal data to the wrong person
  • accesses data they are not authorised to access

You can read more about what a personal data breach is on the ICO website.

A data breach can be accidental or unlawful.

You should have a process in place so that everyone knows how to respond to a breach. This is known as a response plan.

If you need to report a breach to the ICO, you must do so within 72 hours of first finding out – even if this is outside working hours.

How to report a data breach

Report a data breach to the ICO by phone or online

When to report a data breach

You don’t always have to report a data breach to the ICO. You’ll need to assess each case individually and look at the potential negative consequences it could have on the person affected – the data subject.

It will depend on:

  • how sure you are a breach has happened
  • what level of risk the breach poses to data subjects
  • what category of data has been breached (how sensitive it is)

When there’s no need to report

If you decide the breach is unlikely to result in a risk to people, you don’t need to report it. This might be, for example, if contact details are accidentally deleted but the information did not include passwords or financial data.

You’ll still need to keep a record of details of the breach and why:

  • you chose not to report it
  • you thought it did not pose a significant risk to the data subject

When you need to report to the ICO

You should report to the ICO if the potential impact on people would include a risk to their rights and freedoms. For example, it could result in:

  • emotional or physical distress
  • financial loss
  • loss of reputation
  • other emotional or social disadvantages

When you also need to tell the people affected

If you decide that there’s likely to be a high risk to the people affected, you’ll need to tell the data subject as soon as possible, as well as the ICO. This will give them a chance to protect themselves from any negative impacts.

This will also be the case if the information contains sensitive (special category) personal data or data on criminal convictions.

Sensitive personal data could be, for example:

  • political opinion
  • religious beliefs
  • health
  • sex life or orientation

It’s considered high risk because it could lead to:

  • discrimination
  • identity theft or fraud
  • financial loss
  • damage to reputation

When you tell data subjects about the breach you should write in a way they can easily understand.

Read the ICO’s guidance on what to tell the people affected

You could be fined up to 2% of your global turnover if you don’t report a breach when you should, and a further 4% for the breach itself.

Recording a data breach

You should keep your own record of all personal data breaches in an inventory or log. It must contain:

  • the facts about the breach
  • the effects of the breach
  • action taken