Personal Data Breach Notification Requirements in Ireland and the UK
In both Ireland and the UK, a personal data breach that is likely to result in a risk to people must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. This guide sets out the deadlines, thresholds and content rules for the DPC and the ICO side by side.

Is breach notification a legal obligation in Ireland and the UK?
Yes. In both Ireland and the UK, notifying a personal data breach is a legal obligation, not a matter of discretion. The duty arises from the same source text: Article 33 of the EU GDPR in Ireland (an EU Member State) and the materially identical Article 33 of the UK GDPR following Brexit. A controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The two regimes diverged in form but not in substance. Ireland applies the EU GDPR as supplemented by the Data Protection Act 2018, enforced by the Data Protection Commission (DPC). The UK applies the UK GDPR as supplemented by the Data Protection Act 2018 (UK), enforced by the Information Commissioner's Office (ICO). The 72-hour deadline, the risk threshold, the high-risk threshold for telling individuals, and the duty to keep an internal record of every breach are the same on both sides of the Irish Sea.
For an organisation operating in both jurisdictions, the practical question is rarely whether the duty exists. It is which regulator (or both) must be told, against which clock, and how to evidence the risk decision after the fact. This guide answers those questions for a buyer comparing obligations across the DPC and the ICO.
The 72-hour rule: when the clock starts and what it requires
Under Article 33(1) of the EU GDPR and the identical UK GDPR provision, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The phrase that matters is "becoming aware": the clock starts when the controller has a reasonable degree of certainty that a security incident has occurred that compromised personal data, not at the first hint of an anomaly. A short period of investigation to establish whether a breach has in fact happened is permitted before awareness crystallises.
The 72 hours is a calendar-time deadline, including weekends and public holidays, not 72 working hours. If notification is made after 72 hours, it must be accompanied by reasons for the delay (Article 33(1)). Both the DPC and the ICO accept that an organisation may not have all the facts within the window, and both allow an initial notification to be supplemented in phases.
- Article 33(2): a processor that becomes aware of a breach must inform the controller without undue delay; the controller, not the processor, notifies the authority.
- Article 33(4): where it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.
- Threshold to notify the authority: any risk to the rights and freedoms of natural persons. Only a breach that is unlikely to result in a risk is exempt from notification.
- Threshold to notify individuals (Article 34): a likely high risk to those individuals — a deliberately higher bar.
Risk vs high-risk: the two thresholds that decide who you tell
Breach response in both jurisdictions turns on a two-tier risk assessment. The first tier governs whether you must notify the regulator; the second governs whether you must also notify affected individuals. Getting these thresholds right is the single most consequential judgement in the process, because over-notifying floods the regulator and under-notifying is itself an infringement.
Notification to the supervisory authority (DPC or ICO) is required wherever the breach is likely to result in a risk to people. Communication to the affected individuals under Article 34 is required only where the breach is likely to result in a high risk to them — for example exposure of special category data, financial data enabling fraud, or data that could lead to identity theft, discrimination or physical harm. The DPC's breach notification form asks the controller to apply a self-declared risk rating (Low, Medium, High or Severe) and the ICO provides a self-assessment tool; both are aids to the same statutory test, not substitutes for it.
- Unlikely to result in a risk: record it internally, notify no one externally.
- Likely to result in a risk: notify the supervisory authority within 72 hours; assess whether individuals need telling.
- Likely to result in a high risk: notify the supervisory authority AND communicate to affected individuals without undue delay.
- Article 34(3) exemptions from telling individuals: effective encryption rendering the data unintelligible; measures taken that mean the high risk is no longer likely to materialise; or where individual contact would involve disproportionate effort (then a public communication instead).
What a notification to the regulator must contain (Article 33(3))
Article 33(3) sets out the minimum content of a notification to the supervisory authority. The same four headings apply whether you are filing the DPC web form or the ICO report. Where you cannot answer fully at the 72-hour point, file what you have and supplement in phases under Article 33(4) rather than waiting.
- (a) The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- (b) The name and contact details of the data protection officer or other contact point where more information can be obtained.
- (c) The likely consequences of the personal data breach.
- (d) The measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
Notifying affected individuals (Article 34)
Where the breach is likely to result in a high risk to individuals, Article 34 requires the controller to communicate the breach to those individuals without undue delay. The communication must be in clear and plain language and describe the nature of the breach, and it must contain at least the information in points (b), (c) and (d) of Article 33(3) — the DPO or contact point, the likely consequences, and the measures taken or proposed (including any steps the individual can take to protect themselves).
Both the DPC and the ICO can compel an organisation to notify individuals if the regulator considers the breach high risk and the controller has not done so (Article 34(4)). In practice, the decision to communicate to individuals is a high-stakes judgement that should be documented as carefully as the decision not to: it is exactly the point at which the high-risk threshold is tested.
