
Free Data Breach Notification Template

A data breach notification is a formal communication to the ICO and affected individuals when personal data has been compromised. Use our free UK template to report breaches within the required 72-hour window and meet your UK GDPR obligations.

PERSONAL DATA BREACH NOTIFICATION
ICO Notification  ·  UK GDPR Article 33  ·  2026-04-02
Acme Solutions Ltd
10 King Street
London
EC2V 8AP
+44 20 7946 0958
dpo@acmesolutions.co.uk
2026-04-02
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Re: Personal Data Breach Notification
Reference: BREACH-2026-001
Dear Information Commissioner's Office,

We write to notify you of a personal data breach pursuant to Article 33 of the UK General Data Protection Regulation (UK GDPR), read with section 67 of the Data Protection Act 2018. This notification is made without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required. The details of the breach are set out below in the format requested by the ICO personal data breach notification form.
1. ORGANISATION AND DPO DETAILS
Organisation: Acme Solutions Ltd
Address: 10 King Street
London
EC2V 8AP
Phone: +44 20 7946 0958
Email: dpo@acmesolutions.co.uk
DPO / Data Protection Contact: Jane Williams, Data Protection Officer
ICO Registration Number: ZA123456
2. NATURE OF THE BREACH
Type of breach: Unauthorised Access

Date breach discovered: 2026-04-01
Date breach occurred: 2026-03-30

Description:
An external attacker gained unauthorised access to our customer database through a compromised administrator account. The attacker accessed records containing customer names, email addresses and hashed passwords.
3. PERSONAL DATA AND DATA SUBJECTS AFFECTED
Categories of personal data affected: Names, Email addresses, Passwords / credentials

Approximate number of individuals affected: 1500
Approximate number of records affected: 3200
4. LIKELY CONSEQUENCES
Risk level: High

Likely consequences for individuals:
Identity theft, phishing attacks, potential financial loss and reputational damage to affected individuals.
5. MEASURES TAKEN OR PROPOSED
Measures are reported in discharge of our obligations under UK GDPR Article 32 (security of processing) and Article 33(3)(d) (description of measures taken or proposed).

Containment measures taken:
Affected systems isolated, all passwords reset, compromised administrator account suspended, access logs reviewed.

Steps to mitigate harm:
Credit monitoring offered to affected customers, advisory email sent with password change instructions.

Future preventive measures:
Multi-factor authentication rollout, penetration testing scheduled, staff security training programme.
6. NOTIFICATION STATUS
Notification to the ICO: Yes — notification to the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.

Notification to data subjects: Yes — notification to affected data subjects without undue delay, as the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34).
7. ACCOUNTABILITY AND RECORD-KEEPING
In accordance with UK GDPR Article 33(5) and the accountability principle in Article 5(2), a full internal record of this breach has been maintained, including facts, effects and remedial action taken. Processor notifications to the controller were handled in accordance with Article 28(3)(f) and Article 33(2). We acknowledge that failure to comply with the notification duty may attract administrative fines under Article 83(4)(a) and sections 157–159 of the Data Protection Act 2018 (up to £8.7 million or 2% of annual worldwide turnover, whichever is higher).
Yours faithfully,

Jane Williams, Data Protection Officer
Date: ____________________

What Is a Data Breach Notification?

A data breach notification is a formal report that a data controller must make when a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals. It is a legal requirement under the UK GDPR.

Under Article 33 of the UK GDPR, data controllers must notify the Information Commissioner’s Office (ICO) of a qualifying breach without undue delay and, where feasible, within 72 hours of becoming aware of it. Article 34 requires that affected individuals are notified directly if the breach poses a high risk to their rights.

A UK personal data breach can include unauthorised access to data, accidental loss or destruction, theft of devices containing personal data, cyber attacks, phishing incidents or the accidental disclosure of personal information to the wrong recipient — all of which trigger obligations under British data protection law.

What's Covered in This Template

Our data breach notification template covers both the ICO report and the individual notification letter.

Organisation Details

Name, address and contact details of the data controller reporting the breach, including DPO contact information.

Nature of the Breach

Description of the type of breach, including whether it involved unauthorised access, loss, theft or disclosure.

Categories of Data Affected

The types of personal data compromised, such as names, email addresses, financial data or health records.

Number of Individuals Affected

The approximate number of data subjects and personal data records affected by the breach.

Likely Consequences

Assessment of the potential impact on affected individuals, including identity theft, financial loss or reputational damage.

Measures Taken

Steps already taken to contain the breach and mitigate its effects, such as password resets or system patches.

Preventive Measures

Actions planned to prevent similar breaches in the future, including policy changes and staff training.

Timeline of Events

Chronological account of when the breach occurred, when it was discovered and when notifications were made.

Individual Notification Letter

A plain-language letter to affected individuals explaining the breach and what steps they should take.

ICO Reference Number

Space to record the ICO reference number once the breach has been reported through the ICO’s online portal.

How to Create a Data Breach Notification

Follow these steps to report a data breach quickly and in compliance with the UK GDPR.

  1. Assess the Breach

     Determine the nature and scope of the breach, including what data was affected, how many individuals are involved and the likely consequences.

  2. Contain and Mitigate

     Take immediate steps to contain the breach, such as isolating affected systems, revoking access or notifying law enforcement if criminal activity is suspected.

  3. Complete the ICO Notification

     Fill in the notification form with all required details and submit it to the ICO within 72 hours of becoming aware of the breach.

  4. Notify Affected Individuals

     If the breach poses a high risk to individuals, use the notification letter template to inform them promptly about what happened and what they should do.

  5. Document and Review

     Record all details of the breach, your response and any lessons learned. Update your data protection policies and procedures accordingly.

Legal Considerations

Data breach notification involves strict legal requirements and significant penalties for non-compliance.

This template is for informational purposes only and does not constitute legal advice. Consult a qualified solicitor for advice specific to your situation.

Reviewed for England & Wales law

72-Hour Reporting Deadline

Article 33 of the UK GDPR requires notification to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If notification is made after 72 hours, the controller must give reasons for the delay. The clock starts when you have a reasonable degree of certainty that a breach has occurred.

High Risk Threshold for Individual Notification

Under Article 34 of the UK GDPR, individuals must be notified directly when the breach is likely to result in a high risk to their rights and freedoms. This includes situations where the breach could lead to identity theft, financial loss, discrimination or significant emotional distress.

Record-Keeping Obligations

Article 33(5) of the UK GDPR requires controllers to document all personal data breaches, including the facts, effects and remedial actions taken. This record must be maintained regardless of whether the breach was reported to the ICO and may be inspected during an audit.

Penalties for Non-Compliance

Failure to report a notifiable breach to the ICO can result in a fine of up to £8.7 million or 2% of annual global turnover, whichever is higher. The ICO considers the timeliness and quality of breach reporting when determining enforcement action.

Create Your Data Breach Notification Now

Respond to a data breach quickly and compliantly. Fill in the details, preview your notification and download it as a PDF in minutes.

Free · Instant PDF · No account required