When do I have to report a data breach?

A client’s personal data was accidentally disclosed. I need more information before reporting to the ICO. Can I delay reporting until I have the full facts?

Data controllers must notify a personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware unless the breach “is unlikely to result in a risk to the rights and freedoms of natural persons”.

In the UK, the Information Commissioner’s Office (ICO) is the supervisory authority.

If a delay beyond 72 hours occurs, the controller must notify the ICO of the reason for the delay.

The information required by the ICO when notifying a breach is specified in article 33 of the General Data Protection Regulations 2018 (GDPR) and comprises:

• the nature of the breach and, where possible, the categories and approximate numbers of data subjects and personal data records concerned
• the name and contact details of the data protection officer or other contact in your firm where more information can be obtained
• the likely consequences of the breach
• the measures you have taken or propose to take to address the breach including, where appropriate, measures to mitigate its effects

As with most other aspects of GDPR compliance, controllers should document the breach and the steps taken to remedy its effects.

This will be important in demonstrating to the ICO that your firm has responded in a reasonable and proportionate manner in complying with its obligations.

Data processors have a duty to notify the controller without undue delay after becoming aware of a personal data breach.

Report a personal data breach to the ICO online

For further information, see our guide for solicitors on General Data Protection Regulation (GDPR) and Data Protection Act 2018.