ICO Data Breach Notification Letter
Letter to the Information Commissioner's Office (ICO) reporting a personal data breach under UK GDPR Article 33 / DPA 2018.
When to use this template
Use within 72 hours of becoming aware of a personal data breach where there is a risk to the rights and freedoms of natural persons. This is a statutory obligation on data controllers under UK GDPR Article 33. Failure to report a notifiable breach is itself a serious infringement.
When NOT to use this template
Do not use if the breach is unlikely to result in a risk to data subjects (no notification required โ but you should still keep an internal record). Do not use as a substitute for notifying affected data subjects directly under Article 34 where required.
Legal Basis
UK GDPR Article 33 (notification to supervisory authority); UK GDPR Article 34 (communication to the data subject); Data Protection Act 2018 s.67. 72-hour clock runs from becoming aware of the breach, not from the breach itself.
Common Mistakes to Avoid
- โWaiting for full information before reporting โ initial notifications can be progressive
- โForgetting to notify the affected data subjects under Article 34 where the breach is likely to result in a high risk
- โNot keeping an internal breach register (mandatory under Article 33(5))
- โTreating containment / forensic investigation as a substitute for ICO notification
- โFailing to identify the breach DPO contact for the ICO to follow up
Build Your Letter
Fill in your details
Complete the fields below. Required fields are marked with *.
Optional fields
Letter preview
[ORGANISATION NAME] [ORGANISATION REGISTERED ADDRESS] ICO Registration Number: [ICO REGISTRATION NUMBER] [TODAY'S DATE] The Information Commissioner's Office Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF --- **PERSONAL DATA BREACH NOTIFICATION โ UK GDPR Article 33** Reference: [INTERNAL BREACH REFERENCE] **1. Data controller details** Organisation: [ORGANISATION NAME] ICO Registration: [ICO REGISTRATION NUMBER] Data Protection Officer / contact: [DPO OR DATA-PROTECTION CONTACT NAME], [DPO EMAIL], [DPO PHONE] **2. Nature of the breach** Date and time of breach (or first awareness): [DATE/TIME YOU BECAME AWARE OF THE BREACH] Date and time of containment (if applicable): [DATE/TIME OF CONTAINMENT (IF KNOWN)] Description of the breach: [FACTUAL DESCRIPTION OF THE BREACH] Categories of personal data affected: [CATEGORIES OF PERSONAL DATA AFFECTED] Approximate number of data subjects affected: [APPROXIMATE NUMBER OF DATA SUBJECTS AFFECTED] Approximate number of personal data records concerned: [APPROXIMATE NUMBER OF RECORDS CONCERNED] **3. Likely consequences** We assess the likely consequences for affected data subjects as follows: [LIKELY CONSEQUENCES FOR AFFECTED SUBJECTS] **4. Measures taken or proposed** Containment measures already taken: [CONTAINMENT MEASURES TAKEN] Remediation measures planned: [REMEDIATION MEASURES PLANNED] **5. Communication to data subjects** [PLAN FOR NOTIFYING AFFECTED DATA SUBJECTS (ARTICLE 34)] **6. Cross-border element** [CROSS-BORDER DATA FLOW INVOLVED?] **Additional information** [ANY ADDITIONAL INFORMATION] We will provide further information as the investigation progresses. The point of contact for any follow-up is [DPO OR DATA-PROTECTION CONTACT NAME] at [DPO EMAIL]. Yours faithfully, [SIGNATORY NAME] [SIGNATORY ROLE] [ORGANISATION NAME]
Unfilled fields appear as [FIELD NAME]. Review the letter carefully before sending. This template is a starting point โ adapt it to your specific circumstances.