Print Article

GDPR: How long do you have to report a data breach?


The first 72 hours after you discover a data breach are critical.


  1. The GDPR (General Data Protection Regulation) requires all organisations to report certain types of personal data breach to the relevant supervisory authority.
  2. data controllers must notify the appropriate supervisory authority of a personal data breach without undue delay, and within 72 hours if possible.
  3. But how do you report a data breach, and what are the pitfalls when meeting this requirement?

In this post, everything you need to know is explained.

What is a data breach?

  1. The GDPR is concerned only with personal data – i.e.
    • Information that relates to a natural person, as opposed to company details. It’s only when personal data is breached that you need to consider your GDPR compliance requirements.
  2. But ‘breach’ here doesn’t simply refer to cyber attacks.
    • Article 4 of the Regulation defines a personal data breach as any event leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
  3. As this definition suggests, data breaches aren’t always a result of cyber criminals hacking into an organisation’s systems. Breaches are just as likely to occur when an employee:
    1. Accidentally sends personal information to the wrong person;
    2. Accesses files that aren’t relevant to their job function;
    3. Shares information with someone outside the organisation;
    4. Loses a device, such as a laptop, that contains personal information; or
    5. Fails to secure information online, making it publicly available.
  4. Data breaches include
    • Any incidents that make it impossible for organisations to access systems containing personal data, such as ransomware attacks or damaged hardware.


When do data breaches need to be reported?

  1. Data breaches only need to be reported if
    • They “pose a risk to the rights and freedoms of natural living persons”.
  2. This generally refers to the possibility of affected individuals facing
    • Economic or social damage (such as discrimination), reputational damage or financial losses.
  3. Most data breaches fit into this category, but those that don’t include information that is linked to a specific individual are unlikely to pose a risk.
  4. Whether you are required to report a data breach or not, the GDPR mandates that you keep a record of it.


Be wary of overreporting

  1. Whether it’s due to misunderstanding the GDPR’s compliance or an abundance of caution, many organisations overlook the difference between recordable and reportable data breaches.
  2. This is a trend that John Potts, Head of DPO, DSAR & Breach Support at GRCI Law, has noted since the GDPR took effect on 25 May 2018.
  3. Speaking to IT Governance, Potts explained
    • That organisations often report every incident they experience, because they “want to inform the ICO before someone else does, so they can get their side of the story in first.”
  4. Potts urges organisations
    • To take the opportunity to consider whether a data breach needs to be reported, rather than going straight into reporting mode.
  5. Potts added
    1. That organisations should be concerned not only about over-reporting incidents but also about what is initially reported.
    2. “In my experience, the ICO appreciates that sometimes all the details of the breach may not be known at the initial stage of reporting. It is more important that the rights of the data subject are protected as soon as possible rather than an organisation try to get their mitigation across to the ICO when they may not have a full picture,” he said.
    3. “This desire to ‘fill in the form’ can lead to a knee-jerk reaction, meaning that the ICO and the organisation can go off on unnecessary avenues of investigations,” he added.


How to report a data breach

  • Data breach notifications need to be sent to your supervisory authority. For organisations in the UK, this is the ICO.

Your report must contain:

  1. Situational analysis:
    • You must provide as much context about the breach as possible. This includes the initial damage, how it affected your organisation, and what caused it.
  2. Assessment of affected data:
    • You’ll need to determine the categories of personal data that has been breached, and the number of records affected.
  3. Description of the impact:
    • Next, you’ll need to outline the consequences of the breach for affected parties. This will depend on the information that was compromised and if the data subject is aware of the breach
  4. Report on staff training and awareness:
    • If the breach was a result of human error, you’ll need to disclose whether or not the employee(s) involved received data protection training in the past two years. If they have, you should provide details of your staff awareness training programme.
  5. Preventive measures and actions:
    • Outline what (if any) preventative measures you had in place before the breach occurred. You should also explain what steps you have taken, or plan to take, to mitigate the damage.
  6. Oversight:
    • Finally, you’ll need to provide the contact details of your DPO (data protection officer) or the person responsible for data protection.

72 hours

  • The GDPR acknowledges that it may be difficult to produce this much information within 72 hours, but the important thing is to demonstrate that you’ve made progress.
  • You don’t need to be obsessed over an exact 72-hour deadline. It is far more important that the risks to the data subjects are addressed.
  • The timings of breaches are not an exact science; if you find yourself approaching the 72-hour deadline, contact the ICO with the specific, not speculative details that you have.
  • A swift response that’s documented clearly but sent a few hours late is better than a shoddy response that was rushed in order to meet the disclosure deadline, Potts advises.
  • The emphasis is on the protection of the rights and freedoms of the data subjects. Any breach that is likely to attract media interest should be reported to the ICO at the very earliest opportunity.
  • Remember there may be a legal/regulatory obligation to notify other statutory bodies in the event of a reportable breach.
  • It’s worth adding that your investigation can – and probably should – continue beyond the notification deadline.
  • More information will come to light as you analyse what went wrong and speak to those involved, and you can provide those details to the ICO where necessary.

What happens after you report an incident?

  • Once you’ve informed the ICO of the incident, you’ll receive an automatic email to confirm receipt of your disclosure.
  • The incident will then go into a list of active cases that the ICO will investigate in due course. You will generally hear back quite quickly if the investigators are happy with your actions.
  • If the ICO suspects a GDPR violation, however, it may begin a formal investigation. These can take several months to complete, thanks to a backlog in cases and the back-and-forth nature of providing documentation and talking to relevant employees. If the breach constitutes a criminal offence, they may instigate a criminal investigation.
  • That said, the ICO are likely to prioritise the case if the incident involves a serious breach affecting a lot of data subjects or is likely to attract media attention.
    • We’ve seen this already with July 2019’s ruling on Marriott International’s massive data breach. The breach was disclosed in November 2018, and the ICO came back with a verdict just over seven months later, announcing its intention to fine the hotel chain £99 million.

What happens if you don’t report an incident?

  1. Failing to report an incident is a violation of the GDPR and is punishable by a fine.
  2. That doesn’t mean you should expect a barrage of financial penalties, though. The ICO has repeatedly said that fines will be the last resort and only issued for egregious or repeat offences.
  3. That’s not to say failure to notify won’t come with any form of penalty.
  4. The ICO can discipline organisations in other ways, such as enforcement actions and audits.
  5. If this happens, your compliance measures will be scrutinised, weaknesses will be flagged and you’ll be required to make the appropriate changes.
  6. Quickly respond to a data breach in line with the GDPR’s requirements
  7. Identifying a data breach under the GDPR – who has been affected, how extensive it is and how it happened – within 72 hours can pose a challenge for any business.
  8. With the threat of a data breach becoming increasingly imminent, it’s vital that your organisation is prepared to respond in a crisis.



The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email