Redcliffe Training

Article

10 min read

Responding to a Personal Data Breach: A Practical Guide

What to do in the first 72 hours after a breach — the ICO notification timeline, internal documentation requirements, and common mistakes to avoid.

15 January 2026

Responding to a Personal Data Breach: A Practical Guide

A personal data breach doesn't have to mean a fine. The ICO's own guidance makes clear that organisations that respond promptly and transparently are treated very differently from those that cover up or delay. Here is what to do.

Hour 0: Contain

As soon as a breach is discovered, stop it spreading. Change passwords, revoke access tokens, isolate affected systems. Do not delete anything — you will need evidence of what happened and when.

Hours 1–24: Assess

Determine the scope. Whose data was affected? What categories of data (names, financial details, health information, special category data)? How many records? What is the likely impact on those individuals?

Hours 24–72: Notify (if required)

If the breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware. 'Becoming aware' means when you have reasonable certainty a breach has occurred — not when you have the full picture.

Notifying affected individuals

Where the breach is likely to result in a high risk to individuals, you must also notify them directly without undue delay. Be clear about what happened, what data was involved, and what you are doing about it.

Documentation

Whether or not you notify the ICO, you must document every breach in your internal breach register: the facts, its effects, and the remedial action taken. This is a UK GDPR obligation with no size threshold.

Common mistakes

  • Waiting until you have a complete picture before notifying — the 72-hour clock starts at awareness, not completion of investigation

  • Confusing "no fine" with "no obligation to notify"

  • Failing to update the breach register for low-risk breaches

  • Not testing your breach-response plan before you need it