Last Updated On 28th April 2025. Your personal data may have been involved in a data breach which caused you great distress or financial loss. You may want to report your concerns to the relevant regulatory body but be unsure of how long you have to do so. That is why we have prepared this guide on how long you have to report a data breach to the Information Commissioner’s Office (ICO).
The ICO is the UK’s independent body for protecting information rights. We will explain how to report personal data breaches to them and the time limits for doing so. You will also find information on the time limits for making a data breach claim and some examples of evidence you can use to support a claim.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, data controllers (usually organisations that use your personal data) and data processors (who may be used to process it on their behalf) have legal obligations to protect it. Failing to do so can result in data breaches.
Finally, you can read about the No Win No Fee agreements our highly experienced data breach solicitors can offer their services under and all the benefits this can bring to you.
You can ask any questions about the time limits in data breach claims by contacting our advisors. Not only can the team provide further guidance, but they can assess the validity of your potential claim for absolutely no cost. You can speak with our advisors at any time using any of the contact information provided below:
- Call us on 0800 073 8801.
- Contact us through our website using our online form.
- Click the live chat window to talk to an advisor in real time.
Browse Our Guide
- How Long Do You Have To Report A Data Breach?
- How To Report A Breach Of Data Protection
- The Time Limit For A Data Breach Claim
- How Do You Prove A Data Breach Claim?
- How Many Data Breaches Have Been Reported?
- Do Data Breach Solicitors Offer No Win No Fee Services?
- Learn More About How Long You Have To Report A Data Breach
How Long Do You Have To Report A Data Breach?
A personal data breach is defined as a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Personal data is any information that can be used to directly or indirectly identify a living individual. Examples include your name, contact details such as your phone number and your address. Some personal data is deemed to be of higher sensitivity and classed as special category data. Examples of this include data relating to health, race and ethnic origin and religious or philosophical beliefs.
When a data breach occurs that affects your rights and freedoms, the data controller must inform you of this without undue delay. They must do this through a letter of notification. This allows you to open up correspondence with them regarding the breach of your data.
However, if you suspect an organisation has breached your data, you can write to them stressing your concerns and asking them whether or not this is the case.
In either case, if you are not satisfied with the response that you receive from the organisation, wait no longer than three months from your last meaningful communication to make a data breach report to the ICO. However, the ICO can exercise their discretion over reports made after this time period.
Knowing what to do after receiving notification that your personal data has been breached can seem incredibly daunting. If you have questions about how long you have to report a data breach to the ICO or for a free assessment of your eligibility to claim compensation, contact our advisors with any queries using the contact details we have included above.
How To Report A Breach Of Data Protection
Following a breach of your personal data, you may be wondering how to report a data breach to the ICO. Before you make a report to the ICO, they will expect you to have opened communications with the organisation first to try and resolve the issue. You should allow the organisation one month to investigate and resolve the issue. You can chase the organisation if you think they are failing to respond and escalate your complaint if need be.
It is not required that you report a data breach to the ICO prior to making a claim. However, should you decide to make such a report, it should be done no longer than 3 months after your last communication with the organisation that processed your data. To report a data breach or raise a concern to the ICO, you can use their website to complain online. Before you make the report, they ask that you have all the required information for them to assess your complaint accurately.
The report will need to include:
- Details about the breach – an overview of the data breach: date and time it happened and when you were informed.
- Notification letter – you can send any communication you have had with the organisation, including the letter of notification if you have received one.
- Details of the organisation – contact details of the organisation will need to be included.
- Your contact details – these will be needed for correspondence with the ICO, or you can request that this happen through another party.
Read our data breach FAQ guide to learn about the data breach claims process. Then, speak to our advisors with questions or to have your eligibility to claim assessed. The team is available 24/7 using the contact information given above.
The Time Limit For A Data Breach Claim
For most personal data breaches, a claim should be started within 6 years. In some circumstances, however, the limitation period can change. For example, if the case involves human rights, the limitation period is reduced to 1 year.
To find out more about the time limit for your particular data breach, talk to our advisors today. Our friendly and highly experienced team are available 24 hours a day using the contact information provided below.
