Data Breach Response Procedure Template for UK Businesses

Under UK GDPR, you have 72 hours to report a serious data breach to the ICO. Without a written procedure, you risk missing the deadline — which can result in additional fines on top of any penalty for the breach itself.

What is a data breach response procedure?

A data breach response procedure is a document that sets out exactly what your business does when a personal data breach occurs. It defines who is responsible for managing breaches, how they are assessed, whether they need to be reported to the ICO, and whether affected individuals need to be notified.

Without a written procedure, most businesses either panic and report everything (wasting ICO resources) or fail to report notifiable breaches in time. A clear procedure removes the guesswork and ensures you meet your 72-hour reporting obligation every time.

What your data breach procedure should cover

  • How to identify and contain a breach as quickly as possible
  • Who is responsible for managing the breach response
  • How to assess the risk level and decide whether ICO notification is required
  • The 72-hour notification process for reporting to the ICO
  • When and how to notify affected individuals
  • Internal breach log requirements (all breaches must be documented)
  • Post-breach review to prevent recurrence

Common questions about data breach procedures

Under UK GDPR Article 33, you must report a breach to the ICO within 72 hours of becoming aware of it, if it is likely to result in a risk to individuals' rights and freedoms. The clock starts when you become aware — not when the breach occurred.

A data breach is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This includes sending an email to the wrong person, losing a device containing customer data, a ransomware attack, or an employee accessing records they shouldn't.

Under UK GDPR Article 34, you must notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms — for example, if sensitive financial or health data is exposed. Your breach procedure defines when and how to notify individuals.

Failing to report a notifiable breach within 72 hours can result in ICO fines separate from any penalty for the breach itself. The ICO has specifically fined organisations for failure to report on time. A written procedure dramatically reduces the risk of missing the deadline.