Awdurdod annibynnol y Deyrnas Unedig a sefydlwyd i gynnal hawliau gwybodaeth er budd y cyhoedd, annog cyrff cyhoeddus i fod yn agored a hybu preifatrwydd data i unigolion.

There are certain incidents that organisations need to tell us about. Use this page if you are an organisation that has experienced one of the following types of incident and need to report it to the ICO:

GDPR or DPA 2018 personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

If you experience a personal data breach you need to consider whether this poses a risk to people. You need to consider the likelihood and severity of the risk to people’s rights and freedoms, following the breach. When you’ve made this assessment, if it’s likely there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report. You do not need to report every breach to the ICO.

To help you assess the severity of a breach we have selected examples taken from various breaches reported to the ICO. These also include helpful advice about next steps to take or things to think about.


Take our self-assessment to help determine whether your organisation needs to report to the ICO.


For more information about what a personal data breach is and when you need to report it to us, please see the personal data breach pages of our Guide to the GDPR or if you are processing personal data for law enforcement purposes please see our Guide to Law Enforcement Processing.

If your organisation has already made its own assessment and decided the personal data breach experienced needs to be reported, you can find details about how to report at the link below.

Report a data security breach

PECR security breach (for telecoms and internet service providers)

Under the Privacy and Electronic Communications Regulations (PECR), organisations who provide a service allowing members of the public to send electronic messages (eg telecoms providers or internet service providers) are required to notify us if a personal data breach occurs. If you are subject to PECR and you experience a personal data breach, you should continue to report under PECR. There is no need to report under the DPA 2018, too.

 Report a data security breach (PECR)

Notifiable incident under the NIS Regulations

This form is for Relevant Digital Service Providers to notify the ICO of an incident under the NIS Regulations.

Report a NIS incident

Notifiable breaches of the eIDAS Regulation

This form is for Trust Service Providers and Qualified Trust Service providers to report notifiable breaches of the eIDAS regulation, pursuant to Article 19 (2) of the Regulation.

Report an eIDAS breach 


For information about what we do with personal data see our privacy notice.