A data breach doesn’t have to mean disaster. But how you respond in the first few hours will determine how much damage it causes to your customers, your reputation, and your legal standing. According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cyber security breach or attack in the past year. If it happens to you, here’s exactly what to do.
Stay Calm. Move Fast.
The worst thing you can do is panic and start deleting things. The second worst is doing nothing. Your goal in the first few minutes is to understand what’s happened and stop it spreading. Get the right people in the room, assign someone to lead the response, and work through the steps below in order.
Step 1: Contain the Breach
Before anything else, stop the breach from spreading. If a device has been compromised, disconnect it from your network — but don’t switch it off. Powering down a server can destroy forensic evidence you may need later.
Change passwords on any affected accounts immediately. If login credentials were part of the breach, assume every account using those credentials is at risk. Revoke access tokens, close unauthorised sessions, and block suspicious IP addresses if your firewall allows it. Your cyber security team should lead this stage.
Step 2: Work Out What Was Affected
Once you’ve contained the immediate threat, work out exactly what was compromised. You need to know: what types of personal data were involved (names, email addresses, financial data, health records); how many people are affected; whether the data was accessed, copied, or deleted; whether it was encrypted; and whether it could be used to cause harm such as identity theft, fraud, or discrimination.
Write everything down as you go. You’ll need this for your ICO report and your internal breach log.
Step 3: Report to the ICO Within 72 Hours
Under UK GDPR, you must report a personal data breach to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it — if the breach is likely to result in a risk to people’s rights and freedoms. The clock starts from the moment you discover the breach, not when it occurred.
You report online via the ICO’s breach reporting portal. The form takes around 30 minutes to complete. You don’t need all the information upfront. Submit what you have and follow up with more detail later.
Not Every Breach Needs Reporting
If the breach is unlikely to cause real risk to individuals — for example, if the data was strongly encrypted and remains unreadable — you may not need to report to the ICO. But you must still document it. Keep a written record of what happened, your risk assessment, and the reasons you decided not to report. That log is your proof of compliance if the ICO ever asks.
What to Include in Your Report
Be ready to provide a description of what happened and when, the types and approximate volume of personal data involved, the likely consequences of the breach, the steps you’ve taken to address it, and your contact details. The ICO allows follow-up submissions, so don’t let missing information stop you from reporting within the 72-hour window.
Step 4: Tell the People Affected
If the breach is likely to result in a high risk to the individuals involved, you must contact them directly and without undue delay. Be honest and clear. Tell them what happened, what data was involved, the potential consequences, and what steps they should take to protect themselves — such as changing passwords or monitoring their bank accounts. Don’t be vague. People need to know what’s at risk.
Step 5: Communicate Internally — Carefully
Brief your senior leadership team before anyone else. Appoint one spokesperson to handle press or customer enquiries so your messaging stays consistent. Don’t speculate publicly about the cause or blame before you have the full picture. Misinformation spreads fast and makes a bad situation significantly worse.
If you work with a managed IT support provider, loop them in immediately. A good IT partner will have handled incidents like this before and can guide you through containment and recovery calmly and methodically.
Step 6: Document Everything
UK GDPR requires organisations to keep a written record of all personal data breaches, including ones that didn’t need to be reported to the ICO. Your breach log should cover: what happened; when you became aware of it; what data was affected; how many people were involved; your risk assessment; the actions you took; and the reasoning behind your decisions.
This documentation is your legal protection. A clear and thorough log shows the ICO that you took the breach seriously and responded responsibly.
Step 7: Find the Root Cause and Fix It
Once the immediate crisis is over, work out how the breach happened. Was it a phishing email that caught a staff member off guard? A weak password? An unpatched system? A supplier with inadequate security? Find the root cause and fix it rather than just the symptom.
Review your access controls, update your security policies, and check whether your team needs refreshed cyber security awareness training. A breach is an expensive lesson. Make sure it doesn’t happen twice for the same reason.
What Happens If You Don’t Report a Notifiable Breach?
The ICO can fine organisations up to £17.5 million or 4% of global annual turnover — whichever is higher — for serious infringements of UK GDPR. Failing to report a notifiable breach on time is itself an infringement, separate from the underlying incident. Don’t assume that because the breach seems minor, there’s nothing to do.
Be Ready Before the Next Incident
The best time to prepare for a data breach is before one happens. That means having a written incident response plan, making sure every team member knows their role in it, keeping software patched and up to date, and training staff to recognise phishing attempts before they click. Our remote IT support and cyber security services help UK businesses stay ahead of threats rather than dealing with the fallout after the fact.
If you don’t have an incident response plan in place, or you’re not confident in your current security setup, contact us. We’ll carry out a free IT and security review and tell you exactly where the gaps are.
Frequently Asked Questions
Does every data breach need to be reported to the ICO?
No. You only need to report to the ICO if the breach is likely to result in a risk to people’s rights and freedoms. However, you must document all breaches — reportable or not — and keep that record on file.
How long do I have to report a data breach in the UK?
Under UK GDPR, you have 72 hours from the moment you become aware of a personal data breach to notify the ICO — if the breach meets the reporting threshold. You can submit an initial report and add more detail in a follow-up later.
Do I have to tell the people whose data was breached?
Only if the breach is likely to result in a high risk to those individuals. If that’s the case, you must contact them directly, without undue delay, and give them clear information about what happened and how to protect themselves.
What if a third-party supplier caused the breach?
You’re still responsible. If a supplier processes your data and they suffer a breach, they must notify you without undue delay. You then assess whether to report it to the ICO. Don’t assume the supplier will handle it for you — the obligation sits with you as the data controller.
What is the fine for not reporting a breach to the ICO?
The ICO can issue fines of up to £17.5 million or 4% of global annual turnover for serious UK GDPR infringements, including failure to report a notifiable breach. The size of any fine depends on the severity of the breach, your response, and your compliance track record.
What is the difference between a cyber attack and a personal data breach?
A cyber attack is an attempt to compromise your systems. A personal data breach is the result — the accidental or unlawful loss, destruction, or disclosure of personal data. Not every cyber attack results in a data breach, but many do. Both require a prompt, structured response.