Compliance & GDPR

How to Report a Data Breach to the ICO: A Step-by-Step Guide

5 May 2026 · 5 min read · By Hak, VantagePoint Networks

A data breach is one of the most serious challenges any organisation can face. The moment you discover that personal data has been compromised, the clock starts ticking. Under UK GDPR and the Data Protection Act 2018, you are legally required to report a personal data breach to the ICO (Information Commissioner's Office) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Missing this deadline or mishandling the notification process can result in substantial fines, reputational damage, and loss of client trust. For London-based SMBs, professional services firms, legal practices, and financial advisers, understanding exactly how to report a breach swiftly and accurately is not optional: it is a core part of your compliance framework.

Understanding Your Legal Obligation to Report

Before you pick up the phone or draft an email to the ICO, it's crucial to understand when a breach actually constitutes a reportable event. UK GDPR (Article 4(12)) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." Note that this covers more than hacking: a lost laptop, an email sent to the wrong recipient, or a ransomware attack that makes data unavailable are all personal data breaches.

The key question is not whether a breach has occurred, but whether it is likely to pose a risk to individuals' rights and freedoms. The ICO's guidance emphasises that you should weigh both the likelihood and the severity of harm to the people affected, taking into account the type and sensitivity of the data, the number of individuals involved, how easily they could be identified, and what the data could be used for.

Unless the breach is unlikely to result in a risk to individuals' rights and freedoms, you must report it to the ICO. There is no exemption for small businesses or low-risk sectors, although the ICO recognises proportionality in assessment. For professional services and legal firms handling client data, the threshold is typically low: any unauthorised access to client information should prompt immediate consideration of a report.

The 72-Hour Reporting Window: What It Means and How to Meet It

The 72-hour deadline is firm and includes evenings, weekends and bank holidays. It runs from the moment you become aware of the breach, which the ICO interprets as the point at which you have a reasonable degree of certainty that a security incident has compromised personal data, not from when the incident itself occurred. If you do notify late, the notification must be accompanied by the reasons for the delay. In practice, this means your incident response team must move quickly to assess the situation, gather evidence, and prepare your notification.

The window is tight, but it is designed to give you enough time to conduct a basic assessment without requiring a full forensic investigation. The ICO understands that you may not have all the details at the time of reporting. Article 33(4) of UK GDPR expressly permits you to provide the information in phases: report what you know at that moment and supply further detail as your investigation progresses.

Building Your Breach Response Timeline

To meet the deadline reliably, establish a clear internal timeline immediately upon discovering the breach:

  1. Hour 0–2: Confirm that the breach has occurred, record the time you became aware of it (this starts the 72-hour clock), and isolate affected systems to prevent further unauthorised access without destroying evidence.
  2. Hour 2–24: Gather basic facts: what data, how many people, what happened, initial cause analysis.
  3. Hour 24–48: Prepare your initial ICO report with available information and begin notifying individuals (if required).
  4. Hour 48–72: Finalise and submit your report to the ICO before the deadline, noting any information you will follow up in a later phase.

This timeline works only if your organisation has designated a data protection lead or incident response coordinator in advance. If you lack this internal resource—a common situation in smaller professional services firms—engage external support immediately. Specialists such as VantagePoint Networks can assist with breach assessment, evidence gathering, and ICO notification, ensuring you meet compliance deadlines while you focus on business continuity.

Step-by-Step: Submitting Your Report to the ICO

Gathering the Required Information

Before you contact the ICO, ensure you have collected the core information that Article 33(3) of UK GDPR requires a notification to contain: the nature of the breach, including where possible the categories and approximate number of individuals and records affected; the name and contact details of your data protection officer or another point of contact; the likely consequences of the breach; and the measures you have taken or propose to take to address it and mitigate its effects. If some of this is not yet known, say so and state when you expect to provide it.

How to Make Your Report

The ICO accepts breach reports via its online notification form, by email, or by telephone. For urgent breaches affecting large numbers of people or sensitive data, telephone notification (0303 123 1113, during the ICO's office hours) is the fastest option and allows you to speak directly with a member of the ICO's team, who can provide immediate guidance on your specific circumstances.

If you report by email, use casework@ico.org.uk with the subject line "Personal Data Breach Notification." Include all the information listed above, even if some details remain preliminary, and say which items you will update. The ICO expects further updates as your investigation continues.

Once you have submitted your initial report, the ICO will allocate a case reference number and assign a case officer. This officer will contact you within a few working days to discuss the breach in more detail, request additional information, and advise on next steps. They may ask you to provide a formal breach investigation report within 30 days, depending on the severity and nature of the incident.

Notifying Affected Individuals and Managing Reputational Risk

Notifying the ICO is only half the task. Article 34 of UK GDPR sets a higher bar than Article 33: you must also notify the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Individual notification is not required if the data was protected by measures, such as encryption, that render it unintelligible to anyone not authorised to access it, if you have since taken measures that mean the high risk is no longer likely to materialise, or if contacting each individual would involve disproportionate effort, in which case a public communication that informs them equally effectively is required instead. The ICO can also order you to notify individuals if it disagrees with your assessment.

Your notification to individuals should be clear, prompt, and written in plain language. It should describe the nature of the breach, give a contact point, explain the likely consequences, and set out what you have done and what they can do to protect themselves. For professional services firms and financial advisers, this is also an opportunity to demonstrate transparency and rebuild trust. A delayed or poorly worded notification can do more reputational damage than the breach itself.

Document all of your breach response actions: when you became aware of the breach, the assessment you made, notifications sent, individuals contacted, remediation measures implemented, and internal policy changes made. Article 33(5) of UK GDPR requires you to keep a record of every personal data breach, including those you decide not to report, covering the facts, its effects and the remedial action taken. This documentation is essential if the ICO investigates further or if individuals raise complaints. It also demonstrates good faith and can significantly influence any enforcement decision.

Data breaches are inevitable in an interconnected world, but your response to them defines your organisation's resilience and integrity. By understanding the ICO's requirements, acting within the 72-hour window, and notifying individuals promptly, you transform a crisis into a manageable compliance event. The time to prepare is now—before a breach occurs.

From VantagePoint Networks
Book a Free 20-Minute IT Strategy Call

VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.

Book your free call →