Is This a Data Breach?
Answer 5 questions about a security incident. Get an instant assessment of whether you need to notify the ICO within 72 hours.
Data Breach FAQ
What counts as a personal data breach under GDPR?
A personal data breach is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes cyber attacks, lost devices, misdirected emails, and accidental deletion.
When do I need to notify the ICO about a data breach?
You must notify the ICO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. The 72-hour clock starts from the moment you become aware, not when the breach occurred.
What happens if I fail to report a data breach?
Failure to notify a reportable breach can result in a fine of up to £8.7 million or 2% of global annual turnover, whichever is higher. The ICO fined MediaLab.AI £247,590 in February 2026 partly for failing to conduct proper breach assessments.
Disclaimer: This tool provides general guidance only and does not constitute legal advice. Every incident is different. When in doubt, notify the ICO — they prefer over-reporting. For professional support with breach response, contact us.