Record-keeping: the obligation that applies to every breach (Article 33(5))
This is the obligation most often missed. Article 33(5) requires the controller to document all personal data breaches — the facts of the breach, its effects, and the remedial action taken — regardless of whether the breach was notifiable. The DPC and the ICO both confirm that this internal record must exist even where you concluded there was no risk and therefore told no one. The record is what enables the supervisory authority to verify compliance, and an absent or thin breach log is a common finding in regulatory engagement.
A defensible record captures more than the incident itself: it captures the reasoning. Who assessed the risk, against which criteria, what rating was reached, why notification was or was not required, and when each step was taken. This contemporaneous trail is the difference between a confident answer to a regulator and a reconstruction months later.
- Document every breach, notifiable or not — the duty is universal under Article 33(5).
- Capture the facts, the effects, and the remedial action taken.
- Capture the risk decision and its rationale, including the no-risk conclusions.
- Retain the record so the DPC or ICO can verify compliance on request.
DPC (Ireland) vs ICO (UK): a side-by-side comparison
The substantive law is near-identical because both derive from the GDPR text, but the regulators, the reporting channels and some procedural details differ. The table below sets out the practical contrasts a dual-jurisdiction organisation needs. Note the fine rows: a failure to notify under Article 33 or 34 falls into the lower fining tier in both regimes (Article 83(4)), not the headline maximum that applies to the most serious infringements such as breaches of the basic processing principles.
| Aspect | Ireland: DPC (EU GDPR + DPA 2018) | UK: ICO (UK GDPR + DPA 2018 (UK)) |
|---|---|---|
| Supervisory authority | Data Protection Commission (DPC) | Information Commissioner's Office (ICO) |
| Governing law | EU GDPR + Data Protection Act 2018 (Ireland) | UK GDPR + Data Protection Act 2018 (UK) |
| Deadline to notify authority | Without undue delay, where feasible within 72 hours | Without undue delay, where feasible within 72 hours |
| How to report | DPC online Breach Notification web form (forms.dataprotection.ie); follow-ups quote the DPC case/reference number | ICO online report-a-breach service plus a self-assessment tool; personal data breach advice line for urgent or uncertain cases |
| Risk thresholds | Notify the DPC on any likely risk; tell affected individuals on likely high risk (Article 34) | Notify the ICO on any likely risk; tell affected individuals on likely high risk (Article 34) |
| Self-assessment aid | Self-declared risk rating on the form (Low / Medium / High / Severe) | ICO self-assessment tool that walks you through whether the breach is notifiable |
| Special sectors | Separate NIS2 cyber-incident reporting duties pending via the National Cyber Security Bill 2024 (transposition still in progress) | PECR Regulation 5A applies to public electronic communications service providers (now aligned toward the 72-hour GDPR model by the DUAA 2025) |
| Recent volume | 7,781 valid breach notifications received by the DPC in 2024 (up around 11% on 2023) | 12,412 personal data breach reports received by the ICO in 2024/25 |
| Fines for failing to notify (Article 33/34) | Lower tier under Article 83(4): up to EUR 10m or 2% of global annual turnover, whichever is higher. The EUR 20m / 4% maximum (Article 83(5)) applies to the most serious infringements. | Standard maximum under DPA 2018 s.157: up to GBP 8.7m or 2% of global annual turnover, whichever is higher. The GBP 17.5m / 4% higher maximum applies to the most serious infringements. |
How to file: the DPC web form and the ICO reporting service
Mechanically, the two regulators differ. The DPC requires breaches to be submitted through its online Breach Notification web form, which captures controller details, how the breach was discovered, the security and organisational measures in place beforehand, whether special category data or cross-border data subjects are affected, and the self-declared risk rating. Where the DPC is the lead supervisory authority for a cross-border breach under the GDPR one-stop-shop, the form captures the additional cross-border information.
The ICO operates an online report-a-breach service alongside a self-assessment tool that walks an organisation through whether the incident is notifiable, plus a personal data breach advice line for urgent or out-of-hours queries. In both jurisdictions, an initial notification can be filed on incomplete information and updated in phases under Article 33(4) — filing on time with a phased follow-up is preferable to a late but complete report.
- Ireland: gather controller, discovery, prior-measures and data-category details before opening the DPC web form; keep the DPC case/reference number for any update.
- UK: run the ICO self-assessment first to confirm the breach is notifiable, then file via the ICO report-a-breach service.
- Both: if you cannot complete every field within 72 hours, file a partial notification and supplement it under Article 33(4).
Common pitfalls that turn a breach into an infringement
Most regulatory criticism in this area is not about the underlying security incident — it is about how the organisation responded to it. The recurring failures are procedural and avoidable.
