Data breach reporting under GDPR: providing information to the ICO

Data controllers are required to report personal data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. 

Where the report is not made within 72 hours, the controller must also explain the reasons for the delay.

GDPR requires that at minimum the notification report must:

  • describe the nature of the breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of personal data records involved;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the breach;
  • describe the measures taken or proposed to be taken to address the personal data breach. This should include, where appropriate, measures to mitigate its possible adverse effects.

If it is not possible to provide all the information at the same time, GDPR does envisage that it may be provided in phases, but again this must be without undue delay, and with an explanation as to why the information could not be provided within the 72-hour period.

Data controllers are expected to have adequate systems and processes in place to enable swift investigation, containment and reporting of personal data breaches. In addition, organisations must ensure a culture of compliance prevails amongst their employees, with suspected breaches being reported to appropriate personnel immediately upon discovery. If you have not done so already, you should consider whether your existing procedures are adequate, and make any changes needed to ensure you are able to make any compulsory notifications within the 72-hour window, including arrangements for obtaining advice, if required.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

