The reporting rule
Under UK GDPR, a personal data breach that is likely to result in a risk to individuals’ rights and freedoms must be reported to the ICO, generally within 72 hours of you becoming aware of it. If the risk is high, you must also notify the affected people.
What to do
Assess every breach, contain it, document what happened, and report if the risk threshold is met — under-reporting a serious breach carries penalties. Good controls and staff awareness cut both the frequency and the fallout.
What it means for you
Credicorp lends to your company, not to you personally, and takes no personal guarantee. See business loans or apply online.
Frequently asked questions
Do I have to report every data breach?
No — only breaches likely to risk individuals’ rights. But you must assess and document every breach so you can justify the decision.
What is the deadline to report to the ICO?
Usually 72 hours from becoming aware of a reportable breach. High-risk breaches also require you to notify the affected individuals.