Data breach reporting under GDPR

This is the first in a series of blogs on aspects of personal data breach reporting under GDPR. Last week the Information Commissioner’s Office (ICO) hosted a webinar on data breach reporting and confirmed that since GDPR was implemented, the number of breaches being reported monthly has more than quadrupled. The majority of reports continue to come from the education and health sectors, as well as a significant number from local government.

The increase in breach reporting is unsurprising given the requirements in GDPR for data controllers to report personal data breaches. Reports must be made without undue delay and, where feasible, within 72 hours of becoming aware of them. The only exception to the reporting requirement is where the breach is unlikely to result in a risk to the rights and freedoms of individuals.

The regulatory guidelines that accompany GDPR provide that a controller should be regarded as having become “aware” of a personal data breach when that controller “has a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised”.

Other blogs in this series will look at:

  • over-reporting and risk assessment
  • telephone reporting
  • providing information to the ICO
  • notifying individuals
