Critical Legal Response

Data Breach Response (UK GDPR)

When a data breach occurs, the clock starts. Survive the critical 72-hour ICO notification window under Article 33 with immediate, strategic legal intervention that protects your organization's reputation and limits financial liability.


The 72-Hour Legal Reality

A data breach is an operational crisis, but mishandling the regulatory notification transforms it into a legal catastrophe. Under the UK GDPR, the severity of an ICO fine is heavily influenced by how you respond in the immediate aftermath of an incident.

The law does not expect perfection—cyber attacks happen to the most secure organizations. However, the law demands transparency, speed, and accountability. Attempting to suppress a breach, or delaying notification beyond the strict 72-hour window mandated by Article 33, is viewed by the Information Commissioner's Office (ICO) as an aggravating factor that invariably multiplies sanctions.

Notifiable vs. Non-Notifiable Breaches

One of the most critical legal decisions during a crisis is determining whether a breach crosses the threshold for ICO notification. Over-reporting burdens your organization and invites unnecessary scrutiny; under-reporting violates the law.

You must assess the "risk to the rights and freedoms of natural persons." If a laptop is stolen but its hard drive is fully encrypted (meaning the data is inaccessible), the risk is negligible, and ICO notification is likely unnecessary. If an unencrypted database of customer passwords or health records is exposed, the risk is severe, triggering mandatory ICO notification (Article 33) and direct communication to the data subjects (Article 34).

Applicable Legal Framework

Statutory Mandates & ICO Guidance

  • UK GDPR, Article 4(12): Definition
    A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
  • UK GDPR, Article 33: Notification to the ICO
    Must be done without undue delay, and where feasible, not later than 72 hours after having become aware. Requires specific details including numbers affected, consequences, and mitigation measures.
  • UK GDPR, Article 34: Communication to Data Subjects
    Mandatory if the breach is likely to result in a high risk to individuals. Must describe the nature of the breach in clear, plain language and provide mitigation advice.
  • NIS Regulations 2018 (if applicable)
    Providers of essential services (OES) and relevant digital service providers (RDSPs) have separate, parallel 72-hour incident reporting obligations.

Our Incident Response Protocol

When you engage our legal team during an active incident, we establish an immediate legal perimeter around your operations, taking control of the regulatory narrative.

1. Triage & "Awareness" Timestamp

We legally establish the exact moment of 'awareness' to start the 72-hour clock and run the risk assessment threshold test to determine if ICO reporting is triggered.

2. ICO Notification Drafting (Art 33)

We draft the formal notification. It is critical to provide the required facts without admitting unnecessary fault or speculating on unconfirmed technical vectors.

3. Data Subject Communication (Art 34)

If high risk is determined, we draft the public/customer communications, ensuring they are empathetic, clear, and legally compliant to mitigate class-action risks.

4. Post-Breach Remediation & Register

We log the incident in your internal Article 33(5) breach register and interface with the ICO throughout their investigation to argue for leniency.

Are You Currently Experiencing a Breach?

The 72-hour window is unforgiving. Do not contact the ICO without legal representation. Let our senior experts handle the regulatory fallout.


Pre-Breach Preparation: Incident Response Plans

We strongly advise not waiting for an emergency. The ICO expects organizations to have a documented Data Breach Incident Response Plan. We build these playbooks for:

  • SaaS Providers: Establishing protocols for notifying hundreds of corporate Data Controllers simultaneously if a cloud environment is compromised.
  • Healthcare Providers: Handling extreme-risk Article 9 data where any exposure triggers immediate Article 34 subject notification requirements.
  • E-commerce Platforms: Preparing for Magecart or payment-skimming attacks that expose financial data, requiring coordination with both the ICO and the FCA.

Enforcement Context: The British Airways & Marriott Cases

The ICO's enforcement history is defined by massive breach fines. In the British Airways case (initially £183m, reduced to £20m), the ICO severely criticized the airline not just for the breach itself, but for failing to detect it for two months, highlighting a failure of Article 32 (security).

Similarly, the Marriott fine (£18.4m) underscored that acquiring a company with existing vulnerabilities makes the new owner liable for subsequent breaches.

Key Lesson: The ICO expects you to know exactly what data you have (RoPA), have strict security (Art 32), and report exposure instantly (Art 33). Fumbling the notification process suggests a systemic disregard for accountability, turning a technical failure into a maximum-tier penalty event.

Frequently Asked Questions

Critical answers on breach reporting obligations.

What is the legal definition of a data breach under UK GDPR?

Under Article 4(12) of the UK GDPR, a personal data breach is defined as a 'breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.' It is not just about hackers; emailing a client spreadsheet to the wrong recipient is also a breach.

What is the 72-hour reporting rule?

Article 33(1) mandates that if a breach is likely to result in a risk to individuals' rights and freedoms, the data controller must notify the ICO without undue delay, and where feasible, no later than 72 hours after becoming aware of it. The clock starts ticking the moment the controller has a reasonable degree of certainty that a breach has occurred.

Do we have to report every single breach to the ICO?

No. You only report breaches that are 'likely to result in a risk to the rights and freedoms of natural persons'. However, even if you decide not to report, Article 33(5) requires you to keep an internal breach register documenting the facts, effects, and remedial actions taken, which the ICO can request.

When do we have to tell the affected individuals?

Under Article 34, you must communicate the breach to the affected data subjects 'without undue delay' if the breach is likely to result in a HIGH risk to their rights and freedoms. This allows them to take protective measures, such as cancelling credit cards or changing passwords.

What happens if we miss the 72-hour deadline?

If you notify the ICO after 72 hours, Article 33(1) requires you to provide 'reasons for the delay'. Unjustified delays are viewed extremely poorly by the ICO and can significantly increase administrative fines, as seen in various high-profile enforcement actions.

What information must the ICO notification contain?

Article 33(3) requires you to describe the nature of the breach, the categories and approximate number of individuals and records affected, the name of your DPO/contact point, the likely consequences, and the measures taken or proposed to mitigate adverse effects.

We are a Data Processor. Do we report to the ICO?

No. Under Article 33(2), if you are a processor, your legal obligation is to notify the Data Controller 'without undue delay' after becoming aware of a breach. The Controller is then responsible for assessing the risk and notifying the ICO.

Can we face fines for a breach even if we report it?

Yes. While prompt reporting is a mitigating factor, the ICO will investigate the root cause. If the breach occurred because you failed to implement appropriate technical and organisational measures (violating Article 32), you can be fined up to £8.7 million or 2% of global turnover.

Don't Navigate a Crisis Alone

Whether you are facing an active data breach or want to build a preventative response playbook, our senior legal team is ready to defend your organization.


Disclaimer: This content is for informational purposes only and does not constitute legal advice or create a solicitor-client relationship. Data protection regulations, including the UK GDPR and DPA 2018, are subject to change and specific application depends heavily on the context of your processing activities. Please consult directly with our legal team for advice tailored to your organization.