Personal Data Breach Notification Requirements in Ireland and the UK
In both Ireland and the UK, a personal data breach that is likely to result in a risk to people must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. This guide sets out the deadlines, thresholds and content rules for the DPC and the ICO side by side.

- Article 33(2): a processor that becomes aware of a breach must inform the controller without undue delay; the controller, not the processor, notifies the authority.
- Article 33(4): where it is not possible to provide all the information at the same time, the information may be provided in phases without undue further delay.
- Threshold to notify the authority: any risk to the rights and freedoms of natural persons. Only a breach that is unlikely to result in a risk is exempt from notification.
- Threshold to notify individuals (Article 34): a likely high risk to those individuals — a deliberately higher bar.
- Unlikely to result in a risk: record it internally, notify no one externally.
- Likely to result in a risk: notify the supervisory authority within 72 hours; assess whether individuals need telling.
- Likely to result in a high risk: notify the supervisory authority AND communicate to affected individuals without undue delay.
- Article 34(3) exemptions from telling individuals: effective encryption rendering the data unintelligible; measures taken that mean the high risk is no longer likely to materialise; or where individual contact would involve disproportionate effort (then a public communication instead).
- (a) The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
- (b) The name and contact details of the data protection officer or other contact point where more information can be obtained.
- (c) The likely consequences of the personal data breach.
- (d) The measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
- Document every breach, notifiable or not — the duty is universal under Article 33(5).
- Capture the facts, the effects, and the remedial action taken.
- Capture the risk decision and its rationale, including the no-risk conclusions.
- Retain the record so the DPC or ICO can verify compliance on request.
| Ireland — DPC (EU GDPR + DPA 2018) | UK — ICO (UK GDPR + DPA 2018 (UK)) |
|---|---|
| Supervisory authority: Data Protection Commission (DPC) | Supervisory authority: Information Commissioner's Office (ICO) |
| Governing law: EU GDPR + Data Protection Act 2018 (Ireland) | Governing law: UK GDPR + Data Protection Act 2018 (UK) |
| Deadline to notify authority: without undue delay, where feasible within 72 hours | Deadline to notify authority: without undue delay, where feasible within 72 hours |
| How to report: DPC online Breach Notification web form (forms.dataprotection.ie); follow-ups quote the DPC case/reference number | How to report: ICO online report-a-breach service plus a self-assessment tool; personal data breach advice line for urgent or uncertain cases |
| Risk thresholds: notify the DPC on any likely risk; tell affected individuals on likely high risk (Article 34) | Risk thresholds: notify the ICO on any likely risk; tell affected individuals on likely high risk (Article 34) |
| Self-assessment aid: self-declared risk rating on the form (Low / Medium / High / Severe) | Self-assessment aid: ICO self-assessment tool that walks you through whether the breach is notifiable |
| Special sectors: separate NIS2 cyber-incident reporting duties pending via the National Cyber Security Bill 2024 (transposition still in progress) | Special sectors: PECR Regulation 5A applies to public electronic communications service providers (now aligned toward the 72-hour GDPR model by the DUAA 2025) |
| Recent volume: 7,781 valid breach notifications received by the DPC in 2024 (up around 11% on 2023) | Recent volume: 12,412 personal data breach reports received by the ICO in 2024/25 |
| Fines for failing to notify (Article 33/34): lower tier under Article 83(4) — up to EUR 10m or 2% of global annual turnover, whichever is higher. The EUR 20m / 4% maximum (Article 83(5)) applies to the most serious infringements. | Fines for failing to notify (Article 33/34): standard maximum under DPA 2018 s.157 — up to GBP 8.7m or 2% of global annual turnover, whichever is higher. The GBP 17.5m / 4% higher maximum applies to the most serious infringements. |
- Ireland: gather controller, discovery, prior-measures and data-category details before opening the DPC web form; keep the DPC case/reference number for any update.
- UK: run the ICO self-assessment first to confirm the breach is notifiable, then file via the ICO report-a-breach service.
- Both: if you cannot complete every field within 72 hours, file a partial notification and supplement it under Article 33(4).
- Starting the clock too late: treating awareness as the moment the investigation finishes rather than the moment a breach is reasonably confirmed.
- Failing the universal record-keeping duty: keeping no Article 33(5) log for breaches assessed as no-risk, leaving nothing for the regulator to verify.
- Confusing the two thresholds: notifying individuals for every risk (causing alarm fatigue) or, worse, withholding notification where high risk plainly applies.
- Relying on a processor to notify the authority: only the controller notifies the DPC or ICO; the processor's duty is to alert the controller without undue delay.
- Forgetting sector overlays: communications providers in the UK have PECR duties, and Irish operators of essential and important entities will have separate NIS2-derived incident-reporting duties on a different timeline.
- Not documenting the risk rationale: a defensible decision needs the who, the criteria, the rating and the timing recorded contemporaneously, not reconstructed.
- Drafts and structures the Article 33 notification content and the Article 33(5) internal record for human review.
- Classifies and surfaces likely-affected data categories to speed the risk assessment a person then confirms.
- Routes incidents to the right reviewers and helps maintain a contemporaneous, exportable decision trail.
- Keeps a human in control: the DPO, privacy lead or legal team approves every notification and every risk decision.
Where Acompli fits for breach readiness
Best for privacy teams that need the breach decision to be a defensible record, not a reconstructed incident note: Acompli structures the Article 33(3) notification fields and the Article 33(5) internal log, prompts the risk and high-risk assessment, records who approved the decision, and keeps each step exportable for a DPC or ICO review. The software assists the workflow; the notification judgement stays with the DPO, privacy lead or lawyer.
See Acompli risk management workflows
Primary sources
- GDPR Article 33 — Notification of a personal data breach to the supervisory authority
- GDPR Article 34 — Communication of a personal data breach to the data subject
- Data Protection Commission (Ireland) — Breach Notification guidance and web form
- ICO (UK) — Personal data breaches: a guide and report-a-breach service
- Data Protection Act 2018 (Ireland) — Irish Statute Book
- EDPB Guidelines 9/2022 on personal data breach notification under the GDPR (Version 2.0)