If you decide not to notify individuals, you will still need to notify the ICO unless you can demonstrate
that the breach is unlikely to result in a risk to rights and freedoms. You should also remember that the
ICO has the power to compel you to inform affected individuals if we consider there is a high risk. In
any event, you should document your decision-making process in line with the requirements of the
accountability principle.
What information must we provide to individuals when telling them about a breach?
You need to describe, in clear and plain language, the nature of the personal data breach and, at least:
- the name and contact details of your data protection officer (if your organisation has one) or other
contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach,
including, where appropriate, the measures taken to mitigate any possible adverse effects.
Does the GDPR require us to take any other steps in response to a breach?
You should ensure that you record all breaches, regardless of whether or not they need to be reported
to the ICO.
Article 33(5) requires you to document the facts relating to the breach, its effects and the remedial
action taken. This is part of your overall obligation to comply with the accountability principle, and allows
us to verify your organisation’s compliance with its notification duties under the GDPR.
As with any security incident, you should investigate whether or not the breach was a result of human
error or a systemic issue and see how a recurrence can be prevented – whether this is through better
processes, further training or other corrective steps.
What else should we take into account?
The following aren’t specific GDPR requirements, but you may need to take them into account when
you’ve experienced a breach.
It is important to be aware that you may have additional notification obligations under other laws if you
experience a personal data breach. For example:
- If you are a communications service provider, you must notify the ICO of any personal data breach
within 24 hours under the Privacy and Electronic Communications Regulations (PECR). You should use
our PECR breach notification form, rather than the GDPR process. Please see our pages on PECR for
more details.
- If you are a UK trust service provider, you must notify the ICO of a security breach, which may
include a personal data breach, within 24 hours under the Electronic Identification and Trust Services
(eIDAS) Regulation. Where this includes a personal data breach you can use our eIDAS breach
notification form or the GDPR breach-reporting process. However, if you report it to us under the
GDPR, this still must be done within 24 hours. Please read our Guide to eIDAS for more information.
- If your organisation is an operator of essential services or a digital service provider, you will have
incident-reporting obligations under the NIS Directive. These are separate from personal data breach
notification under the GDPR. If you suffer an incident that’s also a personal data breach, you will still