Reporting a UK GDPR (DPA 2018) data breach
Latest updates - last updated 28 May 2025
28 May 2025 - Updated guidance to put more emphasis on the need for organisations to 'report early, update later', and added more specific content on how best to work with the ICO following a breach.
Do I need to report a breach?
If you are not sure whether your organisation needs to report a breach to the ICO, use our self-assessment or read our examples.
We have a simple guide to help small businesses and sole traders through the first 72 hours after discovering a breach.
We also have detailed guidance on how to manage a breach, including risk assessments and informing the individuals affected.
How do I report a breach?
You can report a breach online. The form should take about 30 minutes to complete. Make sure you have all the details about the breach before you start - you cannot save the form and return to it later.
Welsh
A beta version of the web form for reporting a personal data breach is currently available in English only. We are working on a Welsh version as part of the development work. For now, if you would like to submit a personal data breach report in Welsh, use the downloadable form below.
You can also report by completing our downloadable form.
Completing a downloadable form
If you have experienced a data breach that needs to be reported, but you are confident you can deal with it without the ICO's help, you can report it online straight away. You may also want to report a breach online if you are still investigating it and expect to be able to provide more information later.
The online form can also be used to report breaches outside our normal opening hours.
If you report online, make sure you include the telephone number of someone who is familiar with the breach, in case we need to follow up on any of the information provided.
Data security breach notification form (right-click the link and select 'Save Link As' or 'Save Target As' to download the form before starting).
We have also created a guide to help you complete the personal data breach reporting form. Right-click the link and select 'Save Link As' or 'Save Target As' to download the guide.
What information will I need to provide?
We will ask you questions about:
- what has happened;
- when and how you found out about the breach;
- the people affected by the breach;
- what you are doing as a result of the breach; and
- who we should contact if we need more information, and who else you have told.
You should ensure the information provided is accurate and supply us with as much detail as possible. We'll send you a copy of the information you give us.
What happens when we report a breach to the ICO?
We recognise that a detailed understanding of what happened may take time, however it is important that we receive a factually accurate account as soon as possible.
We understand that it may not be possible for you to provide a full and complete picture of what has happened within the 72-hour reporting requirement, especially if the breach is complex and possibly ongoing. However, you’re legally required to meet this timeframe and you should provide whatever relevant information you have to us at this stage. You can provide any additional details to us at a later stage, as long as you do this without undue delay.
Following a breach, you should always reflect and consider any lessons learned. In particular, whether your risk assessment process is comprehensive enough, as well as how effective your mitigations and controls are.
How do we work with the ICO?
When you’ve had a personal data breach, you must assess the likely risk to people’s rights and freedoms.
If a risk is likely, you must notify us, as soon as possible, and where feasible within 72 hours. Being open and transparent with us at an early stage allows us to deal with the breach efficiently and ensures that we can help you protect personal information.
If the risk to people is high, you must also notify those people without undue delay.
Our role is to uphold information rights and help to protect people’s personal information. By working with organisations to comply with the law and providing appropriate support when breaches occur, we can help to ensure that organisations get it right in future.
What happens next?
When reporting a breach, you should give as much detail as possible and be as accurate as you can, even if information is likely to change.
We will use the information you provide to:
- decide what should happen next;
- better understand the cause of any breach;
- understand the mitigations you had in place; and
- understand the potential failure or lack of any controls or processes.
Depending on the impact of the breach, we may decide to use our investigative or enforcement powers, or both, under data protection laws. The information you provide may also help us to identify data security incident trends.
Where appropriate, we may share the information you provide with law and cybercrime agencies or other regulators, such as the Financial Conduct Authority. If an incident is relevant to another country, we may also share the information with appropriate regulatory representatives in that country. Let us know if you’d like more information about this.
You should also consider notifying other relevant parties about the breach, such as:
- your insurer;
- law enforcement agencies; and
- the National Cyber Security Centre (NCSC), if the breach was caused by a malicious actor.
Cyber incidents
Unless you can’t access your system, you should report cyber incidents online.
If you’ve experienced a cyber incident you can report to the NCSC. The NCSC is the UK’s independent authority on cyber security, providing cyber incident response to the most critical incidents affecting the UK. To help you decide, you should read the NCSC’s guidance about its role and the type of incidents that you should consider reporting to them.
When an incident occurs that you believe may involve criminal intent, you should consider reporting it to Action Fraud, the UK's national fraud and cybercrime reporting centre. If your organisation is in Scotland, you should report it to Police Scotland instead.
Where appropriate, we may liaise with the above organisations about the incidents reported to us. However, it is your responsibility to notify all appropriate organisations.