Data breach reporting under GDPR: telephone reporting?

The ICO suggests that organisations should consider reporting breaches via telephone, particularly where the data controller needs to obtain advice from the ICO.  Issues can then be explored, and reassurance and advice dispensed, at the time of the call.

While there can be benefits to telephone reporting, particularly where a data controller needs urgent guidance, organisations should remain aware of the potential for regulatory enforcement action.  Care should be taken that any information provided to the regulator is accurate, and data controllers should avoid making unqualified admissions of fault until they are clear as to their factual and legal position.

It should also be noted that the ICO does not distinguish between formal and informal reports: as soon as a data controller tells the ICO about a breach, it will be recorded and dealt with in the same way.  Data controllers may want to consider seeking advice from other sources, where appropriate, or approaching the regulator on a “no names” basis in the first instance.


Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.