GDPR Breach Notification for Law Firms: The 72-Hour Rule Explained

The 72-hour rule for notifying the ICO of a personal data breach is one of the most misunderstood obligations in data protection law. Many firms believe they have 72 hours from the time the breach is fully investigated. They do not. The clock starts when any person in your organisation first becomes aware that a breach has occurred — even if you do not yet know the full extent of what happened. Missing the deadline risks a separate regulatory finding on top of the underlying breach. This FAQ explains what every UK law firm needs to know.

ICO enforcement data shows that failure to notify within 72 hours is itself a regulatory breach — distinct from and additional to any penalty for the underlying data loss.

What Counts as a Notifiable Breach

Not every data security incident requires ICO notification. Notification is required when the breach is likely to result in a risk to the rights and freedoms of individuals:

  • Ransomware attack encrypting client data: almost certainly notifiable — client data was made unavailable, and whether its confidentiality was also compromised (for example by exfiltration before encryption) is usually uncertain
  • Misdirected email containing client personal data: notifiable if the data is sensitive (health, legal matters, financial) or if the misdirection was to a third party with no legitimate access
  • Phishing attack compromising a fee earner's email account: notifiable if client personal data was accessible in that account
  • Theft of an unencrypted laptop containing client files: notifiable — lost device with unencrypted data is a clear confidentiality risk
  • Accidental deletion of client data: may not be notifiable if the data can be restored from backup without confidentiality risk
  • Paper files left in a public place: notifiable if the files contain sensitive personal data

When Does the 72-Hour Clock Start?

This is the question firms get wrong most often. The ICO's position is clear: the clock starts when any employee, partner, or agent of the organisation becomes aware that a breach has occurred. You do not need to know the full extent of the breach. You do not need your investigation to be complete. You do not need to know whether it is notifiable. When you know enough to say "something has gone wrong with our data", the clock has started.

Frequently Asked Questions

What if we discover a breach on a Friday afternoon?

The 72-hour clock does not pause for weekends or bank holidays. If you become aware of a breach at 4pm on a Friday, you have until 4pm on Monday to notify the ICO. This is why firms need an incident response plan that works outside business hours — including a designated individual with authority to make the notification decision and submit the report to the ICO's online portal.

Can we submit a preliminary notification and provide more information later?

Yes, and the ICO actively encourages this. If you cannot provide all required information within 72 hours, submit a preliminary notification stating that an incident has occurred and that further information will follow as your investigation progresses. This is much better than missing the deadline while waiting to have complete information.

Do we also need to notify the SRA?

Notify the SRA separately if the breach has resulted in, or risks resulting in, a breach of client confidentiality, loss of client money, or significant disruption to the firm's ability to practise. The ICO notification does not satisfy the SRA notification obligation — they are separate requirements under different regulatory frameworks.

What is the fine for missing the 72-hour deadline?

Late notification is a separate breach of UK GDPR Article 33 and can result in a separate fine or regulatory action, on top of any penalty for the underlying breach. The ICO has issued fines specifically for late notification. In the context of a serious breach investigation, failure to notify within 72 hours significantly worsens the firm's regulatory position.

Do we need to notify affected clients?

Under GDPR Article 34, you must notify affected individuals directly where a breach is likely to result in a high risk to their rights and freedoms. High risk typically means the breach involved sensitive personal data (health, legal matters, financial information) and there is a real possibility of harm to those individuals. Where individuals need to take action to protect themselves (for example, because financial credentials were exposed), notification is usually required.

Build a breach notification procedure your firm can actually execute — speak to us

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.