16/06/2026 · 5 min read

Data breach? The first 72 hours, explained

What counts as a personal data breach, when you have to tell the ICO, and the practical steps to take in the first three days.

A personal data breach is not only the work of a hacker. It is any security failure that leads to personal data being lost, destroyed, altered, or exposed to the wrong people. An email sent to the wrong client, a lost laptop, or a misconfigured shared folder all count.

The 72-hour rule

If a breach is likely to result in a risk to people’s rights and freedoms, you must notify the ICO without undue delay, and no later than 72 hours after becoming aware of it. The clock starts when you become aware, not when you finish investigating. If the risk to individuals is high, you also have to tell the affected people, in plain language, without undue delay.

Not every breach has to be reported. A one-off email to the wrong person that you can recall quickly, with no sensitive content, may not meet the threshold. But you have to make and record that judgement.

What to do, in order

  1. Contain it. Stop the bleeding: recall the email, revoke the access, take the system offline. Limit the spread first.
  2. Assess the risk. What data was involved, how many people, how sensitive it is, and what could happen to them as a result. This decides whether you notify.
  3. Notify if required. Tell the ICO within 72 hours if the threshold is met, and tell affected individuals if the risk to them is high.
  4. Record it. Log every breach, even the ones you decide not to report, with what happened and why you judged it the way you did. The ICO can ask to see that log.

The part people forget

You must keep a record of all personal data breaches, reportable or not. That log is how you show you took it seriously and learned from it. Decide in advance who makes the call and where the log lives, because 72 hours is not the moment to be inventing a process. A short breach procedure, agreed while it is calm, is worth far more than it looks.

Get your records in order

The Data Protection Register turns plain-English answers into the records the law asks for, and keeps them current. See where you stand with our free check.

This is general information, not legal advice.