Data Breach Notification Requirements: What You Must Do (2026)
When a data breach occurs, the clock starts ticking immediately. Different laws impose different deadlines, and failing to notify on time can turn a manageable incident into a catastrophic one. This page sets out the main notification obligations under the GDPR and UK GDPR, the ICO process, and US state law, and what your privacy policy and response plan should say about them.
What Counts as a Personal Data Breach?
A personal data breach is not limited to hackers stealing your database. Under the GDPR (Article 4(12)), a breach is any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Loss of availability counts as well as loss of confidentiality. This definition is broader than most people realise.
Common examples include:
- A cyber attack that exposes customer email addresses and passwords
- An employee accidentally emailing a spreadsheet of customer data to the wrong recipient
- A laptop containing unencrypted personal data being stolen or lost
- Ransomware locking access to personal data, even if no data is exfiltrated (loss of availability is a breach; so is accidental deletion of personal data with no usable backup)
- A software bug that temporarily makes user accounts accessible to other users
- Improper disposal of paper records containing personal information
The key point is that a breach does not require malicious intent. An accidental exposure counts just the same as a deliberate attack under most data protection laws.
GDPR Breach Notification: The 72-Hour Rule
Under Articles 33 and 34 of the GDPR (and the UK GDPR), data controllers have strict obligations when a personal data breach occurs.
Notification to the Supervisory Authority
You must notify the relevant supervisory authority (the Information Commissioner's Office (ICO) in the UK, or the data protection authority of the relevant EU member state) without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach. The clock runs from awareness, not from when the breach occurred, and it counts calendar hours: a breach confirmed on a Friday evening is due for report by Monday evening. Under EDPB guidance you are "aware" once you have a reasonable degree of certainty that a security incident has compromised personal data; a short initial investigation to establish that is allowed, but it is not a licence to wait for the full forensic report. A processor that discovers a breach must notify the controller without undue delay (Article 33(2)), so processor contracts should set an internal reporting deadline well inside the 72 hours.
The obligation is framed the other way round from how it is often described: notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals, and the burden is on you to justify not reporting. The standard example of a low-risk breach is the loss of a device whose data was encrypted with a strong, properly managed key that was not itself compromised; if the key was stored on the same device or otherwise exposed, the exception does not apply. Whether or not you report, Article 33(5) requires you to record the breach and your reasoning internally (see Step 5 below).
Article 33(4) allows the information to be provided in phases. If you cannot provide full details within 72 hours, you should:
- Provide an initial notification with the information you have, rather than waiting until the investigation is complete
- Follow up with additional details as your investigation progresses
- If the initial notification itself is later than 72 hours, state the reasons for the delay (Article 33(1) requires this)
Notification to Affected Individuals
If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those individuals directly, without undue delay. The communication must be in clear, plain language and must describe:
- The nature of the breach
- The name and contact details of your data protection officer (if you have one) or another contact point
- The likely consequences of the breach
- The measures you have taken or propose to take to address the breach, including measures to mitigate its effects
Article 34(3) sets out when direct notification is not required: where the data was protected by measures such as encryption that render it unintelligible to anyone not authorised to access it, where subsequent measures have removed the high risk, or where contacting individuals one by one would involve disproportionate effort, in which case a public communication of equivalent effect is required instead. The supervisory authority can also order you to notify individuals if it disagrees with your risk assessment (Article 34(4)).
UK ICO Breach Notification: Step by Step
If you are a UK-based organisation or process UK residents’ data, the ICO is your supervisory authority. Here is the process:
- Step 1: Contain the breach. Take immediate action to stop the breach and limit its impact. This might mean shutting down a compromised system, revoking or rotating access credentials, or isolating affected servers. Where you can, preserve evidence before you destroy it: snapshot a compromised virtual machine or export its logs before rebuilding it, because the investigation and any later legal proceedings will depend on them.
- Step 2: Assess the risk. Determine what data was affected, how many individuals are involved, and what the likely consequences are for them (the test is risk to individuals, not risk to the business). Consider the sensitivity of the data, since financial information and health records carry higher risk than email addresses alone, and whether the data was protected at the time it was exposed, for example encrypted at rest or stored as properly hashed passwords.
