Article
10 min readResponding to a Personal Data Breach: A Practical Guide
What to do in the first 72 hours after a breach — the ICO notification timeline, internal documentation requirements, and common mistakes to avoid.
15 January 2026
A personal data breach doesn't have to mean a fine. The ICO's own guidance makes clear that organisations that respond promptly and transparently are treated very differently from those that cover up or delay. Here is what to do.
Hour 0: Contain
As soon as a breach is discovered, stop it spreading. Change passwords, revoke access tokens, isolate affected systems. Do not delete anything — you will need evidence of what happened and when.
Hours 1–24: Assess
Determine the scope. Whose data was affected? What categories of data (names, financial details, health information, special category data)? How many records? What is the likely impact on those individuals?
Hours 24–72: Notify (if required)
If the breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware. 'Becoming aware' means when you have reasonable certainty a breach has occurred — not when you have the full picture.
Notifying affected individuals
Where the breach is likely to result in a high risk to individuals, you must also notify them directly without undue delay. Be clear about what happened, what data was involved, and what you are doing about it.
Documentation
Whether or not you notify the ICO, you must document every breach in your internal breach register: the facts, its effects, and the remedial action taken. This is a UK GDPR obligation with no size threshold.
Common mistakes
Waiting until you have a complete picture before notifying — the 72-hour clock starts at awareness, not completion of investigation
Confusing "no fine" with "no obligation to notify"
Failing to update the breach register for low-risk breaches
Not testing your breach-response plan before you need it