
Short answer: A data breach must be reported to the Information Commissioner’s Office (ICO) within 72 hours, unless it is unlikely to result in a risk to the rights and freedoms of the individuals affected. The report should include details of who and how many people are affected, the types and amount of personal data compromised, contact information for your data protection officer or responsible contact, the potential consequences of the breach, and the mitigation measures taken. If the breach poses a high risk, the affected individuals must also be informed.

What to do after a data breach

Clearly, nobody wants their company to be involved in a data breach. However, if you do end up in this situation, responding properly can reduce your liability and help salvage your reputation. Therefore, make sure you plan for how you will handle data breaches. One of the most important components of that plan will be how you notify your customers and other affected parties. Let’s talk about how to write a data breach letter.

Did you know that data leaks that include personal data lead to customer loss and impact on business sustainability?

Ponemon Institute

When should I report a breach to the authorities?

According to GDPR, you must report any data breach that is likely to result in a risk to the rights and freedoms of individuals within 72 hours of becoming aware of it. As soon as you realise you’ve had a data breach, perform a risk assessment. Try to determine:

  • How many people were affected
  • What types of personal data were affected
  • What are the risks for people’s privacy
  • How you will respond

Gathering this information will help you properly notify your local data protection authority. Note that the 72-hour timeframe starts from the moment you become aware of the breach; you do not get extra time to complete your investigation. Putting off reporting a breach can result in fines and penalties.


What should I say when I notify the authorities?

When you notify the supervisory authority that you have had a data breach, always include:

  • Who was affected (customers, employees, etc.), and how many people were affected.
  • What types of personal records were breached and approximately how many.
  • The contact information for your DPO or another contact person.
  • An assessment of any likely consequences of the breach for people affected.
  • What you’ve done or propose to do to mitigate potential harm from the breach.

Now, let’s talk about when you should notify people affected and how to do it properly.

When should I notify people affected?

GDPR article 34 states that when a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, you should notify the data subjects it may affect, without undue delay.

The article also lists a few exceptions where you may not need to notify individuals of the breach. For example:

  1. If the personal data involved in the breach was protected with encryption or other measures that make it unintelligible to unauthorised persons.
  2. If, after the breach, you took subsequent measures to ensure that it is no longer likely to cause a high risk to the rights and freedoms of data subjects.
  3. When notifying people individually would involve disproportionate effort. In that case, you can publish a public communication or similar measure to inform data subjects effectively.

If you think one of these exceptions applies to you, you can wait to see if the supervisory authority requires you to inform people of the breach. On the other hand, if your own risk assessment shows that the data breach is likely to put people at risk, it is best to let them know right away. Again, this will reduce your liability in the long run. Further, it will help protect the people whose data was breached.


What to say in a data breach letter to customers?

Your data breach notification letter to customers should give them a clear, easy-to-understand description of what happened and what you are doing about it. It should also tell them what they can do to protect themselves. Before drafting your letter, prepare answers to the following questions:

  • When was the breach and what exactly happened?
  • Will there likely be consequences or harm for the person?
  • What have I already done and plan to do to protect them?
  • What will I do to prevent this from happening again?
  • Are there things the person can do to protect themselves?
  • Who should they contact for more information?
  • How can they lodge a complaint?

Once you have prepared the answers to these questions, you are ready to draft your letter. Remember to be transparent. Take accountability for the breach. Finally, make it clear that your company takes people’s privacy seriously and that you will continue to do all you can to protect it.

FAQ on Reporting a Data Breach

1. When must a data breach be reported?
Within 72 hours of becoming aware of it – unless it is unlikely to result in a risk to individuals’ rights and freedoms.

2. What if we haven’t completed our investigation within 72 hours?
You must still report the breach based on the information available at the time – and provide further details as they become available.

3. Who should we contact in the UK?
In the UK, data breaches must be reported to the Information Commissioner’s Office (ICO).

4. What happens if we fail to report a breach that should have been notified?
This can result in fines, enforcement action – and potentially serious reputational damage.

Data breach letter template

Try adapting this data breach letter template to report a privacy breach incident to affected people:

Subject: Important: Personal Data Breach Notification

Dear [First Name],

We are writing to inform you that your personal data may have been involved in a recent security incident.

What happened?
On [date], we identified a data breach involving [brief, clear description – e.g. “unauthorised access to an employee email account due to a phishing attack”]. We acted quickly to contain the incident and launched an internal investigation.

What information was affected?
Our analysis shows that the following types of personal data may have been affected:

  • [e.g. Full name, email address, home address, telephone number, account reference, etc.]

What information was not affected?
Importantly, we can confirm that the following categories of personal data were not involved:

  • [e.g. Payment card details, passwords, National Insurance number, health records]

What have we done?
We take this incident very seriously. In response, we have:

  • Contained the breach and closed the vulnerability
  • Notified the Information Commissioner’s Office (ICO)
  • Launched a full internal investigation
  • Strengthened relevant security controls
  • Engaged with external cybersecurity support (if applicable)

What can you do?
Depending on the type of data involved, we recommend the following:

To reduce the risk of identity fraud:

  • Be alert to suspicious emails or calls requesting personal information
  • Do not click links or download attachments from unknown sources
  • Change your passwords, especially if reused across platforms
  • Enable two-factor authentication where available

To protect your financial accounts:

  • Monitor your bank and credit card statements for unusual activity
  • Report any suspicious transactions to your provider immediately
  • Consider contacting credit reference agencies (e.g. Experian, Equifax, TransUnion) for support or a credit freeze

Need help or want to talk?
If you have any questions or concerns, you can contact:

[Name]
[Data Protection Officer / Privacy Lead]
[Email] | [Phone]

If you are not satisfied
If you are unhappy with how we have handled this situation or wish to make a complaint, please email us at [your complaints email address].

You also have the right to contact the UK’s data protection authority:

Information Commissioner’s Office (ICO)
www.ico.org.uk
Telephone: 0303 123 1113

We are committed to protecting your personal data and will continue to monitor and improve our security measures. We sincerely apologise for any concern or inconvenience this may cause.

Yours sincerely,
[Full name]
[Job title]
[Company name]

Detect, contain, and report breaches on time

With more and more records in company storage, it is getting harder and harder to keep track of them and be sure they are really safe. If you do not have visibility of your files, you will not be able to spot problems in time. Performing regular data inventories can help, but combing through your files manually is not a realistic solution. Instead, use an automated data inventory tool to perform this task quickly, regularly, and with high accuracy.

DataMapper can help you:

  • See what personal data you have and where you store it.
  • Find out who on your team has access to personal data you store.
  • Spot data you’ve kept too long that may create unnecessary liability.
  • Show customers and data authorities that you are doing your part to prevent, detect, and report breaches on time.


Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