- Step 3: Report to the ICO. Use the ICO's online breach reporting form at ico.org.uk. Article 33(3) sets out what the report must contain: the nature of the breach, including the categories and approximate numbers of individuals and records concerned; the contact details of your data protection officer or another contact point; the likely consequences; and the measures taken or proposed, including mitigation. Submit within 72 hours of becoming aware of the breach, even if some of these details are still marked as "under investigation".
- Step 4: Notify affected individuals. If the breach poses a high risk to individuals, contact them directly via email, letter, or other appropriate means. If the breach involved compromised email accounts or a compromised customer messaging system, do not send the notification through it, since the attacker may still be reading it. Keep the message itself free of the features you tell users to distrust: no unexpected links asking them to log in or "verify" their account, and a way to confirm the notice through your known website or support channel.
- Step 5: Document everything. Article 33(5) requires you to maintain a record of all breaches, regardless of whether they were reported to the ICO. This record must include the facts of the breach, its effects, and the remedial action taken, and it should also record the risk assessment and the reasons for any decision not to report, because the ICO can ask to see it.
US State Breach Notification Laws
The United States does not have a single federal data breach notification law (though proposals continue to be debated in Congress). Instead, all 50 states, the District of Columbia, and several US territories have enacted their own breach notification statutes, and sector rules such as HIPAA add their own. This creates a complex patchwork of requirements, and the state that applies is generally the state where the affected individual resides, not where your business is based.
Key Differences Between States
- Notification timelines vary significantly. Some states require notification within 30 days (e.g., Colorado, Florida), while others specify 45, 60, or 90 days. Several states have no specific deadline, requiring only notification “without unreasonable delay.”
- Definition of personal information differs. Some states only cover names combined with Social Security numbers, financial account numbers, or driver’s licence numbers. Others have expanded definitions that include biometric data, health information, email credentials, and geolocation data.
- Attorney General notification. Many states require you to notify the state Attorney General in addition to affected individuals, particularly when the breach exceeds a certain threshold (often 500 or 1,000 individuals).
- Safe harbour provisions. Most states provide a safe harbour if the breached data was encrypted, rendering it unreadable without the decryption key. The safe harbour is usually conditioned on the key not also having been acquired, so a stolen laptop with the encryption passphrase on a sticky note does not qualify.
California CCPA/CPRA Breach Requirements
California has some of the most stringent data breach requirements in the US. California's breach notification statute (Civil Code section 1798.82) predates the CCPA: it requires notice to affected residents in the most expedient time possible and without unreasonable delay, and a copy of the notice to the Attorney General when more than 500 California residents are affected by a single breach. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), adds the financial exposure:
- Consumers whose nonencrypted and nonredacted personal information was subject to unauthorised access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security may bring a private right of action (Civil Code section 1798.150). A consumer must give 30 days' written notice before suing for statutory damages, and since the CPRA, implementing reasonable security after the breach does not count as curing the violation
- Statutory damages range from $100 to $750 per consumer per incident, or actual damages, whichever is greater. The CPRA requires these figures to be adjusted for inflation, so check the current amounts published by the California Privacy Protection Agency
- The Attorney General and the California Privacy Protection Agency can seek civil penalties of up to $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of minors under 16, likewise subject to inflation adjustment
- The duty to implement and maintain "reasonable security procedures and practices appropriate to the nature of the information" (Civil Code section 1798.81.5) is the hook for the private right of action, so document the controls you had in place at the time of the breach
The combination of statutory damages and a private right of action makes California breaches particularly costly. A breach affecting 10,000 California residents could result in damages of $1 million to $7.5 million even before considering actual harm.
What Your Privacy Policy Should Say About Data Breaches
Your privacy policy should include a clear section on data breach procedures. While you do not need to reveal your entire incident response plan, you should cover:
- Your commitment to protecting personal data with appropriate security measures
- A statement that you will notify affected individuals and relevant authorities in the event of a breach, in accordance with applicable law
- Any timeframe within which you will provide notification. Be careful with specific numbers: the 72-hour GDPR deadline applies to notifying the regulator, not individuals, and a published promise you then miss is itself a misrepresentation that the FTC and state regulators can act on. "Without undue delay and in accordance with applicable law" is safer than a number you cannot guarantee
- How you will communicate breach notifications (email, post, public notice)
- Contact details for individuals to reach you with questions about a breach
This transparency builds trust with your users and demonstrates compliance to regulators.