- Starting the clock too late: treating awareness as the moment the investigation finishes rather than the moment a breach is reasonably confirmed.
- Failing the universal record-keeping duty: keeping no Article 33(5) log for breaches assessed as no-risk, leaving nothing for the regulator to verify.
- Confusing the two thresholds: notifying individuals for every risk (causing alarm fatigue) or, worse, withholding notification where high risk plainly applies.
- Relying on a processor to notify the authority: only the controller notifies the DPC or ICO; the processor's duty is to alert the controller without undue delay.
- Forgetting sector overlays: communications providers in the UK have PECR duties, and Irish operators of essential and important entities will have separate NIS2-derived incident-reporting duties on a different timeline.
- Not documenting the risk rationale: a defensible decision needs the who, the criteria, the rating and the timing recorded contemporaneously, not reconstructed.
2026 regulatory developments to watch
The core GDPR breach framework is stable, but the surrounding obligations are moving in both jurisdictions during 2026. None of these changes the 72-hour GDPR rule itself, but they layer additional or aligned duties on top of it.
In the UK, the Data (Use and Access) Act 2025 received Royal Assent on 19 June 2025, with a substantial set of provisions commencing on 5 February 2026 and further provisions following through secondary legislation. Among its measures, it aligns the PECR breach-reporting timeline for public electronic communications service providers toward the GDPR's without-undue-delay / 72-hour model, easing the previous 24-hour Regulation 5A position. Organisations should confirm the precise commencement of provisions relevant to them against the ICO's guidance.
In Ireland, NIS2 (Directive (EU) 2022/2555) is being transposed through the National Cyber Security Bill 2024; transposition was not completed by the EU's 17 October 2024 deadline and remained in progress through 2025, with publication of the Bill treated as a priority into 2026. For in-scope essential and important entities, NIS2 introduces a separate cyber-incident reporting cascade — an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month — which runs in parallel with, and does not replace, the GDPR breach duty owed to the DPC.
Building audit-ready breach readiness (and where Acompli assists)
The organisations that handle breaches well are not the ones that respond fastest in the moment — they are the ones that decided, in advance, how awareness is recognised, who assesses risk, against which criteria, and where the record lives. A 72-hour deadline is unforgiving if the first 24 hours are spent deciding who owns the decision.
Acompli's software is designed to assist this readiness rather than replace the people accountable for it. The platform can help draft a structured breach record aligned to Article 33(3) and 33(5), classify and surface the data categories likely to be affected, route the incident to the right reviewers, and prompt the risk and high-risk assessment so a step is not skipped. Every output is put forward for human review: a DPO, privacy lead or lawyer makes the notification decision and approves what is filed. Acompli does not make autonomous legal judgements and does not file with a regulator on your behalf without sign-off — it is intended to shorten the path to a defensible, well-evidenced human decision.
- Drafts and structures the Article 33 notification content and the Article 33(5) internal record for human review.
- Classifies and surfaces likely-affected data categories to speed the risk assessment a person then confirms.
- Routes incidents to the right reviewers and helps maintain a contemporaneous, exportable decision trail.
- Keeps a human in control: the DPO, privacy lead or legal team approves every notification and every risk decision.
Primary sources
- GDPR Article 33 — Notification of a personal data breach to the supervisory authority
- GDPR Article 34 — Communication of a personal data breach to the data subject
- Data Protection Commission (Ireland) — Breach Notification guidance and web form
- ICO (UK) — Personal data breaches: a guide and report-a-breach service
- Data Protection Act 2018 (Ireland) — Irish Statute Book
- EDPB Guidelines 9/2022 on personal data breach notification under the GDPR (Version 2.0)
Breach notification FAQs for Ireland and the UK
Do I have to report a breach to both the DPC and the ICO if my organisation operates in Ireland and the UK?
It depends on where the affected individuals are and which law applies to the processing. A breach affecting people in Ireland and the wider EU is reportable to the DPC under the EU GDPR, while a breach affecting people in the UK is reportable to the ICO under the UK GDPR. Many cross-border organisations have to notify both regulators for the same incident where it touches data subjects in each jurisdiction. There is no single one-stop-shop that spans both the EU and the UK since Brexit, so you should assess your EU and UK obligations separately and notify each competent authority where the breach reaches the risk threshold for that jurisdiction.
When does the 72-hour clock actually start?
The clock starts when you become aware of the breach, meaning when you have a reasonable degree of certainty that a security incident has occurred that compromised personal data. It does not start at the first vague alert or anomaly, and a short, focused investigation to confirm whether a breach has genuinely happened is permitted before awareness crystallises. The 72 hours is calendar time, including weekends and public holidays, not 72 working hours. Both the DPC and the ICO apply the same test, so your internal incident process should define clearly what counts as becoming aware so the start point is consistent and defensible.
