SponsoredBuild your website with Vincony

دستبرداری: یہ قانونی مشورہ نہیں ہے۔ قانون سازی اور کیس لاء تبدیل ہوتے رہتے ہیں۔ ہمیشہ اپنی مخصوص صورتحال کے لیے ایک اہل وکیل سے مشورہ کریں۔

UK Law Reference
← All Templates
Data Protection
Data Protection Law
Updated 2026-06-16

ICO Data Breach Notification Letter

Letter to the Information Commissioner's Office (ICO) reporting a personal data breach under UK GDPR Article 33 / DPA 2018.

When to use this template

Use within 72 hours of becoming aware of a personal data breach where there is a risk to the rights and freedoms of natural persons. This is a statutory obligation on data controllers under UK GDPR Article 33. Failure to report a notifiable breach is itself a serious infringement.

When NOT to use this template

Do not use if the breach is unlikely to result in a risk to data subjects (no notification required — but you should still keep an internal record). Do not use as a substitute for notifying affected data subjects directly under Article 34 where required.

Legal Basis

UK GDPR Article 33 (notification to supervisory authority); UK GDPR Article 34 (communication to the data subject); Data Protection Act 2018 s.67. 72-hour clock runs from becoming aware of the breach, not from the breach itself.

Common Mistakes to Avoid

  • Waiting for full information before reporting — initial notifications can be progressive
  • Forgetting to notify the affected data subjects under Article 34 where the breach is likely to result in a high risk
  • Not keeping an internal breach register (mandatory under Article 33(5))
  • Treating containment / forensic investigation as a substitute for ICO notification
  • Failing to identify the breach DPO contact for the ICO to follow up

Build Your Letter

Fill in your details

Complete the fields below. Required fields are marked with *.

Optional fields

Letter preview

[ORGANISATION NAME]
[ORGANISATION REGISTERED ADDRESS]
ICO Registration Number: [ICO REGISTRATION NUMBER]

[TODAY'S DATE]

The Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF

---

**PERSONAL DATA BREACH NOTIFICATION — UK GDPR Article 33**

Reference: [INTERNAL BREACH REFERENCE]

**1. Data controller details**

Organisation: [ORGANISATION NAME]
ICO Registration: [ICO REGISTRATION NUMBER]
Data Protection Officer / contact: [DPO OR DATA-PROTECTION CONTACT NAME], [DPO EMAIL], [DPO PHONE]

**2. Nature of the breach**

Date and time of breach (or first awareness): [DATE/TIME YOU BECAME AWARE OF THE BREACH]
Date and time of containment (if applicable): [DATE/TIME OF CONTAINMENT (IF KNOWN)]

Description of the breach:

[FACTUAL DESCRIPTION OF THE BREACH]

Categories of personal data affected:

[CATEGORIES OF PERSONAL DATA AFFECTED]

Approximate number of data subjects affected: [APPROXIMATE NUMBER OF DATA SUBJECTS AFFECTED]
Approximate number of personal data records concerned: [APPROXIMATE NUMBER OF RECORDS CONCERNED]

**3. Likely consequences**

We assess the likely consequences for affected data subjects as follows:

[LIKELY CONSEQUENCES FOR AFFECTED SUBJECTS]

**4. Measures taken or proposed**

Containment measures already taken:

[CONTAINMENT MEASURES TAKEN]

Remediation measures planned:

[REMEDIATION MEASURES PLANNED]

**5. Communication to data subjects**

[PLAN FOR NOTIFYING AFFECTED DATA SUBJECTS (ARTICLE 34)]

**6. Cross-border element**

[CROSS-BORDER DATA FLOW INVOLVED?]

**Additional information**

[ANY ADDITIONAL INFORMATION]

We will provide further information as the investigation progresses. The point of contact for any follow-up is [DPO OR DATA-PROTECTION CONTACT NAME] at [DPO EMAIL].

Yours faithfully,

[SIGNATORY NAME]
[SIGNATORY ROLE]
[ORGANISATION NAME]

Unfilled fields appear as [FIELD NAME]. Review the letter carefully before sending. This template is a starting point — adapt it to your specific circumstances.

Related Guides