Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
If you run a small business, “data breach” can sound like something that only happens to big tech companies with huge databases and security teams.
But in practice, a data breach can be as simple as emailing a customer list to the wrong person, losing a laptop, or having an employee account hacked.
The key point is this: under the UK GDPR and the Data Protection Act 2018, some data breaches must be reported. And even when you don’t have to report externally, you’ll usually still need to document what happened and how you responded.
Below, we’ll walk you through what counts as a data breach, why businesses need to report data breaches, when reporting is required, and the practical steps you can take to stay compliant without turning your business into a bureaucracy.
What Counts As A Data Breach Under UK GDPR?
Under the UK GDPR, a personal data breach is a security incident that leads to the accidental or unlawful:
- destruction of personal data
- loss of personal data
- alteration of personal data
- unauthorised disclosure of personal data
- unauthorised access to personal data
It’s important to notice what’s included here: it’s not just “hackers”. It includes accidents and internal mistakes too.
Common Small Business Examples
Here are some everyday scenarios that can amount to a personal data breach:
- Emailing the wrong attachment (for example, sending an invoice that includes another customer’s name/address/order details).
- CC’ing instead of BCC’ing a marketing email so recipients can see each other’s email addresses.
- A stolen or lost phone/laptop that contains customer contact details or employee records.
- Weak passwords or phishing leading to an attacker accessing your mailbox, CRM, or payment platform.
- Improper access by staff (for example, an employee viewing customer data they don’t need for their role).
- A supplier breach where your IT provider, payroll provider, or marketing platform is compromised and your customer data is exposed.
Not every breach is reportable, but every breach should be taken seriously and assessed quickly.
Why Do You Need To Report Data Breaches?
When people ask “why do you need to report data breaches?”, there are usually two answers: the legal reason (because the law may require it) and the business reason (because it protects your customers, your team, and your business reputation).
1) Because UK GDPR Can Legally Require It
If a personal data breach is likely to result in a risk to people’s rights and freedoms, you must notify the UK regulator (the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it.
In more serious cases (where there’s a high risk to individuals), you may also have to tell the affected individuals directly.
Failing to report when required can create regulatory risk. Even if the breach itself was accidental, your response is part of what the regulator will look at.
2) Because Reporting Forces You To Respond Properly (And Fast)
Most breaches get worse when they’re handled slowly or informally. Having a clear process for escalation and reporting helps you:
- stop further unauthorised access (for example, securing accounts and resetting credentials)
- recover lost information where possible
- reduce the impact on customers and employees
- avoid repeated mistakes by fixing the root cause
A good data breach response plan isn't just a compliance document - it's a practical playbook for stressful moments when you need to make decisions quickly.
3) Because It Can Protect Your Brand And Customer Trust
For small businesses, trust is everything. If a breach is serious enough that customers will find out anyway (for example, if scammers start contacting them), transparency can reduce reputational damage.
Handled well, reporting and communicating clearly can show that you’re organised, accountable, and acting in good faith.
4) Because You’ll Need An Audit Trail If Questions Come Up Later
Even where a breach doesn’t meet the threshold for notifying the ICO, UK GDPR expects you to keep an internal record of breaches (including the facts, effects, and remedial action).
This matters if:
- an individual complains
- a customer asks what happened
- your insurer requests information
- the ICO investigates your wider security practices
In short: reporting (internally and externally where required) is a core part of demonstrating accountability.
When Do You Have To Report A Data Breach In The UK?
In practice, there are three different “levels” of reporting you should think about: reporting to the ICO, notifying affected individuals, and internal record-keeping.
1) Reporting To The ICO (The 72-Hour Rule)
You generally need to notify the ICO if the breach is likely to result in a risk to individuals’ rights and freedoms.
That risk assessment depends on things like:
- What data was involved (names and email addresses are very different from bank details, health data, ID documents, passwords, etc.).
- How many people were affected.
- How easily the data could be misused (for example, was it encrypted, password-protected, or publicly accessible?).
- Who accessed it (for example, a trusted supplier versus an unknown attacker).
- Potential harm (identity theft, fraud, distress, discrimination, financial loss).
Timing note: the 72 hours starts when you become “aware” of a breach (meaning you have a reasonable degree of certainty it has occurred) - not when you finish investigating. If you don’t have all the details, you can make an initial report and follow up with more information as you learn it.
2) Notifying Affected Individuals (High Risk)
If the breach is likely to result in a high risk to individuals, you’ll usually need to tell those people directly, without undue delay.
This is where clear communication matters. Your message should generally explain:
- what happened (in plain English)
- what information was involved
- what you’ve done to contain it
- what steps the individual can take (for example, resetting passwords, monitoring accounts)
- how they can contact you for help
There are limited exceptions (for example, if appropriate technical measures like strong encryption were in place so the data is unintelligible), but don’t assume you’re exempt without checking carefully.
3) Recording The Breach Internally (Even If Not Reportable)
Even if you decide you don’t need to notify the ICO or individuals, you should still document the breach internally.
This is part of UK GDPR’s accountability principle - being able to show how you assessed risk and what you did about it.
If you’re building out your compliance, it often helps to put the right documents in place (for example, a Privacy Policy that accurately describes how you handle personal data and what happens when things go wrong).
