Breach Notification Support
Regulatory notification under UK GDPR, NIS2, and sector-specific frameworks. 72-hour clock management, ICO liaison, and individual notification drafting.
Written by Simon Lynge, Director DFIR — ChCSP, CREST IR | Last updated: March 2026
The 72-Hour Clock Starts Now
UK GDPR Article 33 requires notification to the ICO within 72 hours of becoming aware of a personal data breach — unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. That clock starts from first awareness, not from the completion of your investigation.
Many organisations get this wrong: they wait until the investigation is complete, over-notify on trivial breaches, or under-notify on serious ones. Each mistake carries consequences, from wasted regulatory goodwill to enforcement action. We bring the technical and regulatory expertise to get it right.
What We Provide
- Notification obligation assessment — is this breach notifiable? To whom? Within what timeframe? We advise based on the specific data involved, the risk to individuals, and applicable regulation.
- ICO notification management — we prepare and submit Article 33 notifications, manage follow-up requests, and present a coherent, well-documented account of what happened and what you're doing about it.
- Individual data subject notifications — Article 34 requires notification to affected individuals where there is a high risk to their rights and freedoms. We draft and manage these communications.
- Multi-regulatory coordination — many organisations are subject to multiple regimes (GDPR, NIS2, PRA, FCA, CQC). We coordinate notification across frameworks to avoid conflicting submissions.
- Documentation and records — Article 33(5) requires you to document all breaches, whether or not they are notifiable. We ensure your records are complete and defensible.
- Regulatory liaison — direct engagement with the ICO and other regulators on your behalf where required.
Regulatory Frameworks We Cover
- UK GDPR and the Data Protection Act 2018
- NIS and NIS2 Regulations (for operators of essential services and digital service providers)
- FCA and PRA requirements (financial services)
- CQC requirements (health and social care)
- Solicitors Regulation Authority requirements (legal sector)
- Charity Commission obligations
- Cross-border EU GDPR notification (where UK organisations process EU residents' data)
Frequently Asked Questions
Do we have to notify the ICO for every breach?
No. You must notify if the breach is likely to result in a risk to the rights and freedoms of individuals. Low-risk breaches (e.g., an email sent to the wrong internal recipient) typically don't require ICO notification — but must still be documented. We help you make the correct assessment.
What if we miss the 72-hour window?
Late notification is better than no notification. The ICO expects you to notify where you have sufficient information — you can supplement a partial notification later. We help you frame a late notification in the most defensible way and advise on likely ICO response.
Can we do this without involving external advisors?
You can, but the risk is getting the assessment wrong: either over-notifying (which opens unnecessary regulatory engagement and can mean alarming individuals who did not need to be told) or under-notifying (which can result in enforcement action). External advisors provide a documented, defensible assessment process.
What does the ICO actually do with a notification?
The ICO logs the notification, assesses the risk, and may request further information or conduct a preliminary assessment. Most properly handled notifications result in no further action. The ICO focuses on whether you acted appropriately; external expert support demonstrates exactly that.
Do you handle notifications outside the UK?
We focus on UK GDPR and UK regulatory frameworks. For EU GDPR notifications (where you process data of EU residents), we work with specialist EU data protection lawyers and can co-ordinate the submission.