SponsoredBuild your website with Vincony

Disclaimer: This is not legal advice. Legislation and case law change. Always consult a qualified solicitor for your specific situation.

UK Law Reference
All Guides
Data Protection
5 steps
Updated 2026-04-09
UK-wide

Reporting a Personal Data Breach to the ICO

How to report a personal data breach or data protection complaint to the Information Commissioner's Office.

Overview

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 protect your personal information. If an organisation has lost your data, shared it without your consent, processed it unlawfully, or refused to comply with your data rights (such as a Subject Access Request), you can complain to the Information Commissioner's Office (ICO). The ICO is the UK's data protection regulator — it has power to investigate, issue enforcement notices, and levy fines of up to £17.5 million. You can also seek compensation in court under Article 82 UK GDPR.

Who Can Use This Process

  • You are likely eligible to use this guide if your situation involves reporting a personal data breach to the ico.
  • You have a genuine legal basis for the matter (contract, tort, statutory right, etc.).
  • You have made reasonable attempts to resolve the matter directly with the other party first.

Step-by-Step Process

1

Complain to the Organisation First

Before approaching the ICO, complain directly to the organisation that has mishandled your data. All organisations subject to the UK GDPR must have a process for handling data protection complaints and must have a Data Protection Officer (if they process data at scale). Write a clear letter explaining: what personal data is involved, how it was mishandled, which data protection principle was breached, and what you want the organisation to do. Give them a reasonable period to respond (28 days).

Timeframe: Allow 28–30 days for the organisation to respond
Practical Tips
  • For NHS bodies, request the Data Protection Officer's contact details from the organisation's website
  • For large companies, the DPO contact is often in the organisation's Privacy Policy
  • Keep all correspondence and note the date you submitted the complaint
  • If the issue is a failure to respond to a Subject Access Request, the organisation must respond within 30 days of the request
2

Gather Your Evidence

Before submitting your ICO complaint, gather: copies of the data mishandled, your original request or complaint to the organisation, the organisation's response (or evidence of non-response), any evidence of harm (financial loss, distress, damaged reputation), and any relevant context (screenshots, emails, letters). The stronger your evidence, the more likely the ICO is to investigate.

Practical Tips
  • Keep originals safe — send copies to the ICO
  • If sensitive personal data (health, financial, biometric) was involved, make this clear — breaches of these categories attract more regulatory attention
  • Quantify any financial loss or distress where possible
  • For SAR failures, calculate the exact number of days the organisation was in breach of the 30-day obligation
3

Submit Your Complaint to the ICO

Submit your complaint using the ICO's online complaint form at ico.org.uk. The form asks: who you are complaining about, what happened, what you asked the organisation to do, and what their response was. Attach your supporting documents. The ICO will assess whether your complaint falls within its jurisdiction and whether it is a priority matter for investigation. Not all complaints result in a formal investigation — the ICO focuses on systemic issues and serious breaches.

Timeframe: Submit within 3 months of the organisation's final response
Practical Tips
  • The ICO complaint form is at ico.org.uk/make-a-complaint
  • You have 3 months from the organisation's final response to submit your ICO complaint (or 3 months from when the issue occurred, if no response was received)
  • Be concise and focused — ICO caseworkers review many complaints; a clear, well-organised complaint gets more attention
  • The ICO cannot award you compensation — for that, you need a court claim under Article 82 UK GDPR
4

Work with the ICO Investigation

If the ICO accepts your complaint for investigation, a caseworker will contact both you and the organisation. They may ask for further information. Respond promptly and provide everything asked. The ICO may decide to take informal action (directing the organisation to comply with the law), issue a formal enforcement notice, or — in serious cases — levy a fine. You will be notified of the outcome.

Timeframe: ICO investigations can take 3–18 months
Practical Tips
  • The ICO's outcome may be a 'reprimand' or an 'enforcement notice' rather than a fine — but these are still significant regulatory actions
  • If the ICO closes the case without the outcome you wanted, you can request an internal review of the decision
  • ICO decisions can be challenged by judicial review — but this is rarely warranted for individual complaints
  • The ICO's investigation may produce findings or evidence useful for a subsequent civil claim for damages
5

Consider a Civil Claim for Compensation

The ICO cannot award you compensation. If you have suffered material damage (financial loss) or non-material damage (distress, anxiety) as a result of the data breach, you can bring a claim in the County Court under Article 82 UK GDPR and s.168 Data Protection Act 2018. For distress-only claims, Vidal-Hall v Google [2015] established that non-material damage is sufficient. The 6-year limitation period applies to civil data protection claims.

Timeframe: Civil claim: 6-year limitation period from the date of the breach
Practical Tips
  • A successful ICO investigation significantly assists a civil claim — use the ICO's findings as evidence
  • Small claims track is available for data protection claims under £10,000
  • Specialist data protection solicitors can advise on CFA (no win no fee) funding for significant claims
  • For serious breaches involving sensitive data, claims of £1,000–£5,000 for distress are not unusual

Costs

ICO complaintFree
Civil claim for compensation (if needed)Court fees from £35; CFA may be available

Important Warnings

The ICO cannot award you compensation — it is a regulator, not a compensation body. Only a court can award damages.

Not all ICO complaints result in investigation — the ICO prioritises systemic issues and serious breaches. A single complaint about a minor issue may be noted but not actively investigated.

The limitation period for civil claims under Article 82 UK GDPR is 6 years — do not allow the ICO complaint process to run past this deadline without protecting your legal position.

Useful Links

Frequently asked questions

How long does the reporting a personal data breach to the ico process take?
The end-to-end timeline depends on which stage you're at. Common steps run on these timeframes: "Allow 28–30 days for the organisation to respond"; "Submit within 3 months of the organisation's final response"; "ICO investigations can take 3–18 months"; "Civil claim: 6-year limitation period from the date of the breach". Add court / counterparty response time on top — disputed matters can run months longer than the bare minimum.
How much does it cost?
Main outlays are: ICO complaint — Free; Civil claim for compensation (if needed) — Court fees from £35; CFA may be available. Court fees often qualify for Help with Fees remission if you're on a low income. Solicitor fees are extra and vary widely — many matters can be done as a litigant in person.
What are the most common mistakes to avoid?
Watch out for: The ICO cannot award you compensation — it is a regulator, not a compensation body. Only a court can award damages.; Not all ICO complaints result in investigation — the ICO prioritises systemic issues and serious breaches. A single complaint about a minor issue may be noted but not actively investigated.; The limitation period for civil claims under Article 82 UK GDPR is 6 years — do not allow the ICO complaint process to run past this deadline without protecting your legal position.. If you're unsure on any of these, get advice from a regulated solicitor or a free service like Citizens Advice before acting.
Where can I find the official forms and guidance?
The official sources are: ICO — Make a Complaint; ICO — Data Breach; UK GDPR — Article 82. Always use the forms / guidance from the issuing authority's own site — third-party copies can be out of date.
Can I do this myself without a solicitor?
Yes — many people complete this kind of matter as a litigant in person. The site walks through each step in plain English. A solicitor is recommended if: large sums are at stake, the other side has legal representation, the matter involves criminal liability, children, immigration, or you're unsure on any procedural deadline. Free advice is available from Citizens Advice, Law Centres, and (for some matters) LawWorks pro bono clinics.

Part of our Online Harm, Privacy and Reputation hub

Defamation, harassment, data protection, Online Safety Act, and intimate image abuse — civil and criminal routes.