What is the difference between notifying the regulator and notifying affected individuals?
They are governed by two different thresholds. You must notify the supervisory authority (the DPC in Ireland or the ICO in the UK) wherever the breach is likely to result in any risk to people. You must additionally communicate the breach to the affected individuals only where it is likely to result in a high risk to them, such as exposure of special category or financial data that could lead to fraud, identity theft, discrimination or physical harm. So a breach can be reportable to the regulator without requiring you to tell the individuals, but a high-risk breach generally triggers both.
Do I have to report a breach if I do not think it is serious?
You only have to notify the regulator if the breach is likely to result in a risk to the rights and freedoms of individuals; a breach that is unlikely to result in any risk is exempt from external notification. However, you must still document every breach internally, including the ones you decide not to report, recording the facts, the effects, the remedial action and your reasoning for concluding there was no risk. This internal record is required under Article 33(5) in both Ireland and the UK and is exactly what the DPC or ICO will expect to see if they later examine how you handled the incident.
What information does the DPC web form or ICO report require?
Both follow Article 33(3). You provide the nature of the breach including the approximate number of individuals and records affected, the contact details of your data protection officer or contact point, the likely consequences of the breach, and the measures you have taken or propose to take to address it and mitigate harm. The DPC form captures additional detail on the security measures in place beforehand and any cross-border element, while the ICO offers a self-assessment tool to confirm the breach is notifiable. If you cannot complete every field within 72 hours, file what you have on time and supplement the rest in phases, which both regulators expressly allow.
What happens if we miss the 72-hour deadline?
Missing the deadline does not remove the obligation; you must still notify, and you must include the reasons for the delay, as required by Article 33(1). A late notification with a credible explanation is treated very differently from a non-notification or a concealed breach. Failing to notify when required is itself an infringement and can attract a penalty. A failure to notify falls into the lower fining tier in both regimes: in the UK the ICO can impose a fine of up to 8.7 million pounds or 2% of global annual turnover, whichever is higher, and in Ireland the DPC can impose a fine of up to 10 million euro or 2% of global annual turnover, whichever is higher. The higher maximums, 17.5 million pounds or 4% in the UK and 20 million euro or 4% in Ireland, are reserved for the most serious infringements such as breaches of the basic processing principles. Filing on time, even on partial information, is always the stronger position.
Are there extra breach-reporting rules for specific sectors?
Yes. In the UK, providers of public electronic communications services have additional duties under PECR (the Privacy and Electronic Communications Regulations 2003, Regulation 5A), a regime that historically used a stricter 24-hour timeline and that the Data (Use and Access) Act 2025 has aligned toward the GDPR 72-hour model. In Ireland, organisations that qualify as essential or important entities will have separate cyber-incident reporting duties derived from the NIS2 Directive, with its own cascade of an early warning, an incident notification and a final report. These sector rules sit on top of the GDPR breach duty rather than replacing it, so an in-scope organisation can owe parallel reports to different authorities on different clocks for the same incident.
Who is responsible for notifying when a supplier or processor causes the breach?
The controller is always responsible for notifying the supervisory authority; a processor does not notify the DPC or ICO directly on the controller's behalf. Under Article 33(2), a processor that becomes aware of a breach must inform the controller without undue delay, and the controller's own 72-hour clock runs from the point at which the processor's report makes it aware of the breach. This is why your data processing agreements should require prompt, detailed breach alerts from suppliers, and why your incident process should be able to absorb a third-party report and act on it quickly. A weak supplier-notification chain is a common reason controllers miss their own deadline.
How long do we have to notify affected individuals, and can we ever avoid it?
Where the breach is likely to result in a high risk, you must communicate it to the affected individuals without undue delay, in clear and plain language, covering the nature of the breach, the likely consequences and the measures taken including any steps they can take to protect themselves. Article 34(3) provides limited exemptions: if the data was effectively encrypted and remains unintelligible, if you have since taken measures that mean the high risk is no longer likely to materialise, or if individual contact would involve disproportionate effort, in which case you make a public communication instead. The DPC and the ICO can still order you to notify individuals if they disagree with your assessment.
How can software help us be audit-ready without overclaiming?
Software helps most before an incident, by making the response repeatable and evidenced. A tool like Acompli can draft the structured breach record aligned to Article 33(3) and the internal log required by Article 33(5), classify and surface the data categories likely to be affected, route the incident to the right reviewers and prompt the risk and high-risk assessment so no step is skipped. Crucially, it is designed to assist rather than decide: the notification decision and the risk judgement are made and approved by a human, such as your DPO, privacy lead or lawyer, and nothing is filed without sign-off. The value is a faster, better-documented and more defensible human decision within the 72-hour window, not an automated legal judgement.