When a data breach occurs, the clock starts ticking immediately. Under UK GDPR, you have just 72 hours to report certain breaches to the ICO—and that window can feel impossibly short when you're also trying to contain the incident, assess the damage, and protect affected individuals. This guide provides a clear, step-by-step protocol for those critical first hours.
The 72-Hour Rule
Article 33 of the UK GDPR requires you to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. This is 72 calendar hours, not 72 business hours: weekends and bank holidays count. If you are a processor rather than a controller, Article 33(2) requires you to notify the controller without undue delay; the 72-hour duty to the ICO sits with the controller.
What Counts as a Personal Data Breach?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This is broader than many people realise and includes:
- Confidentiality breaches: Unauthorised access or disclosure (e.g., email sent to wrong recipient, hacking)
- Integrity breaches: Unauthorised alteration of data (e.g., records modified maliciously)
- Availability breaches: Loss of access to data (e.g., ransomware attack, accidental deletion without backup)
It's important to note that a breach doesn't have to involve malicious activity—accidental incidents count too. Sending a spreadsheet of employee data to the wrong person is just as much a breach as a sophisticated cyber attack.
The Four Phases of Breach Response
Effective breach response follows a structured approach. While these phases may overlap in practice, thinking about them separately helps ensure nothing is missed.
1 Identification & Containment
The moment you become aware of a potential breach, containment becomes your immediate priority. Your goals are to stop the breach from continuing and to preserve evidence for the investigation, and the two can pull in opposite directions, so choose containment steps that don't destroy what you'll need later.
Key actions:
- Isolate affected systems at the network level where it's safe to do so; prefer disconnecting or quarantining over powering off, since a shutdown loses volatile memory that forensics may need
- Revoke compromised credentials, invalidate active sessions, and rotate any API keys or tokens that were exposed
- Block malicious IP addresses or accounts
- Preserve logs and evidence: extend log retention, export copies of relevant logs and record their hashes, and don't wipe or rebuild systems until evidence has been captured
- Document everything with timestamps in a single time zone (UTC is simplest), including who took each action and when
Don't: Panic and shut down everything, delete potentially compromised files, or attempt fixes that might destroy forensic evidence. Reimaging a machine before anyone has looked at it removes both the attacker's foothold and your ability to explain what they did.
2 Assessment & Investigation
Once contained, you need to understand what happened. This assessment directly informs your notification decisions.
Key questions to answer:
- What personal data was affected?
- How many individuals are affected?
- What categories of data are involved (especially special category data)?
- How did the breach occur?
- Has the data been accessed, copied, or disclosed?
- What are the likely consequences for affected individuals?
3 Notification
Based on your assessment, determine whether notification is required—to the ICO, to affected individuals, or both.
Notify the ICO if: The breach is likely to result in a risk to individuals' rights and freedoms.
Notify individuals if: The breach is likely to result in a high risk to their rights and freedoms.
We'll cover the notification thresholds in detail below.
4 Review & Remediation
After the immediate crisis, conduct a thorough review to prevent similar incidents.
Key activities:
- Root cause analysis
- Update security measures
- Review and improve incident response procedures
- Staff training where relevant
- Document lessons learned
Hour-by-Hour: The First 72 Hours
Here's a practical timeline for managing the critical first 72 hours after discovering a breach:
Confirm and Contain
Verify the breach is real. Activate your incident response team. Begin containment measures. Start your breach log with precise timestamps.
Understand the Scope
Identify what data and systems are affected. Estimate the number of individuals impacted. Determine if special category data is involved. Brief senior management.
Gather Evidence
Work with IT/security to understand how the breach occurred. Preserve forensic evidence. Continue documenting findings. Begin risk assessment.
Evaluate Impact
Complete your risk assessment. Determine notification obligations. Prepare draft notification to ICO if required. Consider need for external support (legal, PR, forensics).
Prepare Communications
Finalise ICO notification. Draft communications for affected individuals if required. Prepare internal communications. Brief customer service teams.
Execute Notifications
Submit ICO notification via their online portal. Send communications to affected individuals. Monitor for queries and media attention. Continue remediation efforts.
When Does the Clock Start?
The 72-hour window begins when you become "aware" of the breach. You're considered aware when you have a reasonable degree of certainty that a security incident has occurred and that it has compromised personal data. A short initial investigation to reach that certainty is expected, but it must be prompt: you can't delay awareness by avoiding investigation. Record the point of awareness, and the reasoning behind it, in your breach log, because the ICO may ask you to evidence it.
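The containment checklist above asks you to preserve evidence and document everything with timestamps, and this section asks you to pin down the moment of awareness. The following is an added example, not code from the original guide, showing one way to keep a breach log that does both: an append-only, hash-chained timeline (so a later edit to an earlier entry is detectable) that records UTC timestamps, marks the awareness event, and computes the 72-hour deadline in calendar hours. All actors, events and timestamps in it are constructed sample data.

```python
"""Tamper-evident breach log with 72-hour deadline tracking.

Added example for this guide, not code from the original page. The names,
actors and timestamps below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

NOTIFICATION_WINDOW = timedelta(hours=72)   # calendar hours, not business hours
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str   # ISO 8601, always UTC
    actor: str
    event: str
    prev_hash: str
    digest: str


def _digest(seq: int, timestamp: str, actor: str, event: str, prev_hash: str) -> str:
    # Canonical JSON so the same fields always hash identically.
    payload = json.dumps([seq, timestamp, actor, event, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class BreachLog:
    """Append-only, hash-chained timeline. Each entry commits to the previous
    one, so editing or deleting an earlier entry makes verify() fail."""

    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.aware_at: datetime | None = None

    def record(self, when: datetime, actor: str, event: str, *, awareness: bool = False) -> Entry:
        if when.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        when = when.astimezone(timezone.utc)
        prev = self.entries[-1].digest if self.entries else GENESIS_HASH
        seq, ts = len(self.entries), when.isoformat()
        entry = Entry(seq, ts, actor, event, prev, _digest(seq, ts, actor, event, prev))
        self.entries.append(entry)
        if awareness and self.aware_at is None:
            self.aware_at = when   # the Article 33 clock starts here
        return entry

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            expected = _digest(e.seq, e.timestamp, e.actor, e.event, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or expected != e.digest:
                return False
            prev = e.digest
        return True

    def deadline(self) -> datetime:
        if self.aware_at is None:
            raise RuntimeError("no awareness event recorded yet")
        return self.aware_at + NOTIFICATION_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        return (self.deadline() - now.astimezone(timezone.utc)) / timedelta(hours=1)

    def is_late(self, submitted: datetime) -> bool:
        return submitted.astimezone(timezone.utc) > self.deadline()


def build_sample_log() -> BreachLog:
    """Constructed timeline: a misdirected payroll export reported on a Friday evening."""
    log = BreachLog()
    t0 = datetime(2024, 3, 1, 17, 30, tzinfo=timezone.utc)   # Friday 17:30 UTC
    log.record(t0, "helpdesk", "Staff report: payroll export emailed to an external address")
    log.record(t0 + timedelta(hours=2), "IR lead",
               "Confirmed: attachment holds employee names, NI numbers and salaries", awareness=True)
    log.record(t0 + timedelta(hours=2, minutes=15), "IT", "Sender's mail sessions revoked; recall requested")
    log.record(t0 + timedelta(hours=3), "IT", "Mail gateway logs exported and hashed; retention extended")
    return log


def tampered_log_verifies() -> bool:
    """Simulate someone quietly rewording the awareness entry after the fact."""
    log = build_sample_log()
    log.entries[1] = replace(log.entries[1], event="Unconfirmed report, no personal data seen")
    return log.verify()   # False: the stored digest no longer matches


def sample_report() -> dict:
    log = build_sample_log()
    monday_0900 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    return {
        "chain_valid": log.verify(),
        "deadline": log.deadline().isoformat(),   # Monday 19:30 UTC: the weekend counts
        "hours_remaining_monday_0900": log.hours_remaining(monday_0900),
        "late_if_submitted_monday_2000": log.is_late(monday_0900 + timedelta(hours=11)),
        "late_if_submitted_monday_1900": log.is_late(monday_0900 + timedelta(hours=10)),
    }


if __name__ == "__main__":
    print(json.dumps(sample_report(), indent=2))
```

The awareness entry, not the first report, anchors the deadline, which is the distinction this section draws; a report on Friday evening that is confirmed two hours later leaves you until Monday evening, not Wednesday. A hash chain is not a substitute for write-once storage or a ticketing system with its own audit trail, but it is cheap, and it lets you show the ICO that the timeline you hand over is the one you kept at the time.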
Understanding Notification Thresholds
When to Notify the ICO
You must notify the ICO unless the breach is unlikely to result in a risk to individuals' rights and freedoms. In practice, most breaches involving personal data will meet this threshold. Consider:
- The type and sensitivity of the data
- The volume of data and number of individuals affected
- The ease of identifying individuals from the data
- The severity of consequences for individuals
- Any special characteristics of the individuals (e.g., children, vulnerable people)
- Whether the data was encrypted or otherwise protected
Examples likely requiring ICO notification:
- Customer database accessed by hackers
- Employee payroll data sent to wrong recipient
- Loss of unencrypted laptop containing client records
- Ransomware attack affecting access to patient records
Examples unlikely to require notification:
- Email containing only a name sent to wrong person, quickly recovered
- Loss of encrypted device where key is secure
- Brief system outage with data fully restored from backup
When to Notify Individuals
The threshold for notifying individuals is higher—you must notify them when the breach is likely to result in a high risk to their rights and freedoms. This means there's a real possibility of significant harm, such as:
- Identity theft or fraud
- Financial loss
- Damage to reputation
- Discrimination
- Physical harm
- Significant emotional distress
You don't need to notify individuals if:
- You've applied appropriate technical measures (such as encryption) that render the data unintelligible to anyone not authorised to access it, and the key itself has not been compromised
- You've taken subsequent measures that ensure high risk is no longer likely
- Individual notification would involve disproportionate effort (in which case, public communication is required instead)
How to Notify the ICO
ICO notifications should be submitted through their online reporting portal. You'll need to provide:
ICO Notification Requirements
- Nature of the breach including categories and approximate numbers of individuals and records
- Name and contact details of your DPO or other contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
- If notification is delayed beyond 72 hours, reasons for the delay
If you don't have all the information within 72 hours, you can provide information in phases. Make an initial notification with what you know, clearly stating it's incomplete, and follow up as more information becomes available.
Communicating with Affected Individuals
When individual notification is required, your communication should be clear, specific, and helpful. Include:
- A clear description of what happened (in plain language)
- What personal data was involved
- The name and contact details of your DPO or contact point
- Likely consequences of the breach
- Measures you've taken to address the breach
- Specific steps they can take to protect themselves
The last point is crucial: don't just tell people there's been a breach. Give them actionable advice: change passwords (and anywhere the same password was reused), enable multi-factor authentication where it's offered, monitor bank statements, be alert to phishing attempts that reference the breach, consider credit monitoring, etc.
Communication Tips
Communicate directly with affected individuals—don't rely solely on website announcements or press releases. Use clear, non-technical language. Be honest about what you know and don't know. Show empathy and take responsibility. Provide a clear point of contact for queries.
Documentation Requirements
Regardless of whether you notify the ICO, you must document all breaches. Article 33(5) requires you to maintain records of:
- The facts relating to the breach
- Its effects
- The remedial action taken
This documentation must allow the ICO to verify your compliance. Keep records of:
- When and how the breach was discovered
- What containment measures were taken and when
- Your risk assessment and reasoning
- Your notification decision and rationale
- All communications sent
- Remedial actions and their implementation dates
Common Mistakes to Avoid
- Delaying investigation to "buy time": The clock starts when you become aware, and you're expected to establish awareness promptly. A deliberately slow investigation won't extend your 72 hours and will look bad if the ICO asks about the timeline.
- Assuming encryption means no breach: Encryption is a mitigating factor but doesn't automatically mean there's no breach or no risk.
- Over-notifying or under-notifying: Both can cause problems. Over-notification can cause unnecessary alarm; under-notification can lead to regulatory action.
- Generic communications: Vague, legalistic breach notifications frustrate individuals and attract negative attention.
- Failing to document non-notifiable breaches: Even breaches you don't report must be documented internally.
- Not involving the right people: Breach response is cross-functional. Ensure legal, IT, communications, and senior management are involved appropriately.
Preparing Before a Breach Happens
The best time to plan your breach response is before you need it. Key preparatory steps:
- Create an incident response plan: Document clear procedures, roles, and escalation paths
- Identify your response team: Know who needs to be involved and how to reach them out of hours
- Prepare template communications: Draft notification templates that can be quickly adapted
- Run tabletop exercises: Practice your response with realistic scenarios
- Establish relationships: Know your contacts at the ICO, external legal counsel, and forensics providers before you need them
- Train staff: Ensure employees know how to recognise and report potential breaches
Conclusion
Data breaches are stressful, but a structured approach helps you meet your obligations while protecting affected individuals. Remember the key principles:
- Act quickly but don't panic
- Contain first, then assess
- Document everything
- When in doubt, err on the side of notification
- Communicate clearly and helpfully
- Learn from every incident
The 72-hour deadline can feel daunting, but with proper preparation and a clear process, it's achievable. And remember: the ICO is generally more understanding of organisations that respond openly and responsibly than those that try to minimise or hide incidents.
"Personal data breaches can happen to any organisation. What matters is how you respond. Timely reporting, clear communication, and genuine efforts to mitigate harm all count in your favour."
— Information Commissioner's Office