UK GDPR: Data Breach Response: does it apply to you?
UK General Data Protection Regulation (UK GDPR), Article 33
When this applies
If you suffer a data breach (e.g. a hack, accidental disclosure, or lost device), you may need to report it to the ICO within 72 hours. You should document a basic response procedure before a breach happens, not after.
When it does not apply
Data breach reporting obligations apply to controllers of personal data. Not applicable if you do not hold personal data.
What is at stake
Failure to report a notifiable breach within 72 hours is itself a breach. Fines up to £17.5M or 4% of global turnover.
What to do
Document a basic breach response procedure. Know that personal data breaches likely to result in risk to individuals must be reported to the ICO within 72 hours.
Check all 27 regulations for your business
This is one of 27 checks getsorted runs. Answer around 12 questions and see your full compliance picture in three minutes. Free, no account.
Check your business →Reviewed: 2026-06-25 · Source: official guidance