
Report a UK GDPR data breach (DPA 2018)


Latest updates - last updated 28 May 2025

28 May 2025 - Updated guidance to reflect more emphasis on the need for organisations to 'report early' and 'update later', and more specific content on how best to work with the ICO following a breach.

 

Do I need to report a breach?

If you're not sure whether your organisation needs to report a breach to the ICO, use our self-assessment or read our examples.

We have a simple guide about how to respond to a breach in the first 72 hours to help small companies and sole traders. 

We also have a detailed guide about how to manage a breach, including risk assessments and informing individuals.

How do I report a breach?

You can report a breach online. The form should take about 30 minutes to complete. Make sure you have all the details about the breach before you start - you can't save the form and return to it later.

What information will I need to provide?

We'll ask you questions about:

  • what has happened;
  • when and how you found out about the breach;
  • the people affected by the breach;
  • what you're doing as a result of the breach; and
  • who we should contact if we need more information, and who else you have told.

You should ensure the information provided is accurate and supply us with as much detail as possible. We'll send you a copy of the information you give us.

What happens when we report a breach to the ICO?

We recognise that a detailed understanding of what happened may take time. However, it is important that we receive a factually accurate account as soon as possible.

We understand that it may not be possible for you to provide a full and complete picture of what has happened within the 72-hour reporting requirement, especially if the breach is complex and possibly ongoing. However, you’re legally required to meet this timeframe and you should provide whatever relevant information you have to us at this stage. You can provide any additional details to us at a later stage, as long as you do this without undue delay.

Following a breach, you should always reflect and consider any lessons learned. In particular, consider whether your risk assessment process is comprehensive enough, and how effective your mitigations and controls are.

How do we work with the ICO?

When you’ve had a personal data breach, you must assess the likely risk to people’s rights and freedoms.

If a risk is likely, you must notify us as soon as possible, and where feasible within 72 hours. Being open and transparent with us at an early stage allows us to deal with the breach efficiently and ensures that we can help you protect personal information.

If the risk to people is high, you must also notify those people without undue delay.

Our role is to uphold information rights and help to protect people’s personal information. By working with organisations to comply with the law and providing appropriate support when breaches occur, we can help to ensure that organisations get it right in future.

Further reading

What happens next?

When reporting a breach, you should give as much detail as possible and be as accurate as you can, even if information is likely to change.

We will use the information you provide to: 

  • decide what should happen next;
  • better understand the cause of any breach; 
  • understand the mitigations you had in place; and 
  • understand the potential failure or lack of any controls or processes. 

Depending on the impact of the breach, we may decide to use our investigative or enforcement powers, or both, under data protection laws. The information you provide may also help us to identify data security incident trends.

Where appropriate, we may share the information you provide with law and cybercrime agencies or other regulators, such as the Financial Conduct Authority. If an incident is relevant to another country, we may also share the information with appropriate regulatory representatives in that country. Let us know if you’d like more information about this.

You should also consider notifying other relevant parties about the breach, such as: 

  • your insurer;
  • law enforcement agencies; and 
  • the National Cyber Security Centre (NCSC), if the breach was caused by a malicious actor.

How do we respond to a cyber incident? 

Unless you can’t access your system, you should report cyber incidents online.

If you’ve experienced a cyber incident you can report to the NCSC. The NCSC is the UK’s independent authority on cyber security, providing cyber incident response to the most critical incidents affecting the UK. To help you decide, you should read the NCSC’s guidance about its role and the type of incidents that you should consider reporting to them.

When an incident occurs that you believe may have criminal intent, you should consider reporting this to 'Action Fraud' – the UK’s national fraud and cybercrime reporting centre. If your organisation is in Scotland, then you should make a report to Police Scotland.

Where appropriate, we may liaise with the above organisations about the incidents reported to us. However, it is your responsibility to notify all appropriate organisations.

Further reading