Data breach reporting under GDPR: over-reporting and risk assessment

Currently, the Information Commissioner's Office says it is experiencing significant over-reporting.

The ICO has confirmed that, before reporting, data controllers must assess the likelihood and severity of any consequences of the breach. If it is unlikely that there will be a risk to people’s rights and freedoms following the breach, it does not need to be reported. All breaches do, however, have to be documented in accordance with GDPR requirements, regardless of whether they are reported. GDPR requires the record to enable supervisory authorities like the ICO to verify that the data controller has complied with GDPR requirements for breach reporting.

The ICO has also reminded data controllers that the 72 hour reporting requirements relate only to data breaches (i.e. a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data). The ICO suggests considering whether there has been a confidentiality, integrity or availability breach as a method of identifying reportable breaches. Confidentiality breaches involve unauthorised disclosure, integrity breaches involve alterations to personal data, and availability breaches are those where personal data has been lost or destroyed by accident or without authorisation.

Data controllers are not required to (and should not) self-report failures to meet subject access request deadlines, instances of electronic marketing to individuals without appropriate consent, or loss of data relating to deceased individuals.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.