---
title: "What should teams do about 72-hour Breach Reporting under the UK GDPR?"
canonical_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting"
source_url: "https://www.sorena.io/artifacts/uk/general-data-protection-regulation/faq/72-hour-breach-reporting"
author: "Sorena AI"
description: "UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "UK GDPR"
  - "72-hour Breach Reporting"
  - "UK GDPR 72-hour Breach Reporting"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# What should teams do about 72-hour Breach Reporting under the UK GDPR?

UK GDPR guidance for 72-hour Breach Reporting, with practical decisions, evidence, edge cases, and external source citations.


## UK GDPR 72-hour Breach Reporting

72-hour Breach Reporting decisions under the UK GDPR should be written in operational language: who is in scope, what must happen, what evidence proves it, and when escalation is needed.

This guide converts requirements into implementation-ready ownership, evidence, and review decisions. It is practical guidance that supports implementation planning, and it should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This page maps 72-hour Breach Reporting into a trigger, owner, deadline, required evidence, and review path so legal, privacy, security, and compliance teams can execute consistently.

## What should teams do about 72-hour Breach Reporting under the UK GDPR?

Teams should run 72-hour breach reporting as an incident workflow: record when the organisation became aware of a personal data breach, assess whether it is notifiable to the ICO, submit the report without undue delay and, where feasible, within 72 hours, and keep any delayed- or phased-reporting rationale with the incident record.

Start with breach facts, affected personal data, likely risk to individuals, containment steps, controller/processor role, ICO notification decision, and whether affected individuals also need to be told.

- Record the awareness timestamp before drafting controls or communications.
- Assess likelihood and severity of risk to individuals and document the notification decision.
- Route uncertain or high-risk cases to privacy, legal, security, and incident-response owners before the 72-hour window closes.

Sources for this answer:

- [ICO UK GDPR personal data breach reporting](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/?ref=sorena.io) - ICO breach-reporting guidance supports the operational trigger, ICO notification route, and 72-hour handling expectation for UK GDPR incidents.
- [ICO personal data breaches: a guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - ICO guidance explains that notifiable breaches must be reported within 72 hours of awareness and that incomplete information can be supplemented.
- [UK GDPR Article 33 - Notification of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/33?ref=sorena.io) - Article 33 is the binding UK GDPR source for controller notification to the supervisory authority and the 72-hour clock.
- [UK GDPR Article 34 - Communication of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/34?ref=sorena.io) - Article 34 supports the separate decision on whether affected individuals must be told when a breach is likely to result in high risk.

## What evidence should teams keep for 72-hour Breach Reporting under the UK GDPR?

Useful evidence is incident-specific: awareness timestamp, breach facts, affected categories of personal data and people, containment steps, risk assessment, ICO notification decision, ICO submission receipt, delayed-reporting explanation if relevant, and any Article 34 communication decision.

- Awareness timestamp, incident timeline, and who made the notifiability decision.
- Risk assessment showing likely impact on individuals and any high-risk communication decision.
- ICO report copy, submission receipt, updates provided later, and reasons for any delay beyond 72 hours.
- Containment, remediation, processor/controller notifications, approval record, and review date.

## Which mistakes create risk when handling 72-hour Breach Reporting under the UK GDPR?

The common failure patterns are treating every security event the same way, missing the awareness timestamp, waiting for a complete investigation before reporting a notifiable breach, and failing to separate ICO notification from communication to affected individuals.

- Using an old threshold, deadline, source page, or incident template without checking current ICO and UK GDPR wording.
- Treating a low-risk decision as a general exemption without recording the risk assessment.
- Letting ICO updates, individual communications, or processor notifications sit outside the incident record.
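As an added worked example (not Sorena's code and not an ICO schema), the following Python check applies the workflow, evidence, and common-mistake points from the three answers above to a single incident record: it computes the 72-hour deadline from the awareness timestamp, keeps the Article 33 and Article 34 decisions separate, and lists the gaps a privacy or incident-response reviewer would escalate. The field names and the sample incident are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

REPORT_WINDOW = timedelta(hours=72)  # Article 33: "not later than 72 hours after having become aware"


@dataclass
class BreachRecord:
    """Minimal incident record; field names are this example's own, not an ICO schema."""
    incident_id: str
    aware_at: Optional[datetime]            # when the organisation became aware (UTC)
    risk_assessment: Optional[str] = None   # documented likelihood/severity rationale
    notifiable: Optional[bool] = None       # ICO notification decision (Article 33)
    high_risk: Optional[bool] = None        # decision on telling individuals (Article 34)
    ico_submitted_at: Optional[datetime] = None
    delay_rationale: Optional[str] = None   # required if submitted after 72 hours
    individuals_told_at: Optional[datetime] = None


def ico_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + REPORT_WINDOW


def review_record(rec: BreachRecord, now: datetime) -> List[str]:
    """Return gaps a reviewer would escalate; an empty list means the record is complete."""
    gaps: List[str] = []
    if rec.aware_at is None:
        # Everything else hangs off the awareness timestamp, so stop here.
        return ["awareness timestamp missing: 72-hour clock cannot be computed"]
    deadline = ico_deadline(rec)
    if not rec.risk_assessment:
        gaps.append("risk assessment not recorded; notifiability decision is unsupported")
    if rec.notifiable is None:
        if now >= deadline:
            gaps.append("notifiability undecided and the 72-hour window has closed")
        else:
            hours_left = (deadline - now) / timedelta(hours=1)
            gaps.append(f"notifiability undecided; {hours_left:.1f} hours remain, escalate")
    elif rec.notifiable:
        if rec.ico_submitted_at is None:
            if now > deadline:
                gaps.append("notifiable breach not yet reported to ICO and 72 hours have passed")
        elif rec.ico_submitted_at > deadline and not rec.delay_rationale:
            gaps.append("ICO report submitted after 72 hours without recorded reasons for delay")
    if rec.high_risk is None:
        gaps.append("Article 34 decision on telling affected individuals not recorded")
    elif rec.high_risk and rec.individuals_told_at is None:
        gaps.append("high risk recorded but no communication to individuals logged")
    return gaps


# Constructed sample: aware Friday 09:00 UTC, ICO report filed Tuesday 10:00 UTC (past 72h), no delay reasons.
SAMPLE = BreachRecord(
    incident_id="INC-EXAMPLE-001",
    aware_at=datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc),
    risk_assessment="Customer contact data exposed; likely risk to individuals",
    notifiable=True,
    high_risk=False,
    ico_submitted_at=datetime(2026, 5, 5, 10, 0, tzinfo=timezone.utc),
)
```

Running `review_record(SAMPLE, SAMPLE.ico_submitted_at)` reports the one gap a reviewer should chase here: the report went in after the 72-hour deadline with no recorded reasons for the delay.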

## Primary sources

- [ICO UK GDPR personal data breach reporting](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/?ref=sorena.io) - ICO breach-reporting guidance supports the operational trigger, ICO notification route, and 72-hour handling expectation for UK GDPR incidents.
  - Quote: "Organisations must report any personal data breach to us without undue delay and, where feasible, within 72 hours."
- [ICO personal data breaches: a guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - ICO guidance explains that notifiable breaches must be reported within 72 hours of awareness and that incomplete information can be supplemented.
  - Quote: "You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it."
- [UK GDPR Article 33 - Notification of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/33?ref=sorena.io) - Article 33 is the binding UK GDPR source for controller notification to the supervisory authority and the 72-hour clock.
  - Quote: "not later than 72 hours after having become aware of it"
- [UK GDPR Article 34 - Communication of a personal data breach](https://www.legislation.gov.uk/eur/2016/679/article/34?ref=sorena.io) - Article 34 supports the separate decision on whether affected individuals must be told when a breach is likely to result in high risk.
  - Quote: "likely to result in a high risk to the rights and freedoms of natural persons"