How To Report A Data Breach (And What To Include)
When a breach happens, it’s easy to panic or jump straight to fixing the technical issue. But your legal and operational response should run in parallel.
Here’s a practical step-by-step process many small businesses use.
Step 1: Contain The Breach Immediately
Your first job is to stop it from getting worse. Depending on the situation, that could mean:
- resetting passwords and enabling multi-factor authentication
- revoking access for a compromised account
- recovering mis-sent emails (where possible)
- isolating infected devices
- contacting your IT provider
If staff devices and systems are involved, having clear internal rules around usage helps prevent incidents and speeds up response - for example, an acceptable use policy that sets expectations about passwords, personal devices, and data handling.
Step 2: Work Out What Happened (Without Delaying Decisions)
You don’t need a perfect investigation before you act, but you do need enough facts to assess risk. Capture:
- the date/time you discovered the breach
- how it occurred (if known)
- which systems/accounts were affected
- what categories of data were involved
- how many individuals may be affected
- who may have accessed it (internal/external/unknown)
Step 3: Assess Whether The Breach Is Reportable
This is the “legal threshold” step: is the breach likely to result in a risk to individuals’ rights and freedoms?
If you’re unsure, it’s often safer to treat it seriously and get advice early. The cost of over-escalating internally is usually far lower than the cost of under-reacting to something that turns out to be serious.
Step 4: Notify The ICO If Required (Within 72 Hours Where Feasible)
If the breach is reportable, you’ll generally need to provide the ICO with key information, including:
- nature of the breach (confidentiality breach, loss, alteration, etc.)
- categories and approximate number of individuals affected
- categories and approximate volume of records affected
- likely consequences of the breach
- measures taken or proposed to address the breach and mitigate harm
- your contact details (and DPO details if you have one)
Tip: keep your reporting consistent with your contracts and internal privacy governance. If you use suppliers to process data (for example, cloud hosting, email marketing, payroll), make sure your supplier arrangements are documented properly in a data processing agreement, including obligations to notify you promptly of incidents.
Step 5: Notify Individuals If Required
If the breach creates a high risk for individuals, you’ll generally need to tell them directly and clearly.
This is also where customer service and legal compliance overlap. A well-drafted message can reduce confusion and complaints, and help individuals protect themselves.
Step 6: Keep Records And Fix The Root Cause
After the immediate incident, you should:
- document what happened and why you made your reporting decisions
- tighten security and processes (technical and human)
- train staff and update policies
- review whether you collected more data than you actually need
And if the breach involved staff devices, emails, or internal monitoring, be careful about how you investigate. Workplace data issues can trigger broader privacy questions (including what's appropriate to monitor and how to do it lawfully), so it's worth sanity-checking your approach against the expectations around GDPR in the workplace.
How To Reduce The Risk Of A Reportable Data Breach
No business can guarantee “zero breaches”. The goal is to reduce the likelihood, reduce the impact, and make sure you can respond quickly.
Here are some practical, small-business-friendly steps that can make a big difference.
Get Your Privacy Compliance Foundations Right
Most breaches don’t happen in isolation - they happen in businesses that have grown quickly without formalising privacy practices.
Putting a structured compliance approach in place (for example, a GDPR package tailored to your business) can help you cover the essentials like privacy notices, policies, breach response, and data processing obligations.
Train Your Team (Because Human Error Is Common)
You can have great IT security and still have a breach because someone clicks a phishing link or shares credentials.
Training doesn’t need to be intense, but it should be regular and practical, covering:
- how to spot phishing emails
- how to handle customer requests and identity checks
- how to store and share files safely
- when and how to escalate suspicious activity
Check Your Use Of AI Tools And Online Platforms
Many small businesses now use AI tools to draft emails, summarise calls, or analyse customer data. The risk is accidentally inputting personal or confidential information into a tool that isn’t appropriate for that purpose.
Having clear internal rules on this is increasingly important, and it's worth being across questions like "Is ChatGPT confidential?" when you're deciding what information staff can and can't share with external tools.
Minimise The Data You Hold
A simple but powerful risk-reduction tactic: don’t collect or store personal data you don’t actually need.
Less data = less exposure if something goes wrong.
Review Supplier Risk (Processors And Service Providers)
If you outsource parts of your operations (IT support, cloud storage, payment providers, HR platforms), you’re relying on them to keep data secure too.
Make sure you know:
- who your key suppliers are
- what personal data they handle
- what security measures they claim to have
- how quickly they’ll notify you of incidents
This is where solid contracts and the right privacy documentation really matter.
Key Takeaways
- A personal data breach under UK GDPR includes accidental loss or disclosure of personal data - it’s not limited to hacking.
- You may need to report a breach because UK GDPR requires notification to the ICO where it’s likely to risk individuals’ rights and freedoms, and notification to individuals where there’s a high risk.
- The 72-hour reporting window generally starts when you become aware of a breach (with a reasonable degree of certainty), so you need a process that allows quick assessment and escalation.
- Even if a breach isn’t reportable, you should still document it internally, including your risk assessment and remedial action.
- Having a clear breach response plan, staff training, and the right privacy documents and supplier contracts can reduce the chance of a breach becoming serious (or reportable).
- If you’re unsure whether to report, getting advice early can save time, stress, and regulatory risk later.
If you’d like help putting the right GDPR documents in place or responding to a data breach, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.