What Is a Data Breach? A Plain-English Guide for Small Businesses & Charities


Something has happened. Maybe a laptop has gone missing. Maybe an email landed in the wrong inbox. Maybe you’ve just discovered that a member of staff has been accessing customer records they had no reason to look at. And now you’re wondering: does this count as a data breach? Do I need to report it? And to whom?

These are the right questions to be asking, and this article answers them directly. No jargon, no worst-case scaremongering, just what the law actually says, and what you need to do.

What the Law Actually Means by "Data Breach"

Under UK GDPR, a personal data breach is defined as a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

In plain English: a breach is any incident where personal data, which is information that could identify a living person, is affected in a way it shouldn’t be. That could mean data being lost, stolen, accidentally deleted, sent to the wrong person, or accessed by someone who had no right to see it.

It does not have to involve a cyber attack. It does not have to involve technology at all. A box of paper client records left on a train is a data breach. An email sent to a hundred customers with everyone’s address visible in the CC field is a data breach. A disgruntled former employee accessing systems after their account should have been closed is a data breach.

The common thread is personal data being exposed or handled in a way it shouldn’t have been, regardless of whether anyone intended that to happen.

Not Every Breach Needs to Be Reported

Here is the part that most people don’t realise: not every data breach has to be reported to the ICO. The reporting obligation is triggered by risk: specifically, the risk to the rights and freedoms of the individuals whose data was involved.

Under UK GDPR, you must report a breach to the ICO if it is likely to result in a risk to people’s rights and freedoms. If that risk is unlikely, you do not have a reporting obligation, but you do still need to document the breach internally.

Breaches that are likely to need reporting

In practice, breaches that are likely to meet the reporting threshold include:

  • Loss or theft of unencrypted devices containing personal data (laptops, phones, USB drives)
  • Emails containing sensitive personal information sent to the wrong recipient
  • A cyber attack that has accessed or exfiltrated personal data
  • Accidental publication of personal data on a website or shared platform
  • Unauthorised access to customer or employee records by a third party
  • Ransomware that has encrypted personal data you can no longer access

Breaches that may not need reporting

Lower-risk incidents may not meet the reporting threshold. Examples include:

  • An internal email sent to the wrong colleague where the data involved is limited and not sensitive, and where you can be confident it has been deleted without being shared further
  • Temporary loss of access to personal data that is quickly recovered with no evidence of external access
  • Accidental deletion of data that is immediately restored from backup

The main thing to ask in each case is: could this realistically cause harm to the people whose data was involved? Harm means things like financial loss, discrimination, damage to reputation, or significant distress. If the answer is genuinely no, the risk threshold may not be met.

When in doubt, document it and get advice. The ICO’s own guidance is clear that it would rather hear about a breach that turns out not to need reporting than not hear about one that did.

An infographic giving options on categorising data breach situations

The 72-Hour Rule — and When the Clock Starts

If a breach does need to be reported, UK GDPR requires you to notify the ICO within 72 hours of becoming aware of it.

That phrase, becoming aware, carries a lot of weight. The clock does not start when you have completed your investigation. It does not start when you are certain of the full extent of what happened. It starts when you have reasonable grounds to believe that a breach has occurred.

In practice, this means the moment you think “this might be a breach” is roughly the moment the clock starts, not the moment you can prove it.

72 hours is not a long time when you are also dealing with the incident itself, managing staff, communicating with customers, and trying to understand the full picture. This is why having even a basic process in place before something happens makes an enormous difference.

If the 72-hour window passes before you can submit a full notification, you can still report, but you will need to explain the delay. The ICO takes a more sympathetic view of organisations that report late than of those that don’t report at all.

What if the breach is higher risk?

If a breach is likely to result in a high risk to individuals, for example if sensitive data such as financial details, health information, or passwords has been exposed, you may also need to notify the affected individuals directly, without undue delay. This is a separate obligation on top of notifying the ICO, and the threshold for it is higher: likely high risk, not just possible risk.

Does This Need to Be Reported? A Quick Check

If something has just happened and you’re trying to work out where you stand, run through these questions:

Is personal data involved? If no personal data is affected, UK GDPR breach obligations don’t apply (though other obligations may).

Is the risk to affected individuals unlikely? If you can genuinely say there is no realistic risk of harm, and document why, you may not have a reporting obligation. Record the incident internally regardless.

Is the risk possible or likely? Report to the ICO within 72 hours. You don’t need to have all the answers before you report; you can submit an initial notification and update it as more information becomes available.

Is the risk high? Report to the ICO and consider whether you need to notify the affected individuals directly.

If you’re not certain which category you’re in, which is most of the time in the first hour, the right default is to act as if reporting may be required and work backwards from there. Starting the process costs nothing. Failing to report when you should have carries real regulatory risk.

What You Need to Do Right Now

If you think a breach may have occurred, the immediate priority is containment, stopping whatever is happening from getting worse, followed by assessment, then notification if required.

Document everything from the start. When was the breach first noticed? Who noticed it? What personal data appears to be involved? What have you done in response? This log is essential for the ICO notification if you need to make one, and for your own records if you don’t.
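As an added illustration, not code from this article, the ICO or any official tool, here is the quick check from the previous section and the incident log described in this step written as a small Python helper. The four questions become a triage function (with "not yet sure" defaulting to "treat as reportable", as the article advises), and the log records the moment of awareness and derives the 72-hour ICO deadline from that moment rather than from the end of the investigation. The laptop scenario, timestamps, names and data categories are all constructed for the example; the outcome labels are the article's, not ICO wording.

```python
"""Breach triage and 72-hour clock helper (added illustration, not ICO tooling)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Optional, Tuple

# UK GDPR Article 33: notify the ICO within 72 hours of becoming aware of a breach.
ICO_WINDOW = timedelta(hours=72)


class Risk(Enum):
    UNLIKELY = "unlikely"   # no realistic prospect of harm, and you can document why
    POSSIBLE = "possible"   # harm is possible or likely
    HIGH = "high"           # e.g. financial details, health data or passwords exposed


class Outcome(Enum):
    NO_GDPR_BREACH_DUTY = "no personal data involved: UK GDPR breach duties do not apply"
    DOCUMENT_INTERNALLY = "risk unlikely: record the incident internally, no ICO report"
    REPORT_TO_ICO = "report to the ICO within 72 hours"
    REPORT_AND_NOTIFY = "report to the ICO and consider notifying affected individuals"


def triage(personal_data_involved: bool, risk: Optional[Risk]) -> Outcome:
    """Walk the four questions of the quick check.

    risk=None means "not yet sure"; in that case the default is to treat the
    incident as reportable and work backwards, as the article recommends.
    """
    if not personal_data_involved:
        return Outcome.NO_GDPR_BREACH_DUTY
    if risk is None or risk is Risk.POSSIBLE:
        return Outcome.REPORT_TO_ICO
    if risk is Risk.UNLIKELY:
        return Outcome.DOCUMENT_INTERNALLY
    return Outcome.REPORT_AND_NOTIFY


@dataclass
class BreachRecord:
    """The internal log the article says to keep from the first minute."""
    description: str
    aware_at: datetime      # when you first had reasonable grounds to think "this might be a breach"
    noticed_by: str
    data_involved: List[str]
    actions: List[Tuple[datetime, str]] = field(default_factory=list)

    def log_action(self, when: datetime, what: str) -> None:
        """Append a timestamped entry to the response log."""
        self.actions.append((when, what))

    def ico_deadline(self) -> datetime:
        # The clock runs from awareness, not from the end of the investigation.
        return self.aware_at + ICO_WINDOW

    def hours_remaining(self, now: datetime) -> float:
        """Hours left in the 72-hour window at time `now` (negative once it has passed)."""
        return (self.ico_deadline() - now).total_seconds() / 3600

    def is_late(self, now: datetime) -> bool:
        """True if a notification submitted at `now` would need the delay explained."""
        return now > self.ico_deadline()


def example_record() -> BreachRecord:
    """A constructed scenario: an unencrypted laptop reported missing on a Monday morning."""
    aware = datetime(2024, 1, 8, 9, 15, tzinfo=timezone.utc)  # constructed timestamp
    rec = BreachRecord(
        description="Unencrypted laptop with customer contact records reported missing",
        aware_at=aware,
        noticed_by="Office manager (constructed)",
        data_involved=["names", "postal addresses", "phone numbers"],
    )
    # Containment first, then assessment; the deadline does not move while you investigate.
    rec.log_action(aware + timedelta(minutes=20), "Remote wipe requested via device management")
    rec.log_action(aware + timedelta(hours=30), "Investigation complete: device not recovered")
    return rec


if __name__ == "__main__":
    rec = example_record()
    now = rec.actions[-1][0]  # the moment the investigation finished
    print("Triage:", triage(True, Risk.POSSIBLE).value)
    print("ICO deadline:", rec.ico_deadline().isoformat())
    print(f"Hours remaining when investigation finished: {rec.hours_remaining(now):.0f}")
```

The point the numbers make: the investigation in the scenario finishes 30 hours after the laptop was reported missing, which leaves 42 hours on the ICO clock, not 72. A log that records only when the investigation concluded would overstate the time available.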

Check your cyber insurance policy if you have one. Many policies include access to specialist breach response support, and early notification is usually a condition of cover.

If personal data belonging to customers, staff, or other individuals is involved, the ICO’s online reporting tool is at ico.org.uk/report-a-breach. You don’t need to have the full picture before you start; an initial report can be submitted and supplemented later.

The first hour of any potential breach is when you have the most control over how it develops. Calm, structured action in that window makes everything that follows significantly more manageable.

Useful Links

If personal data might be involved, the clock starts now. The free First Hour Checklist walks you through exactly what to do in the first 60 minutes of any suspected incident — step by step, in plain English, designed to be used under pressure.

This article explains how the framework works in general terms. For advice specific to your organisation, the ICO’s guidance at ico.org.uk is the authoritative starting point, and if you’re dealing with an active incident, a qualified data protection adviser is the right call.