A data breach does not have to be a dramatic cyberattack. It can be an email sent to the wrong recipient, a laptop left on a train, an accidentally public shared folder, or a former employee's access not revoked promptly enough. Any incident that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data is a personal data breach under Article 4 of UK GDPR.
When one occurs, your organisation's response in the next 72 hours — and the quality of your DPO's involvement in that response — will shape both the regulatory outcome and the impact on the affected individuals.
Step 1: Contain the Breach
The first priority is containment — stopping the breach from getting worse. Depending on the nature of the incident, this might mean:
- Revoking access to a compromised account or system
- Recalling a misdirected email (where the recipient has not yet read it)
- Taking a system offline to prevent further unauthorised access
- Changing passwords and access credentials for affected systems
- Securing or recovering physical data or devices
Containment should begin immediately — before a full assessment of the breach is complete. Do not wait for a comprehensive picture before taking action to limit harm.
Step 2: Assess the Breach
Once containment is underway, the DPO leads a structured assessment of the breach. This involves establishing:
- What happened — the nature of the incident, how it occurred, and whether it is ongoing
- What data was involved — the categories of personal data affected, including whether any special category data (health, financial, credentials) was involved
- Whose data was affected — the approximate number of individuals whose personal data was involved
- What the likely consequences are — the probable impact on the individuals affected, including the risk of identity fraud, financial loss, discrimination, reputational damage, physical harm or other adverse consequences
- What security measures were in place — whether the data was encrypted, pseudonymised or otherwise protected in a way that reduces the risk
The 72-hour notification period begins when the organisation — not just the individual who discovered it — becomes aware of the breach. If an employee reports a breach on Monday morning, the 72-hour period runs from Monday, not from whenever the breach actually occurred. Internal reporting delays do not reset the clock.
Step 3: Decide Whether ICO Notification is Required
Not every breach must be reported to the ICO. Under Article 33 of UK GDPR, notification is required only where a breach is likely to result in a risk to the rights and freedoms of individuals. The DPO's assessment of the breach should produce a clear, documented risk assessment that answers this question.
Factors that increase the risk — and therefore the likelihood of a mandatory notification — include:
- Special category data was involved (health, financial, biometric)
- The data of vulnerable individuals was affected
- The breach involved a large number of individuals
- The data could be used to facilitate identity fraud, financial crime or targeted harassment
- The breach was the result of deliberate action rather than accident
- The data was not encrypted or otherwise protected
Where these factors are absent — for example, an internal document containing non-sensitive staff names was emailed to a wrong internal address — the risk to individuals' rights and freedoms may be low enough that notification is not required. But the decision must be documented either way.
All breaches — whether notified to the ICO or not — must be recorded in your internal breach register. The ICO expects to see this register if it investigates, and an absent or incomplete register itself indicates poor governance.
Step 4: Notify the ICO — If Required
Where the risk assessment concludes that notification is required, the DPO should submit the breach report to the ICO within 72 hours of the organisation becoming aware. The notification must include:
- The nature of the breach — what happened, what caused it
- The categories and approximate number of individuals affected
- The categories and approximate number of personal data records affected
- The name and contact details of the DPO or other contact point
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach, including to mitigate its effects
Where the full information is not available within 72 hours, you can submit an initial notification with what you know and provide additional information subsequently. It is better to notify promptly with an incomplete picture than to delay waiting for complete certainty.
- Contain immediately: Stop the breach from getting worse before anything else. Revoke access, recall emails, secure devices — whatever the incident requires.
- Assess systematically: The DPO leads a structured assessment: what data, whose data, what risk. Document the findings as you go.
- Decide on notification: Based on the risk assessment, does this breach cross the threshold for ICO notification? Document the decision and reasoning either way.
- Notify the ICO within 72 hours: If notification is required, submit via the ICO's online portal. Include all required information — partial notification is permitted where the full picture is still emerging.
- Notify affected individuals: Where the breach is likely to result in high risk to individuals, notify them directly — without undue delay. Provide clear information about what happened and what they should do.
- Document and review: Record the breach in your register, document the response, and review what happened to prevent recurrence. The DPO should lead a lessons-learned assessment.
Step 5: Notify Affected Individuals — If Required
Where a breach is likely to result in a high risk to the rights and freedoms of individuals — a higher threshold than for ICO notification — the organisation must also notify the affected individuals directly, without undue delay.
The individual notification must:
- Be written in clear, plain language — not legal boilerplate
- Describe the nature of the breach
- Give the name and contact details of the DPO
- Describe the likely consequences of the breach
- Describe the measures taken or proposed
- Give specific advice on steps individuals can take to protect themselves
The quality of individual notifications matters. Vague, generic communications that fail to give affected individuals the information they need to protect themselves are regularly criticised by the ICO. Your DPO should draft and review the notification — it is not a task to delegate to a communications team without expert input.
Is your incident response ready before you need it?
Our outsourced DPO service includes a tested breach response plan — not one written under pressure at 11pm. We're reachable when it happens, and we lead the response. From £695/month, no long-term commitment.
What Happens If You Get It Wrong?
The ICO's approach to breach notification failures depends heavily on the circumstances:
- Failure to notify when required — a serious breach of Article 33. The ICO may issue an enforcement notice, a public reprimand, and in serious cases a financial penalty. The size of the fine reflects the nature of the breach, the number of individuals affected, and your organisation's compliance posture overall.
- Late notification — notifying after 72 hours without a valid reason is treated as a procedural breach. Where the delay is short and explained, enforcement tends to be limited. Where the delay is significant and unexplained, the ICO treats it as an aggravating factor.
- Incomplete or inaccurate notification — submitting a notification that omits key information or contains errors will require amendment and may indicate insufficient incident management capability.
- Failure to notify affected individuals — where individual notification was required and not provided, the ICO can order it retrospectively and may take enforcement action. Individuals can also bring compensation claims under Article 82 where they suffered harm as a result of the breach.
Frequently Asked Questions
When does the 72-hour clock start?
The 72 hours run from when the organisation becomes aware of the breach — not when it occurred. Awareness means a reasonable degree of certainty that a breach has taken place. It does not require the investigation to be complete before the clock starts.
Do you have to report every data breach to the ICO?
No. Only breaches likely to result in a risk to individuals' rights and freedoms must be notified. However, all breaches — notified or not — must be documented in your internal breach register.
What if you don't have all the information within 72 hours?
You can submit an initial notification with the information available and provide additional details subsequently. A partial notification within 72 hours is always better than a complete notification after the deadline.
What happens if you miss the 72-hour notification deadline?
You should still notify as soon as possible, with an explanation for the delay. Late notification may be taken as an aggravating factor by the ICO in any enforcement assessment — but failure to notify at all is almost always worse than late notification.
Does every breach need to be reported to affected individuals?
No. Individual notification is required only where the breach is likely to result in high risk — a higher threshold than for ICO notification. Where the risk is lower, individual notification is not required, though it may sometimes be appropriate as a matter of good practice.