Breach Notification Checklist
When a breach occurs, use this checklist to ensure you cover all critical steps:
- Contain the breach immediately — stop ongoing unauthorised access
- Assemble your incident response team (IT, legal, communications)
- Document the breach: what happened, when, what data was affected, how many individuals
- Assess the risk level: low, medium, or high risk to affected individuals
- If GDPR/UK GDPR applies: notify the ICO or relevant authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (and record the reasoning if you decide not to report)
- If high risk to individuals: notify affected persons directly without undue delay
- Determine which US state laws apply (if you have US users) and meet their timelines
- Preserve evidence for forensic investigation and potential legal proceedings
- Review and strengthen security measures to prevent recurrence
- Update your internal breach register with full details of the incident and response
- Conduct a post-incident review and update your breach response plan
Consequences of Failing to Notify
The penalties for failing to comply with breach notification requirements can be severe:
GDPR Fines
Failure to notify a breach to the supervisory authority or to affected individuals (Articles 33 and 34) falls under the lower tier of GDPR fines: up to €10 million or 2% of annual worldwide turnover, whichever is higher (£8.7 million or 2% under the UK GDPR). The security failure that allowed the breach is assessed separately under Article 5(1)(f) and Article 32, and a breach of the Article 5 principles sits in the upper tier of €20 million or 4% (£17.5 million or 4% in the UK). That is the tier behind the ICO's headline fines: British Airways (£20 million) and Marriott International (£18.4 million) were penalised for inadequate security measures rather than for late notification. How and when you notified is also a factor the authority must weigh when setting the fine for the underlying failure (Article 83(2)(h)).
FTC Actions (US)
The Federal Trade Commission acts under Section 5 of the FTC Act against companies whose data security is unreasonable (an unfair practice) or whose published security and privacy claims are false (a deceptive practice); a privacy policy that promises prompt breach notification and is not honoured falls in the second category. Consent orders typically run for 20 years and require a documented security programme and independent third-party assessments. The FTC generally cannot fine a first-time Section 5 violation, but violating an existing order, or a specific rule such as COPPA or the Health Breach Notification Rule, carries civil penalties.
Class Action Lawsuits
Particularly in the US, data breaches frequently trigger class action lawsuits. The 2017 Equifax breach led to a 2019 settlement with the FTC, the Consumer Financial Protection Bureau and state attorneys general worth up to $700 million, alongside consumer class actions. Even smaller breaches can lead to costly litigation, especially in California where the CCPA provides a private right of action with statutory damages.
Reputational Damage
Beyond financial penalties, a poorly handled breach erodes customer trust. Customers are more likely to forgive a breach that is disclosed promptly and explained honestly than one they learn about from the press or from fraud on their accounts. The organisations that fare worst are those whose notification arrives long after the attacker's access ended, or that are later found to have concealed a breach.
How to Prepare: Building a Data Breach Response Plan
The best time to plan for a breach is before one happens. Every organisation that processes personal data should have a documented breach response plan that includes:
- Clear roles and responsibilities. Who leads the response? Who communicates with regulators? Who handles media inquiries? Who manages technical containment?
- Detection and escalation procedures. How will you identify a breach? What monitoring tools are in place? Who should be alerted first? The regulatory clock can start when your helpdesk or SOC first sees the evidence, so the path from first alert to the person who can assess the breach must be measured in hours, not days.
- Assessment criteria. A framework for quickly determining the severity and scope of a breach, and whether regulatory notification is required.
- Notification templates. Pre-drafted templates for notifying regulators and affected individuals, so you are not writing from scratch during a crisis.
- Communication plan. How and when you will communicate with customers, employees, media, and business partners.
- Third-party contacts. A list of external resources: legal counsel, forensic investigators, PR consultants, and relevant regulatory contacts.
- Regular testing. Conduct tabletop exercises at least annually, walking a realistic scenario (a stolen laptop, a compromised SaaS account, ransomware) end to end from detection to regulator notification, so your team knows the plan and can execute it under pressure.
Protect Your Business with the Right Privacy Policy
A well-drafted privacy policy does not prevent a breach, and it is no substitute for the security measures a regulator will examine after one, but it matters in a breach scenario. It demonstrates to regulators that you take data protection seriously, it sets clear expectations with your users, and it records the notification commitments you will be held to.
LegalForge generates privacy policies that include proper data breach disclosure clauses, tailored to the jurisdictions you operate in — whether that’s the UK, EU, US, or all three. Answer a few questions about your business, and receive a comprehensive, legally informed policy in under 60 seconds.