What happens if my startup has a data breach?
By SuLe · Updated 10 June 2026
If your startup suffers a notifiable personal-data breach, you must report it to the ICO within 72 hours of becoming aware, tell affected individuals without undue delay where the risk to them is high, and document the incident either way. The 72-hour clock starts at awareness, not at resolution — so the first hours are about assessing and containing, fast.
Key facts
- Notifiable personal-data breaches must be reported to the ICO within 72 hours of awareness.
- Affected individuals must be told without undue delay where the breach is likely to be high risk to them.
- A breach unlikely to risk individuals need not be reported — but must still be assessed and documented.
- All breaches must be recorded internally, whether or not you notify.
- UK GDPR fines reach up to £17.5 million or 4% of worldwide turnover for the most serious cases.
What actually counts as a data breach?
More than a hack. A personal-data breach is any security failure leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
So it includes a database compromised by an attacker, but equally a laptop left on a train, a spreadsheet emailed to the wrong client, or ransomware that locks up your systems. Loss of availability counts, not just theft.
Recognising the incident as a breach is the first hurdle, because the deadline runs from when you become aware. Founders who file a misdirected email under "oops" rather than "breach" can burn the clock without realising it.
What do I have to do, and how fast?
Contain first, then assess against the 72-hour clock. From the moment you are aware, you have 72 hours to report a notifiable breach to the ICO — a notifiable breach being one likely to result in a risk to individuals.
If the breach is likely to be high risk to the people affected — exposed passwords, financial data, sensitive categories — you must also tell those individuals without undue delay, so they can protect themselves.
If a breach is genuinely unlikely to risk anyone, it may not be notifiable to the ICO. But you must still assess it and record it internally; the documentation duty applies to every breach, notifiable or not.
| Scenario | Report to ICO? | Tell individuals? | Document? |
|---|---|---|---|
| Unlikely to risk individuals | No | No | Yes |
| Likely to risk individuals | Yes, within 72 hours | Not necessarily | Yes |
| High risk to individuals | Yes, within 72 hours | Yes, without undue delay | Yes |
What are the consequences and penalties?
The headline is the fine ceiling: UK GDPR breaches can attract up to £17.5 million or 4% of worldwide annual turnover, whichever is higher. That is reserved for the most serious failures, not a typical startup slip.
In reality, most startup incidents draw no fine at all where the breach is handled well. The ICO weighs the nature of the breach, the harm, and crucially how you responded — prompt notification and cooperation count in your favour.
The larger practical costs are often reputational and commercial: lost customers, a stalled enterprise deal, and the engineering time to remediate. A calm, documented response limits all three.
How do I prepare before it happens?
Have a breach playbook ready, because you cannot design a response inside a 72-hour window under pressure. The core of it is simple and worth writing down now.
Contain and assess in the first hours; start the 72-hour analysis immediately so you know whether it is notifiable; document everything even if you ultimately decide not to notify. Then check your cyber insurance and your processor contracts, which often impose their own notification duties on you or on your suppliers.
Assign who does what in advance — who assesses, who contacts the ICO, who talks to customers. A named owner beats a panicked group chat every time.
Worked example
Devang runs Ledgerly, a fintech-adjacent SaaS. On a Tuesday, an engineer reports that a misconfigured storage bucket exposed a file of customer names and email addresses, possibly accessed externally.
Ledgerly is now "aware", so the 72-hour clock starts. Devang's team contains the exposure within the hour, then assesses risk. Because passwords and financial data were not exposed, they judge it a real but not high-risk breach — reportable to the ICO, but not requiring individual notification.
They file with the ICO inside 72 hours, document the timeline, containment and reasoning, and check their cyber insurance and host contract for further duties. The whole response runs off a playbook Devang wrote months earlier — which is why it stayed calm.
Where founders go wrong
Not recognising the breach.
A misdirected email or lost laptop is a breach; filing it as a mistake wastes the 72-hour window.Starting the clock at fix, not awareness.
The deadline runs from when you knew, not when you resolved it.Failing to document a "no-notify" decision.
Every breach must be recorded internally, even the ones you correctly decide not to report.Improvising the response.
Without a playbook and a named owner, a manageable incident becomes a chaotic one.
Related questions
Do I have to report every data breach to the ICO?
No. You must report a personal-data breach to the ICO within 72 hours of becoming aware, unless it is unlikely to result in a risk to individuals. So a genuinely trivial, low-risk incident may not be notifiable — but you must still assess and document it, and the safe default when unsure is to treat the clock as running.
When do I have to tell the people affected?
You must tell affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms — for example exposed passwords, financial details or sensitive data. Lower-risk breaches may be reportable to the ICO without needing to notify individuals, but high-risk ones require both.
What counts as a data breach?
A personal-data breach is any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That includes hacks, but also a lost laptop, an email sent to the wrong recipient, or ransomware — it is not limited to malicious external attacks.
How big can data protection fines be?
UK GDPR fines reach up to £17.5 million or 4% of worldwide annual turnover, whichever is higher, for the most serious breaches. Most startup incidents attract nothing like that, and cooperation and good breach handling matter — but the ceiling is why documented procedures and prompt notification are worth having in place.
A data breach is judged as much on your response as on the incident itself — a documented, prompt, well-owned reaction is often the difference between a footnote and a fine. A SuLe solicitor can help you build a breach playbook now, and stand beside you if the worst happens. Book a free compliance check call and be ready before the 72-hour clock ever starts.
Keep reading: What does UK GDPR require from an early-stage startup? · Does my startup need to register with the ICO? · What is a data processing agreement (DPA) and when do I need one? · Do I need a data protection officer (DPO)? · Can I transfer user data outside the UK? · How should I handle a legal letter or threat against my startup?
Primary sources: ICO — For organisations · GOV.UK — Data protection


