According to the Cyber Security Breaches Survey 2025, more than 93% of businesses and 95% of charities were targeted by phishing attacks in 2025, with many organizations affected multiple times.

Globally, the types of data most often leaked are names and email addresses (in 9 out of 10 breaches), followed by phone numbers, passwords, and sensitive data, according to research conducted for our Data Breach Observatory.

Small businesses are particularly vulnerable: 1 in 4 get hacked despite their cybersecurity measures.

In the light of all this, businesses and security professionals must be prepared and aware of their reporting obligations to keep operations secure and compliant.

In the UK, reporting personal data breaches to the Information Commissioner’s Office (ICO) is more than a legal duty; it is a key procedure that shapes public trust, protects individuals, and influences the outcome of a data breach for affected organizations.

In this guide, we’ll explore what qualifies as a reportable breach, how breaches are regulated in the UK, and practical steps (based on real-world experience) to help businesses tackle reporting head-on.

What qualifies as a data breach in the UK?

When and how to report a data breach to the ICO

What are the common challenges in data breach reporting?

What are the best practices for preparing for breach reporting?

How Proton Pass for Business can reduce your breach risks

Keep your business prepared

What qualifies as a data breach in the UK?

A data breach in the UK refers to any security incident that results in the accidental or unlawful loss, destruction, alteration, unauthorized disclosure of, or access to, data. According to the ICO’s guidance, a breach occurs whenever data has been handled insecurely or put at risk, whether the event was caused by human error, technical faults or criminal acts.

Some of the situations that can lead to data breaches include:

  • An email containing sensitive information sent to the wrong recipient
  • Loss or theft of a device storing unencrypted personal details
  • Accidental deletion or corruption of important files
  • Malware infections that allow outsiders to access employee records
  • Physical files being lost or left in public areas

These situations are an important reminder that breaches are not limited to hacking incidents. In practice, simple mistakes, such as a misplaced invoice or wrongly addressed letter, can be just as serious under the law.

In short, the impact isn’t limited to big events. If any real risk to people’s rights or freedoms — like identity theft, fraud or reputational harm — arises, you’re likely to be dealing with a reportable breach. In other words, even a small oversight can have a big impact.

When and how to report a data breach to the ICO

According to the ICO’s requirements, a personal data breach that is likely to result in a risk to people’s rights and freedoms must be reported within 72 hours of becoming aware of it. Failing to report can result in fines of up to 2% of worldwide turnover. In addition, the maximum fine for a data breach in the UK is 4%.

For organizations that act as trust service providers under UK eIDAS, specific rules apply: if a breach has a significant impact on provided services, the ICO must be notified within 24 hours and users must be informed as soon as possible.

But how do you know if a breach reaches the reporting threshold? The key test is risk. Ask yourself: could this incident cause physical, material or non-material harm to individuals? If the answer is “possibly,” action is necessary.

Here’s how to report a data breach in the UK step-by-step:

  1. Identify and contain the breach quickly. Take immediate action to minimize harm — for example, revoke access, isolate affected systems, or reset exposed credentials.
  2. Assess the risk. Who is impacted and how? Consider the type and amount of personal data involved, how easy it is to identify individuals, as well as any possible consequences.
  3. Keep a record of everything. Even if you decide not to report, you are legally required to keep a record of breaches, your investigations, and the rationale behind your decision.
  4. Complete the ICO’s online reporting form. The following information is requested:
    • A description of what happened and how it was detected
    • Date and time of breach discovery
    • The categories and approximate number of individuals and records involved
    • Likely outcomes and actions taken to address the issue
    • Preventive measures that were in place
    • Contact details of your Data Protection Officer (DPO) or lead report handler
  5. Communicate with affected individuals if there is a high risk to their rights or freedoms. This isn’t just best practice — the General Data Protection Regulation (GDPR) and Data Protection Act require you to take this action.
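The steps above, written as a small breach register with the reporting decision made explicit. This is an added example, not code from Proton or the ICO; the scoring rule, the field names and the 72-hour/24-hour windows are assumptions taken from the text, and the sample incident is constructed.

```python
"""Breach register implementing the reporting decision from the steps above.
Added example (not Proton's or the ICO's code); the scoring rule, field names
and 72h/24h windows are assumptions drawn from the text, for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ICO_WINDOW = timedelta(hours=72)     # standard UK GDPR reporting window
EIDAS_WINDOW = timedelta(hours=24)   # trust service providers under UK eIDAS
SENSITIVE = {"health", "financial", "minors", "passwords"}

@dataclass
class BreachRecord:
    description: str                 # what happened and how it was detected
    discovered_at: str               # ISO 8601, e.g. "2025-06-01T09:00:00+00:00"
    data_categories: list            # e.g. ["names", "emails"]
    people_affected: int
    easily_identifiable: bool        # can individuals be picked out from the data?
    possible_harm: list              # e.g. ["identity theft", "fraud"]
    containment_actions: list = field(default_factory=list)
    trust_service_provider: bool = False
    rationale: str = ""              # why you did / did not report (kept on file)

def risk_level(rec: BreachRecord) -> str:
    """Constructed rule returning 'none', 'risk' or 'high'. The legal test is a
    judgement about people's rights and freedoms; this only makes inputs explicit."""
    if rec.people_affected == 0 or not rec.possible_harm:
        return "none"
    if SENSITIVE & set(rec.data_categories) and rec.easily_identifiable:
        return "high"
    return "risk"

def reporting_decision(rec: BreachRecord) -> dict:
    """Decide whether to report, whether to tell individuals, and by when."""
    level = risk_level(rec)
    window = EIDAS_WINDOW if rec.trust_service_provider else ICO_WINDOW
    deadline = datetime.fromisoformat(rec.discovered_at) + window
    return {
        "risk": level,
        "report_to_ico": level != "none",        # any real risk -> report
        "notify_individuals": level == "high",   # high risk -> tell people
        "deadline": deadline.isoformat(),
        "record_kept": True,                     # logged even if not reported
    }

if __name__ == "__main__":
    # Constructed sample incident: credential export emailed to the wrong recipient
    rec = BreachRecord("Credential export emailed to wrong recipient; reported by sender",
                       "2025-06-01T09:00:00+00:00", ["names", "emails", "passwords"],
                       120, True, ["credential stuffing", "fraud"],
                       ["recalled email", "forced password resets"])
    print(reporting_decision(rec))
```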

Since it’s a legal requirement, businesses must not hesitate to report these events, even if they believe the situation might be resolved. Regardless of the type of breach and its extent, timely notification can actually show the ICO that your company takes accountability and mitigation seriously. Moreover, compliance with the ICO’s reporting requirements helps your business build trust, both with customers and with regulators.

The ICO’s personal data breach reporting page covers all the nuances and may help you to identify a critical situation and act accordingly.

What are the common challenges in data breach reporting?

Despite clear legal requirements, businesses often falter for the same reasons. Here’s where the trouble usually starts:

  • Delayed or missed reports. Sometimes, teams aren’t sure who is responsible for reporting, or they don’t discover the breach until it’s already too late. The result? ICO penalties and damaged credibility.
  • Lack of complete information. Reporting too soon – without gathering key facts – can leave gaps in the report or trigger follow-up questions from the ICO.
  • Poor internal communication. Sensitive issues can get “stuck” in one department, rather than being escalated to the appropriate contact or DPO.
  • Inadequate records. Some businesses have little or no evidence of how the breach was handled, even after addressing the primary issue. This leaves them exposed to regulatory scrutiny.
  • Staff uncertainty or lack of training. If employees don’t know what qualifies as a breach, or if they are unsure about reporting procedures, incidents can slip through the cracks.

Every incident looks a bit different, but the absence of a clear response framework always makes things worse. This is why a structured reporting playbook matters just as much as the technical controls. Also, it’s worth keeping in mind that preparation beats panic, every time.

What are the best practices for preparing for breach reporting in the UK?

The following practices (and a few chosen tools) lay a solid foundation, making regulatory compliance less of a fire drill and more of a controlled process.

1. Establish incident detection and documentation

It all starts with awareness. Set up alerts for suspicious activity, and encourage employees to report any strange emails, missing data, or unauthorized access right away. Once an incident is suspected:

  • Document who, what, where, when, and how
  • Keep logs and screenshots for your records
  • Retain evidence, even if you later discover it’s a false alarm

Documenting early details ensures you have a solid foundation for reporting and post-incident analysis.

2. Keep access and credential use under review

Because passwords and access tokens can open the door to sensitive data, controlling credentials is one of the fastest ways to detect breaches and limit damages. Regular audits reveal shared or reused passwords, missing 2FA, dormant accounts or unauthorized privilege escalation.

These access reviews should be:

  • Regularly scheduled, not ad hoc
  • Comprehensive, covering admin, cloud, local systems and vendor accounts
  • Backed by a tool that tracks credential usage, changes, and activity with detailed logs
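One way to run such a review over an account inventory, flagging the four conditions the text names (reused passwords, missing 2FA, dormant accounts, unapproved privilege escalation). This is an added example, not Proton Pass code; the inventory layout, the `pw_fingerprint` field (a password-manager style reuse indicator, never the password itself), the `approved_admin` flag and the 90-day dormancy threshold are assumptions, and the inventory rows are constructed.

```python
"""Access review over a constructed account inventory. Added example, not
Proton Pass code; the row format, 'pw_fingerprint' (reuse indicator only),
'approved_admin' and the 90-day dormancy threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)

# Constructed inventory: one row per account across cloud, admin, local and vendor systems
INVENTORY = [
    {"user": "alice", "system": "cloud", "admin": False, "approved_admin": False,
     "mfa": True,  "last_login": "2025-05-20", "pw_fingerprint": "f1"},
    {"user": "alice", "system": "vendor-portal", "admin": False, "approved_admin": False,
     "mfa": False, "last_login": "2025-05-18", "pw_fingerprint": "f1"},
    {"user": "bob", "system": "admin-console", "admin": True, "approved_admin": False,
     "mfa": True,  "last_login": "2025-05-21", "pw_fingerprint": "f2"},
    {"user": "carol", "system": "local", "admin": False, "approved_admin": False,
     "mfa": True,  "last_login": "2025-01-10", "pw_fingerprint": "f3"},
]

def review_access(inventory, as_of: str) -> dict:
    """Return findings keyed by category; each entry names user@system."""
    today = datetime.fromisoformat(as_of)
    findings = defaultdict(list)
    by_fingerprint = defaultdict(list)
    for acct in inventory:
        key = f"{acct['user']}@{acct['system']}"
        by_fingerprint[acct["pw_fingerprint"]].append(key)
        if not acct["mfa"]:
            findings["missing_2fa"].append(key)
        if today - datetime.fromisoformat(acct["last_login"]) > DORMANT_AFTER:
            findings["dormant"].append(key)
        if acct["admin"] and not acct["approved_admin"]:
            findings["unapproved_admin"].append(key)   # escalation nobody signed off
    for accounts in by_fingerprint.values():
        if len(accounts) > 1:   # same password fingerprint on more than one account
            findings["reused_password"].append(accounts)
    return dict(findings)

if __name__ == "__main__":
    for category, items in review_access(INVENTORY, "2025-05-22").items():
        print(category, items)
```

Each finding is the kind of item the review should log and assign an owner to, so the evidence trail exists before any incident rather than after.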

Proton Pass for Business is a secure business password manager that offers several features to help businesses prevent these breaches, including password health monitoring, customisable team policies and breach alerts.

This approach, with the right tools, reduces the risk of a credential-related breach and helps to quickly identify what went wrong in case an incident happens.

3. Set up internal reporting workflows

Clear communication beats chaos, and a simple path for incident escalation is what your company needs for efficient breach reporting. Here’s an example of a smooth workflow:

  • All staff report suspected incidents to a central security mailbox or responsible officer
  • With the submitted information, incidents are investigated and triaged fast by a dedicated team
  • Then, a named individual, such as the DPO, decides about making the final reporting call

A simple incident flowchart, shared in onboarding and reminders, works wonders. Make reporting easy and implement a stigma-free culture because if team members fear repercussions, they’ll hide mistakes instead of reporting them.

4. Invest in staff awareness and regular training

The Cyber Security Breaches Survey 2025 confirms that phishing remains the leading cause of breaches (experienced by 85% of surveyed businesses). To face this reality, training employees to spot red flags — from suspicious emails to social engineering attempts — is one of the cheapest and most effective actions.

A bite-sized approach supported by real-world examples can enhance your training. Furthermore, update your training content as often as possible, and avoid relying on generic courses that aren’t applicable to your industry or your organizational setup.

5. Assess and record breach impacts objectively

The best route to judge if a breach is reportable is risk assessment. It’s essential to document:

  • Types of data lost, and whether it’s sensitive (health, financial, minors’ data, etc.)
  • How easily affected individuals could be identified
  • What harm could result (identity theft, embarrassment, financial loss, etc.)

Acting early and writing down your assessment shows the ICO that you took the situation seriously.

6. Practice breach response drills

Staging mock breaches is an old-fashioned tabletop exercise that can make a real difference. It highlights hidden gaps, reveals workflow snags, and tests the escalation process before the real thing happens.

The outcome? Not just compliance reinforcement, but a team who knows what to do (and why) under pressure.

7. Leverage secure access management and prevention-focused tools

Compromised passwords remain a primary risk. That’s why secure password management is now a core part of incident prevention and response. Solutions like Proton Pass for Business greatly limit exposure during breaches by automating credential rotation, monitoring password health, and making it much harder for phishing to succeed.

You can explore further strategies and tool explanations in the Proton cybersecurity resources, especially if you are reviewing your own toolkit.

How Proton Pass for Business can reduce your breach risks

Businesses of every size are vulnerable to data breaches. In fact, according to research conducted by Proton, SMBs may be the most vulnerable of all. But with the right tools, any business can reduce their breach risks: Proton Pass for Business addresses both technical and compliance challenges.

  • End-to-end encryption protects users’ credentials at rest and in transit. Even if infrastructure is compromised, the data remains inaccessible to attackers.
  • Password Health Check improves the security of the business network. Weak or reused passwords are identified and flagged so they can be replaced.
  • Dark Web Monitoring tracks leaked credentials and sends alerts. Active scanning throughout the dark web allows you to identify breaches and reduce potential damage.
  • Customisable, enforceable team policies establish stronger password management. Strict and adaptable password, 2FA, and data sharing policies enforce access security according to your organization’s needs.
  • Central admin tools, automated reporting, and credential sharing controls mean changes can be implemented in minutes, not days.
  • Open-source code and regular independent audits build trust. Security controls aren’t just claims – they can be verified by anyone.

By focusing on user empowerment, open security and ease of deployment, Proton aligns with a privacy-first approach. This helps you build a workplace culture where breach resilience is baked into your everyday workflows.

For organizations ready to move toward secure access management as part of a breach-preparedness program, Proton’s business password manager is a natural fit, especially if compliance, usability, and transparency rank high on your checklist.

For example, Novalytica shares plenty of logins with clients and was looking for a secure way to perform this task. Proton Pass for Business addressed their needs with a complete solution for sharing information and logins with customers, ensuring security and traceability.

If you’re interested in practical tips for introducing secure credentials and breach reporting at scale, explore some detailed examples on the Proton business resources for cybersecurity page as well.

Keep your business prepared

Knowing how to file a data breach report in the UK is key for business compliance, trust and survival. The difference between a damaging disaster and a managed incident often comes down to preparation, communication, and using the right blend of people, processes, and secure technologies.

Building clear internal workflows, practicing incident drills, and prioritizing secure tools like Proton Pass for Business are powerful actions that help you meet reporting deadlines and avoid fines. Additionally, these good practices strengthen governance at every level, build accountability, and assure both your customers and the ICO that you’re serious about doing the right thing, even in difficult moments.

If you want to stay one step ahead, learn more about Proton’s mission for digital freedom and see how privacy-first tools can help your business. We invite you to explore our solutions for enterprises and join a movement putting people — not just profits — at the center of cybersecurity.

Frequently asked questions about data breaches in the UK

What is a data breach in the UK?

A data breach in the UK is any incident where personal data is lost, disclosed, altered or accessed without authorization, whether this happens through accident, cyberattack, or carelessness. What matters is whether there is a risk to people’s rights or freedoms: this is the threshold for deciding if you must report the breach to the Information Commissioner’s Office (ICO).

How do I report a data breach to the ICO?

You must use the ICO’s online reporting form, supplying key details about the breach: what happened, when, how many people and records are involved, and what steps you have taken or plan to take to contain the fallout. The organization’s Data Protection Officer or another responsible official should usually submit the report within 72 hours of discovery (24 hours for organizations that act as trust service providers under UK eIDAS).

When should I notify the ICO of a breach?

You should notify the ICO as soon as possible, and no later than 72 hours after becoming aware of the breach, if the incident is likely to put people’s rights and freedoms at risk. Failing to meet this deadline can result in additional regulatory penalties and loss of public trust.

What information is needed to report a breach?

The ICO asks for a full description of the breach, time and date of discovery, the nature and volume of personal data impacted, number of affected individuals or records, what harm may result and actions taken to contain the breach. A point of contact for follow-up is also requested. If all information isn’t available within 72 hours, you should submit the report anyway, updating the ICO later when you have more details.

Are all data breaches reportable to the ICO?

No, not every breach is reportable. You must report only those incidents where personal data is involved and where there is a real risk to people’s rights or freedoms. However, even non-reportable breaches must be logged internally in case the ICO reviews your records in the future.