How Do You Prove A Data Breach Claim?
Now that we’ve examined how long you have to report a data breach, this section looks at the evidence you can use to support a potential data breach claim.
The evidence will be used to show the impact losing personal data had on you, both in terms of financial losses as well as any psychological injury you may have experienced. We have provided some examples of evidence you could use here:
- The data controller should notify all data subjects affected by the data breach if their rights and freedoms have been put at risk. This can be done by a letter or email.
- In certain data breach cases, such as where a family court sent a letter to the wrong address, you may need to relocate. You could be compensated for the costs associated with changing your address.
- Medical records showing the psychiatric harm you have experienced.
- Your payslips can be used to show a loss of earnings if you need time off work to recover.
You may find it beneficial to work with a solicitor. Talk to one of our friendly advisors for an assessment of your eligibility to claim. If eligible, the team could connect with one of our highly experienced data breach solicitors. A solicitor could not only provide support by helping collect evidence but also make sure your claim is made within the relevant time limit.
How Many Data Breaches Have Been Reported?
In 2024, 12,193 data breaches were reported to the ICO. Of course, this does not mean that all reported incidents were eligible for data breach compensation. However, there are many instances where an organisation’s failure to comply with data breach laws can make them liable for a breach.
The most common causes of data breach reports in 2024 include:
- 21% of reports involved data that was emailed to an incorrect recipient
- 10% of reported breaches resulted from an unauthorised party accessing data
- 10% of reports were due to phishing attacks (this refers to spam emails or messages sent by a party pretending to be a reputable company or person with the intention of gaining access to personal data)
- 7% of reported cases were caused by a failure to redact personal data
- 5% of reports related to ransomware (this is a form of cyberattack which prevents you from accessing your data and device)
Please do not hesitate to contact our advisory team if you would like more information on how common data breaches are and whether you may be eligible to claim compensation. Each claim is unique, so they can answer queries that could be specific to your claim, such as ‘How long do you have to report a data breach?’.
Do Data Breach Solicitors Offer No Win No Fee Services?
At Accident Claims, our specialist data breach solicitors can offer their services on a No Win No Fee basis with a Conditional Fee Agreement (CFA). To find out if you’re eligible to begin a data breach claim, speak to an advisor for your free assessment today.
Instructing a solicitor under a CFA means claimants enjoy some notable benefits. Firstly, you won’t pay any initial fees to the solicitor for them to begin working on your claim. Secondly, you will not pay for this work during the actual claims process. Thirdly, should the claim fail, you will not pay a fee to the solicitor.
In the event your data breach claim is a success, you will receive a compensation payout. Your lawyer will deduct a percentage of the total award as a success fee. Success fees are legally capped at 25% by The Conditional Fee Agreements Order 2013. What this means is claimants who win their cases get to keep the majority of their compensation.
You can ask any questions about the time limits in data breach claims by contacting our advisors. Not only can the team provide further guidance, but they can assess the validity of your potential claim for free. Talk to an advisor today using any of the contact information provided here:
- Call us on 0800 073 8801.
- Contact us through our website using our online form.
- Click the live chat button to speak to an advisor in real time.
Learn More About How Long You Have To Report A Data Breach
You can read some of our other guides relating to data breach claims here:
- Find out how you report a data breach to the ICO by reading this useful guide.
- Learn your rights after a school data breach with this guide.
- You may be entitled to compensation following a social services data breach. Find out more here.
- The ICO, the relevant supervisory authority for data protection, states that high risk data breaches should be communicated to data subjects without undue delay. This can sometimes be done by the organisation’s data protection officer.
We have also provided some external resources that you may find useful:
- Being the victim of a data breach may cause you to experience feelings of stress. The NHS has provided extensive guidance on the symptoms of stress and on how to get support.
- The ICO has provided this guidance on minimising the risk of data breaches occurring, aimed at small organisations.
- The National Cyber Security Centre has published their top tips for staying secure online, which you can read here.
We’d like to thank you for reading our guide on how long you have to report a data breach. You can talk to our advisory team for free advice. Our advisors can also assess your eligibility to claim for free. You can reach an advisor at any time using the contact information given above.