GDPR Compliance

Article 33 — Breach Notification

72-Hour ICO Notification Procedure & Internal Incident Log

ICO Registered Data Controller

CourtCraft Advocate Ltd — ICO Registration No. ZB812547

Under Article 33 UK GDPR, we must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

1. Legal Framework

Article 33 UK GDPR requires CourtCraft Advocate Ltd, as data controller, to notify the Information Commissioner's Office (ICO) of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it.

Article 34 UK GDPR additionally requires us to communicate a breach directly to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

⚠️ Notification Threshold

Notification to the ICO is required unless the breach is unlikely to result in a risk to individuals. Where there is doubt, we notify. Notification to affected individuals is required where the breach is likely to result in a high risk — particularly relevant given we process special category data including domestic abuse disclosures.

2. 72-Hour Response Workflow

Hour
Hour 0Detection & Initial Assessment
  • 1Breach detected — by automated monitoring, user report, or third-party notification
  • 2Assign Incident Lead (DPO or senior technical officer)
  • 3Open incident log entry immediately (see log below)
  • 4Preserve evidence — do not delete logs or modify affected systems
  • 5Contain the breach — isolate affected systems if necessary
Hours
Hours 1–4Scope & Risk Assessment
  • 1Identify what data was affected (categories, volume, sensitivity)
  • 2Identify how many individuals are affected
  • 3Assess whether special category data (Article 9) is involved
  • 4Assess whether domestic abuse data or child data is involved — treat as CRITICAL
  • 5Determine likely cause: unauthorised access, accidental disclosure, system failure, third-party breach
  • 6Assess risk level: Low / Medium / High / Critical
Hours
Hours 4–24Internal Escalation & Remediation
  • 1Notify all relevant internal stakeholders
  • 2Implement technical remediation (patch, revoke access, reset credentials)
  • 3Notify affected third-party processors (Supabase, Anthropic, OpenAI, Stripe, Resend, Perplexity, Calendly) as applicable
  • 4Document all actions taken with timestamps
  • 5Prepare ICO notification draft (see Article 33(3) requirements below)
Hours
Hours 24–72ICO Notification (if required)
  • 1Submit notification via ICO breach report portal: ico.org.uk/for-organisations/report-a-breach/
  • 2Include: nature of breach, categories and approximate number of individuals affected, categories and approximate number of records affected, name and contact details of DPO, likely consequences of breach, measures taken or proposed to address the breach
  • 3If notification cannot be made within 72 hours, submit with reasons for delay
  • 4If HIGH RISK to individuals: notify affected data subjects without undue delay (Article 34)
  • 5Log ICO reference number in incident log
Post-72h
Post-72hReview & Lessons Learned
  • 1Complete full incident report within 7 days
  • 2Conduct root cause analysis
  • 3Update security controls and procedures as required
  • 4Review and update DPIA if processing activities changed
  • 5Retain incident log for minimum 3 years (ICO requirement)
  • 6Report to board/senior management

3. Article 33(3) — Required ICO Notification Content

Every ICO breach notification must include the following information under Article 33(3) UK GDPR:

Nature of breach

Categories and approximate number of data subjects concerned; categories and approximate number of personal data records concerned

DPO contact details

Name and contact details of the Data Protection Officer or other contact point

Likely consequences

Description of the likely consequences of the personal data breach

Measures taken

Description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Processor notification

If breach originated at a processor (Article 28), the processor must notify CourtCraft without undue delay after becoming aware

Phased notification

Where all information is not available at once, it may be provided in phases without undue further delay

4. Special Category Data — Elevated Response

🚨 CRITICAL: Domestic Abuse Data

Any breach involving domestic abuse disclosures, DASH risk assessments, or data that could identify a victim of domestic abuse must be treated as a CRITICAL incident. Immediate notification to the ICO is required. Affected individuals must be notified with safety guidance. Contact the National Domestic Abuse Helpline (0808 2000 247) for guidance on victim notification.

Health data

HIGH risk — notify ICO within 72h; notify individuals if high risk to their rights

Child welfare data

HIGH risk — notify ICO within 72h; consider safeguarding referral

Financial vulnerability data

MEDIUM risk — notify ICO; assess individual notification need

Legal proceedings data

HIGH risk — notify ICO; assess contempt of court implications

Internal Incident Log

Article 33(5) UK GDPR — all breaches must be documented regardless of ICO notification requirement

Incident Register

Retained for minimum 3 years (ICO requirement)

Loading incident log…

72-Hour Clock

The 72-hour notification window starts from the moment CourtCraft Advocate becomes aware of a breach — not when it is confirmed. If you discover a potential breach, log it immediately and begin the assessment process. Do not wait for full confirmation before starting the clock.

Report to ICO now →