The GDPR requirement to report certain personal data breaches within 72 hours is one of the most widely cited obligations in the regulation. This article looks at why the rule is often misunderstood, where delays tend to happen, and what organisations need to do to respond more effectively.

On the surface, the requirement appears straightforward. If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, it must be reported to the Information Commissioner’s Office (ICO) within 72 hours of the organisation becoming aware of it. Where the breach presents a high risk and is likely to have a severe impact on those affected, there may also be an obligation to notify the individuals concerned. In practice, however, this is one of the areas where organisations most frequently fall short. Delays, uncertainty and missed reporting obligations are still common, even among otherwise mature organisations.

When Does the 72-Hour Clock Actually Start?

A major source of confusion is the concept of “awareness”. Many teams assume the 72-hour window begins only once a full investigation has been completed. This is not correct.

According to guidance from the ICO, the clock starts when an organisation has a reasonable degree of certainty that a security incident has occurred and that personal data has been compromised. This point can come much earlier than expected, sometimes shortly after initial detection.

The European Data Protection Board reinforces this interpretation, stating that organisations should not wait for full confirmation or complete details before considering themselves “aware” of a breach.

This misunderstanding alone is a key reason why organisations miss the deadline.

The Hesitation Problem: Waiting Too Long to Report

Another common issue is the instinct to delay reporting until all the facts are known. From an operational perspective, this is understandable. Teams want to avoid submitting incomplete or inaccurate information.

However, GDPR is clear that this is not required. Under Article 33, organisations can submit an initial notification within 72 hours and provide further details in phases as more information becomes available.

Guidance from the European Union Agency for Cybersecurity emphasises that early notification, even with partial information, is preferable to delayed reporting. The expectation is transparency and timeliness, not perfection.

In reality, waiting for a complete picture often leads to unnecessary delays and, ultimately, non-compliance.

Internal Communication Breakdowns

In many organisations, the biggest challenge is not identifying incidents but escalating them quickly enough.

Security or IT teams may detect unusual activity, but it is not always immediately recognised as a potential personal data breach. Without clear thresholds and escalation paths, incidents can sit unresolved while teams assess technical details.

By the time legal or compliance teams are brought in, valuable time has already been lost. The ICO consistently highlights the importance of having internal reporting lines and breach response procedures in place to avoid this scenario.

This is not a technology problem. It is an organisational one.

The Complexity of Third Party and Supply Chain Breaches

Modern IT environments add another layer of difficulty. Many organisations rely on third party providers to store or process data. When those providers experience a breach, responsibility does not simply disappear.

If personal data is affected, the organisation acting as the data controller may still have reporting obligations. This often creates delays, as businesses wait for suppliers to confirm what has happened before taking action.

Guidance from both the ICO and the European Data Protection Board makes it clear that organisations cannot rely on third parties alone. They must act based on the information available to them and assess risk independently.

What Happens If You Get It Wrong?

Failing to report a breach within 72 hours is not a minor technicality. Regulators treat it as a serious compliance issue.

The ICO has the power to issue fines and enforcement action where organisations fail to meet their obligations. More importantly, late reporting can increase the risk to affected individuals and damage trust with customers, partners and regulators.

According to the UK Government’s Cyber Security Breaches Survey, a significant proportion of UK businesses continue to experience cyber incidents each year. This makes effective breach handling and timely reporting an essential capability, not a rare edge case.

What Good Looks Like in Practice

Organisations that consistently meet the 72-hour requirement tend to approach it differently. They do not treat it as a legal formality. Instead, they build it into their operational processes.

This usually includes clearly defining what constitutes a reportable breach, establishing simple and rapid escalation paths, and ensuring that key teams are aligned before an incident occurs. Regular testing also plays an important role. Exercises and simulations help teams understand their responsibilities and identify gaps before a real breach happens.

The ICO specifically recommends having documented breach response procedures and ensuring staff are trained to recognise and escalate incidents quickly.

It’s Not Just About Compliance

At its core, the 72-hour rule is about preparedness. It is a measure of how quickly and effectively an organisation can respond under pressure. If a business struggles to assess, escalate and report a breach within that timeframe, it often points to wider issues in incident response, governance and communication.

GDPR did not introduce the 72-hour rule simply to create another compliance obligation. It was designed to encourage organisations to take breach response seriously and to act quickly when personal data is at risk. For UK organisations, the message is clear. Meeting the 72-hour requirement is not just about avoiding fines. It is about demonstrating that you are capable of managing real-world cyber risk in a timely and responsible way.

How AJC Can Help

AJC supports organisations in strengthening their data protection frameworks, breach response processes and wider governance arrangements. Our Data Protection services help clients review incident procedures, clarify reporting responsibilities and build practical compliance processes that stand up under pressure.

Sources:

https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/

https://www.legislation.gov.uk/eur/2016/679/contents

https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en

https://www.enisa.europa.eu/about-enisa/data-protection/data-protection

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2024
