Introduction to this document

GDPR letter notifying personal data breach

As well as notifying the Information Commissioner’s Office (ICO), certain personal data breaches must also be notified to affected data subjects. Your notification to them must, as a minimum, describe the nature of the data breach, the likely consequences of it and the measures you’ve taken or are taking to address it. It must also set out contact details if the data subject wants to obtain further information.

Notification requirements

Under the UK GDPR, you’re required to put in place appropriate technical and organisational measures to ensure a level of security of personal data which is appropriate to the risk. If, despite the security measures you’ve put in place, a personal data breach does unfortunately occur, you’ll need to properly respond to it. Certain personal data breaches must be notified to the ICO and sometimes affected data subjects need to be told too. Where the personal data breach is likely to result in a “high risk” to the rights and freedoms of individuals, you’re required to communicate the breach to the affected data subjects directly and “without undue delay”, i.e. as soon as possible. You must describe to them, in clear and plain language, the nature of the breach, e.g. how and when it occurred. In addition, you must provide them with the following information: (a) the name and contact details of your data protection officer (DPO) or other point of contact where further information can be obtained; (b) a description of the likely consequences of the breach; and (c) a description of the measures taken, or proposed to be taken, to address the breach and mitigate its possible adverse effects. You should also provide clear and practical advice on what steps the data subjects can take to protect themselves from the adverse effects of the breach, e.g. resetting their passwords.


You’re not required to notify individual data subjects if any of the following conditions apply:

  • you’ve applied appropriate technical and organisational protection measures to the affected personal data, in particular those that render the data unintelligible to unauthorised persons, e.g. encryption
  • you’ve subsequently taken measures which ensure that the high risk to the rights and freedoms of individuals is no longer likely to materialise
  • it would involve a disproportionate effort - in this case, you still need to implement some form of public communication, provided this will be equally effective in informing data subjects.

Breach notification letter

Our GDPR Letter Notifying Personal Data Breach is intended for use with employees, but you can also use it for clients, customers and any others who may be affected by a personal data breach.