What Is a Data Breach Protocol?
A data breach protocol is a documented procedure for identifying, containing, assessing, and reporting a personal data breach in compliance with UK GDPR's 72-hour notification requirement.
Key Takeaways
- A personal data breach must be reported to the ICO within 72 hours of you becoming aware of it, if it poses a risk to individuals.
- High-risk breaches must also be reported directly to the affected individuals without undue delay.
- Having a documented breach protocol before a breach occurs is essential — 72 hours is very little time.
- Not every data incident is a reportable breach — you must assess the risk to individuals' rights and freedoms.
What a personal data breach is
Under UK GDPR, a personal data breach is defined as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.' This covers a very wide range of incidents: a laptop containing customer data stolen or lost, an email sent to the wrong recipient, a cyberattack that exfiltrates personal data, an employee accidentally deleting a customer database, or a supplier exposing your client data through inadequate security. Not every breach is reportable — you must assess the risk to individuals' rights and freedoms. If the breach is unlikely to result in any risk to individuals (for example, encrypted data on a lost device with a strong recovery process), it does not need to be reported to the ICO, but it must still be internally documented.
The 72-hour notification requirement
If you determine that a personal data breach is likely to result in a risk to the rights and freedoms of individuals — for example, risk of identity theft, financial loss, discrimination, or reputational damage — you must notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. The 72-hour clock starts when any person in your organisation becomes aware of a breach — not when the data protection officer or senior management is told. This is why having a clear internal escalation path is critical. If you cannot provide full details within 72 hours, you can submit an initial notification and follow up with additional information — this is preferable to missing the deadline. The ICO provides an online breach report form at ico.org.uk.
What to include in your breach protocol
A practical data breach protocol for an SME does not need to be complex. It should cover:
- how staff should identify and report a suspected breach internally (and to whom);
- who is responsible for assessing the severity of the breach and making the reportability decision;
- the criteria for assessing risk to individuals (using the ICO's published guidance);
- the process for notifying the ICO within 72 hours;
- when and how to notify affected individuals;
- how to contain the breach and prevent further exposure; and
- how to document the incident and the decisions made.
The documentation requirement is important: even non-reportable breaches must be recorded in your internal breach log, which the ICO may ask to review during an investigation or audit.
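The decision flow above (log every incident, report to the ICO only where there is a risk, tell individuals only where the risk is high, and run the 72-hour clock from first awareness by anyone in the organisation) can be captured in a small breach register. The following is an added illustration, not code from the original article or from the ICO: the `Risk` categories, the `assess` helper, the incident references and the timestamps are all constructed for the example, and the risk classification itself remains a human judgement made against the ICO's guidance.

```python
"""Minimal breach register illustrating the decision flow in an SME breach protocol.

Constructed example: incident references, timestamps and descriptions are made up.
Risk classification is a human judgement made against the ICO's guidance; this
code only records that judgement and derives the consequences (who to notify,
by when) plus the internal log entry that must exist whether or not the breach
is reportable.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List

# UK GDPR Article 33: notify the ICO within 72 hours of becoming aware.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)


class Risk(Enum):
    """Outcome of the risk assessment step (assumed labels, not ICO terminology)."""
    UNLIKELY = "unlikely to result in a risk to individuals"
    RISK = "likely to result in a risk to individuals"
    HIGH = "likely to result in a high risk to individuals"


@dataclass
class BreachRecord:
    reference: str                 # internal id such as "BR-0001" (constructed)
    description: str
    first_aware_at: datetime       # moment ANY member of staff became aware
    risk: Risk                     # result of the risk assessment step
    decisions: List[str] = field(default_factory=list)  # audit trail of who decided what

    def ico_deadline(self) -> datetime:
        """The 72-hour clock runs from first awareness, not from escalation to the DPO."""
        return self.first_aware_at + ICO_NOTIFICATION_WINDOW


def assess(record: BreachRecord, now: datetime, details_complete: bool = True) -> dict:
    """Apply the reportability rules and return the actions the protocol requires."""
    notify_ico = record.risk in (Risk.RISK, Risk.HIGH)
    notify_individuals = record.risk is Risk.HIGH
    remaining = record.ico_deadline() - now
    return {
        "reference": record.reference,
        "log_internally": True,          # every breach is logged, reportable or not
        "notify_ico": notify_ico,
        "notify_individuals": notify_individuals,
        "ico_deadline": record.ico_deadline().isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        "ico_deadline_missed": notify_ico and remaining < timedelta(0),
        # If full details cannot be gathered in time, file an initial notification
        # and follow up rather than let the deadline pass.
        "file_initial_notification": notify_ico and not details_complete,
    }


def sample_register() -> List[BreachRecord]:
    """Two constructed incidents showing the reportable / non-reportable split."""
    aware = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)  # constructed timestamp
    return [
        BreachRecord(
            reference="BR-0001",
            description="Unencrypted laptop holding customer records left on a train",
            first_aware_at=aware,
            risk=Risk.HIGH,
            decisions=["Sales assistant reported the loss to the office manager at 09:15"],
        ),
        BreachRecord(
            reference="BR-0002",
            description="Encrypted USB stick lost; key held separately, data restored from backup",
            first_aware_at=aware,
            risk=Risk.UNLIKELY,
            decisions=["DPO assessed: encrypted, no access possible, not reportable"],
        ),
    ]


if __name__ == "__main__":
    # Review the register one day after the incidents came to light.
    records = sample_register()
    review_time = records[0].first_aware_at + timedelta(hours=24)
    for rec in records:
        outcome = assess(rec, review_time, details_complete=False)
        print(rec.reference, rec.description)
        for key, value in outcome.items():
            print(f"  {key}: {value}")
```

Running the script shows BR-0001 needing both an ICO notification (48 hours left, initial notification because details are incomplete) and direct notification of the affected individuals, while BR-0002 is not reportable but still produces a log entry. Keeping the `decisions` trail on every record is what gives you something to show the ICO if it later asks why a non-reportable incident was judged that way.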
Practical steps to reduce breach risk
The best breach response is prevention. SME-level technical measures that significantly reduce breach risk include:
- using strong, unique passwords and multi-factor authentication (MFA) on all business accounts;
- encrypting devices and external storage media;
- using a reputable business email platform with anti-phishing protections;
- implementing role-based access controls (staff should only access data they need for their role);
- ensuring data processing agreements are in place with all third-party processors; and
- providing basic data protection awareness training to all staff.
The ICO's enforcement data consistently shows that the most common causes of reportable breaches in SMEs are phishing attacks, data sent to wrong recipients, and unencrypted lost devices — all of which are preventable with appropriate controls and training.