Create a comprehensive UK GDPR Data Breach Notification Form compliant with Articles 33 and 34 of the UK General Data Protection Regulation and Section 108 of the Data Protection Act 2018. This template covers mandatory ICO notification within the 72-hour window, data subject communication obligations, breach classification (confidentiality, integrity, availability), categories of personal data affected, scale assessment, risk evaluation, remediation measures, and cross-border supervisory authority notifications under the NIS Regulations 2018. Suitable for data controllers of all sizes operating in England and Wales. Download as PDF or Word.

What Is a GDPR Data Breach Notification Form (England & Wales)?

A UK GDPR Data Breach Notification Form is a structured document used by data controllers to formally record and report personal data breaches to the Information Commissioner's Office (ICO) and, where required, to affected individuals. The obligation to notify arises under Articles 33 and 34 of the UK General Data Protection Regulation (UK GDPR), which is the version of the EU GDPR incorporated into UK domestic law by the European Union (Withdrawal) Act 2018 and subsequently amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The Data Protection Act 2018 supplements the UK GDPR and, in particular, Section 108 imposes obligations on processors to notify controllers without undue delay after becoming aware of a personal data breach.

A personal data breach is defined in Article 4(12) of the UK GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Breaches may be categorised as confidentiality breaches (unauthorised disclosure or access), integrity breaches (unauthorised alteration of data), or availability breaches (loss of access or destruction of data). In practice, a single incident may involve elements of all three.

The ICO is the UK's independent supervisory authority for data protection, established under Section 114 of the Data Protection Act 2018. The ICO has extensive enforcement powers, including the ability to impose administrative fines of up to £17.5 million or 4% of global annual turnover for the most serious UK GDPR infringements. The ICO takes a proportionate approach to enforcement and has consistently emphasised that prompt, transparent reporting of breaches is viewed favourably, while delayed or concealed notifications attract more severe regulatory action.

This notification template is designed to help data controllers comply with the mandatory content requirements of Article 33(3), document breaches in accordance with Article 33(5), and assess whether communication to data subjects is required under Article 34. It covers all relevant legislation including the Network and Information Systems (NIS) Regulations 2018 for operators of essential services and relevant digital service providers.

When Do You Need a GDPR Data Breach Notification Form (England & Wales)?

A Data Breach Notification Form is needed whenever a data controller becomes aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons. The risk threshold for ICO notification under Article 33 is lower than the high-risk threshold that triggers individual notification under Article 34, meaning that many breaches require ICO notification but not individual communication.

You need to complete a Data Breach Notification when your organisation experiences an unauthorised access incident, such as a cyber attack, hacking attempt, or ransomware infection that compromises personal data. Modern ransomware attacks typically constitute availability breaches (data encrypted and inaccessible) as well as confidentiality breaches (data exfiltrated prior to encryption), and both aspects must be addressed in the notification.

A notification is also required when an employee accidentally sends an email containing personal data to the wrong recipient, discloses a password to an unauthorised person, or loses a device (laptop, USB drive, mobile phone) containing unencrypted personal data. Human error is one of the most common causes of personal data breaches reported to the ICO, and even inadvertent disclosures must be assessed against the notification threshold.

Where a third-party processor (cloud provider, outsourced IT support, payroll bureau) experiences a breach affecting your organisation's personal data, the processor must notify the controller without undue delay under Article 33(2) and Section 108 of the Data Protection Act 2018. The controller is then responsible for assessing whether the breach requires ICO notification within the 72-hour window.

Every breach, including those that fall below the ICO notification threshold, must be documented in the organisation's internal breach register under Article 33(5). This notification form can serve as the basis for that internal documentation. Healthcare providers, financial services firms, telecoms operators, and other regulated organisations may have additional sector-specific breach reporting obligations imposed by their sector regulator alongside UK GDPR obligations.

What to Include in Your GDPR Data Breach Notification Form (England & Wales)

Organisation and DPO Identification — The notification must clearly identify the data controller by full legal name, registered address, and ICO registration number. The Data Protection Officer's (DPO) contact details must be provided, as the ICO will direct further enquiries to the DPO. Under UK GDPR Article 37, organisations that process special category data on a large scale, conduct large-scale systematic monitoring, or are public authorities must appoint a DPO. Even organisations that are not required to appoint a DPO should designate a named individual responsible for data protection and breach management.

Breach Timeline — The exact date and time of breach discovery must be recorded, as this marks the start of the 72-hour notification window under Article 33(1). The date of occurrence (when the breach actually happened, which may be different from the date of discovery) should also be stated, along with an explanation if there is a significant gap between occurrence and discovery. The ICO requires organisations to explain any delay in notifying beyond the 72-hour deadline.

ICO Notification Status — The form records whether the ICO has been notified and, if so, the ICO reference number assigned. Where notification has been made within 72 hours, this should be confirmed. Where notification is delayed, reasons must be documented. The ICO's online breach notification tool at ico.org.uk allows initial reports to be submitted with limited information, with additional details to follow.

Breach Classification — The type of breach (confidentiality, integrity, availability, or a combination) must be identified in accordance with the UK GDPR Article 4(12) definition. The breach description should provide a clear factual account of what happened, how it was discovered, the systems and data affected, and the likely cause. Factual accuracy is critical — ICO investigations have highlighted cases where inaccurate breach notifications have led to increased regulatory scrutiny.

Categories and Volume of Data — Article 33(3)(a) requires identification of the categories of personal data affected and the approximate number of records and data subjects involved. Special category data (health, biometric, criminal, children's data) attracts heightened risk assessment and may automatically trigger the high-risk threshold for individual notification under Article 34.

Likely Consequences and Risk Assessment — The notification must describe the likely consequences of the breach for affected individuals. The ICO expects a structured risk assessment considering: the type of data involved, the number of individuals affected, the likelihood that harm will materialise, and the severity of that harm. The four key harms the ICO considers are: physical harm, material harm (financial loss, identity fraud), non-material harm (distress, damage to reputation), and loss of control over personal data.

Remediation Measures — The controller must describe both the immediate containment steps taken (isolating affected systems, revoking compromised credentials, patching vulnerabilities) and the longer-term measures to prevent recurrence and mitigate harm to individuals (offering credit monitoring, resetting passwords, notifying individuals to be vigilant against phishing).

Individual Notification — Where the breach presents a high risk to individuals, Article 34 requires direct communication to those individuals without undue delay. The notification must be in clear and plain language and include: the DPO's contact details, the likely consequences, and the measures taken. The method of communication (individual email, letter, SMS, or public announcement) must be appropriate to reach affected individuals effectively.

Cross-Border and NIS Considerations — Where data relating to individuals in other jurisdictions is affected, or where the organisation is an operator of essential services or relevant digital service provider under the NIS Regulations 2018, additional notification obligations to other supervisory authorities may arise. This section of the notification form documents all regulatory notifications made.

Declaration and Signature — The form must be signed by an authorised representative (typically the DPO or senior management) confirming the accuracy of the information and the organisation's ongoing commitment to provide updated information as the investigation proceeds.
