---
title: "UK GDPR Breach Notification"
canonical_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/breach-notification"
source_url: "https://www.sorena.io/artifacts/uk/uk-gdpr/breach-notification"
author: "Sorena AI"
description: "Operational guide to UK GDPR breach notification, including the 72 hour ICO deadline, processor escalation, breach logging."
keywords:
  - "UK GDPR breach notification"
  - "ICO 72 hours"
  - "article 33 UK GDPR"
  - "article 34 UK GDPR"
  - "UK GDPR breach"
  - "72 hour ICO reporting"
  - "Article 33 and 34"
---

---

# UK GDPR Breach Notification

Operational guide to UK GDPR breach notification, including the 72 hour ICO deadline, processor escalation, breach logging.

*Incident Response* *UK GDPR*

## UK GDPR Breach Notification

Run a breach process that can decide fast, notify the ICO in time, and preserve evidence.

Article 33 and Article 34 duties turn on a risk analysis, not on whether the full story is known in the first few hours.

The ICO expects a controller to know when it became aware of a breach, whether the breach is notifiable, and what facts were sent in the initial and follow-up reports.

## When notification is required

A controller must notify the ICO without undue delay and where feasible within 72 hours of becoming aware of a notifiable personal data breach. If more time is needed, the report must explain the delay.

- Record the time of awareness and the facts available at that moment
- Assess confidentiality, integrity, and availability impacts separately
- Decide whether ICO notification is required and who signs off
- Keep an internal breach record even when the ICO is not notified

*Recommended next step*

## Turn UK GDPR Breach Notification into an operational assessment

Assessment Autopilot can turn UK GDPR Breach Notification from a guide to response workflows and review cycles into a reusable workflow inside Sorena. Teams working on UK GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for UK GDPR Breach Notification](/solutions/assessment.md): Start from UK GDPR Breach Notification and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through UK GDPR](/contact.md): Review your current process, evidence gaps, and next steps for UK GDPR Breach Notification.

## Processor and controller workflow

A processor must tell the controller about a breach without undue delay after becoming aware of it. That duty should appear in contracts, on-call playbooks, and escalation paths.

- Set contract language for processor notice and evidence
- Collect categories of data, affected people, systems, and likely consequences
- Prepare an initial ICO filing and a follow-up evidence pack
- Track remediation, root cause, and lessons learned

## Communication to individuals

Article 34 requires communication to affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

- Use plain language and tailor advice to the actual harm scenario
- Document whether encryption or subsequent measures remove the need to notify individuals directly
- Retain copies of notices, scripts, and regulator submissions
- Review security, vendor, or training changes after the incident
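The decision rules in the two sections above (record the moment of awareness, assess the three impacts separately, notify the ICO unless the breach is unlikely to result in a risk, notify individuals only for likely high risk and not where encryption or later measures remove that risk, and explain any filing after 72 hours) can be encoded as a small breach register. The following is an added example written for this guide, not Sorena's or the ICO's code; the field names, the three risk levels ("unlikely", "likely", "high") and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 33(1): notify the ICO without undue delay and, where feasible,
# not later than 72 hours after becoming aware of the breach.
ICO_WINDOW = timedelta(hours=72)

# Assumed vocabulary for the risk to rights and freedoms from each impact type.
RISK_RANK = {"unlikely": 0, "likely": 1, "high": 2}


@dataclass
class BreachRecord:
    """One entry in the internal breach register (kept whether or not the ICO is told)."""
    ref: str
    aware_at: datetime                      # moment of awareness, timezone-aware
    facts_at_awareness: str                 # what was actually known at that moment
    confidentiality_risk: str               # each CIA impact is assessed separately
    integrity_risk: str
    availability_risk: str
    protected_by_encryption: bool = False   # data unintelligible to unauthorised parties
    risk_removed_by_later_measures: bool = False
    signed_off_by: Optional[str] = None     # who approved the notify / do-not-notify decision
    ico_filed_at: Optional[datetime] = None
    delay_reason: Optional[str] = None      # required when filed after the 72 hour window


def overall_risk(rec: BreachRecord) -> str:
    """The highest of the three separately assessed impacts drives the decision."""
    levels = (rec.confidentiality_risk, rec.integrity_risk, rec.availability_risk)
    for level in levels:
        if level not in RISK_RANK:
            raise ValueError(f"unknown risk level {level!r}")
    return max(levels, key=RISK_RANK.__getitem__)


def ico_notification_required(rec: BreachRecord) -> bool:
    """Article 33: notify the ICO unless the breach is unlikely to result in a risk."""
    return overall_risk(rec) != "unlikely"


def individuals_notification_required(rec: BreachRecord) -> bool:
    """Article 34: tell affected people when high risk is likely, unless encryption
    or subsequent measures mean that high risk is no longer likely to materialise."""
    if overall_risk(rec) != "high":
        return False
    return not (rec.protected_by_encryption or rec.risk_removed_by_later_measures)


def ico_deadline(rec: BreachRecord) -> datetime:
    return rec.aware_at + ICO_WINDOW


def hours_to_file(rec: BreachRecord) -> Optional[float]:
    """Elapsed hours between awareness and the ICO filing, or None if not yet filed."""
    if rec.ico_filed_at is None:
        return None
    return (rec.ico_filed_at - rec.aware_at) / timedelta(hours=1)


def register_issues(rec: BreachRecord) -> list[str]:
    """Checks a reviewer would run before closing the record; empty list means clean."""
    issues: list[str] = []
    if rec.aware_at.tzinfo is None:
        # Without a zone the 72 hour clock is ambiguous; stop before doing arithmetic.
        return ["aware_at must be timezone-aware so the 72 hour clock is unambiguous"]
    if not rec.facts_at_awareness.strip():
        issues.append("facts known at the moment of awareness were not recorded")
    if rec.signed_off_by is None:
        issues.append("notification decision has no sign-off")
    if ico_notification_required(rec):
        if rec.ico_filed_at is None:
            issues.append(f"ICO notification required; deadline {ico_deadline(rec).isoformat()}")
        elif rec.ico_filed_at > ico_deadline(rec) and not rec.delay_reason:
            issues.append("ICO filing is later than 72 hours and no reason for the delay is recorded")
    return issues


# Constructed sample records (not real incidents).
LATE_UNENCRYPTED = BreachRecord(
    ref="BR-0001",
    aware_at=datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    facts_at_awareness="Customer export file emailed to the wrong external recipient.",
    confidentiality_risk="high", integrity_risk="unlikely", availability_risk="likely",
    signed_off_by="DPO",
    ico_filed_at=datetime(2025, 3, 7, 10, 0, tzinfo=timezone.utc),
)

ENCRYPTED_IN_TIME = BreachRecord(
    ref="BR-0002",
    aware_at=datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    facts_at_awareness="Encrypted laptop reported stolen; key not on the device.",
    confidentiality_risk="high", integrity_risk="unlikely", availability_risk="unlikely",
    protected_by_encryption=True,
    signed_off_by="DPO",
    ico_filed_at=datetime(2025, 3, 4, 15, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for rec in (LATE_UNENCRYPTED, ENCRYPTED_IN_TIME):
        print(rec.ref, overall_risk(rec), ico_notification_required(rec),
              individuals_notification_required(rec), hours_to_file(rec), register_issues(rec))
```

The register keeps every record, including those where the ICO is not notified, which is the audit trail the ICO asks for when it questions a do-not-notify decision. The first sample record files at 97 hours with no recorded reason, so the reviewer check flags it; the second is filed in time and, because the data was encrypted, needs no communication to individuals even though the ICO notification still stands.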

## Primary sources

- [ICO personal data breaches guide](https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/?ref=sorena.io) - Article 33 and 34 operational guidance.
- [ICO guide to data security](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-to-data-security/?ref=sorena.io) - Article 32 and security principle guidance.
- [ICO guide to accountability and governance](https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/guide-to-accountability-and-governance/?ref=sorena.io) - Accountability, records, and contracts guidance.
- [UK GDPR on legislation.gov.uk](https://www.legislation.gov.uk/eur/2016/679/contents?ref=sorena.io) - UK legislative text.

## Related Topic Guides

- [IDTA vs EU SCCs | UK GDPR Transfer Tool Comparison](/artifacts/uk/uk-gdpr/idta-vs-eu-sccs.md): Compare the UK IDTA, UK Addendum, and EU standard contractual clauses for UK GDPR transfer compliance, contract selection, and transfer risk assessments.
- [UK GDPR Applicability Test | Territorial Scope and Roles](/artifacts/uk/uk-gdpr/applicability-test.md): Assess UK GDPR territorial scope, controller or processor role, special category triggers, and UK transfer exposure with a defensible applicability test.
- [UK GDPR Checklist | Practical Compliance Checklist](/artifacts/uk/uk-gdpr/checklist.md): Practical UK GDPR checklist for accountability, lawful basis, Article 30 records, processor contracts, rights handling, transfers, and breach readiness.
- [UK GDPR Children and Age Appropriate Design](/artifacts/uk/uk-gdpr/children-and-age-appropriate-design.md): Implement the UK Children's Code with grounded guidance on likely to be accessed tests, high privacy defaults, profiling limits, geolocation, age assurance.
- [UK GDPR Compliance Program | Operating Model Guide](/artifacts/uk/uk-gdpr/compliance.md): Build a UK GDPR compliance program with accountability, Article 30 records, DPIAs, controller processor contracts, rights operations, transfer controls.
- [UK GDPR Data Subject Rights | One Month Response Guide](/artifacts/uk/uk-gdpr/data-subject-rights.md): Operational guide to UK GDPR data subject rights, including access, rectification, erasure, restriction, portability, objection.
- [UK GDPR Deadlines and Compliance Calendar](/artifacts/uk/uk-gdpr/deadlines-and-compliance-calendar.md): Calendar view of UK GDPR milestones, including January 1, 2021 applicability, March 2022 transfer tools, one month rights deadlines.
- [UK GDPR FAQ | Practical Questions and Answers](/artifacts/uk/uk-gdpr/faq.md): Practical UK GDPR FAQ covering scope, lawful basis, rights timing, breach reporting, transfers, children, and enforcement exposure.
- [UK GDPR Penalties and Fines | Enforcement Exposure Guide](/artifacts/uk/uk-gdpr/penalties-and-fines.md): Guide to UK GDPR penalties and fines, including the 17.5 million pounds or 4 percent upper tier, the 8.7 million pounds or 2 percent standard tier.
- [UK GDPR Requirements | Control Level Requirements Guide](/artifacts/uk/uk-gdpr/requirements.md): Control level UK GDPR requirements covering principles, lawful basis, transparency, rights, Article 30 records, security, contracts, transfers, and DPIAs.
- [UK GDPR Transfers, IDTA, and UK Addendum](/artifacts/uk/uk-gdpr/transfers-idta-and-uk-addendum.md): Detailed UK GDPR international transfers guide covering adequacy, UK IDTA, UK Addendum, transfer risk assessments, vendor governance, and UK bridge reliance.
- [UK GDPR vs Data Protection Act 2018](/artifacts/uk/uk-gdpr/uk-gdpr-vs-data-protection-act-2018.md): Compare the UK GDPR and the Data Protection Act 2018, including what the UK GDPR does directly and where the DPA 2018 supplements, restricts, or extends it.
- [UK GDPR vs EU GDPR | Practical Comparison](/artifacts/uk/uk-gdpr/uk-gdpr-vs-eu-gdpr.md): Practical comparison of the UK GDPR and EU GDPR, including scope, transfers, regulators, adequacy, and operational divergence for multinational programmes.
- [UK vs EU GDPR Differences | Operational Differences List](/artifacts/uk/uk-gdpr/uk-vs-eu-differences.md): Operational differences between the UK and EU privacy regimes, including transfer tools, adequacy lists, regulators, notices, and programme governance.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.
