GDPR Compliance
Article 33 — Breach Notification
72-Hour ICO Notification Procedure & Internal Incident Log
ICO Registered Data Controller
CourtCraft Advocate Ltd — ICO Registration No. ZB812547
Under Article 33 UK GDPR, we must notify the ICO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.
1. Legal Framework
Article 33 UK GDPR requires CourtCraft Advocate Ltd, as data controller, to notify the Information Commissioner's Office (ICO) of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
Article 34 UK GDPR additionally requires us to communicate a breach directly to affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
⚠️ Notification Threshold
Notification to the ICO is required unless the breach is unlikely to result in a risk to individuals. Where there is doubt, we notify. Notification to affected individuals is required where the breach is likely to result in a high risk — particularly relevant given we process special category data including domestic abuse disclosures.
2. 72-Hour Response Workflow
- 1Breach detected — by automated monitoring, user report, or third-party notification
- 2Assign Incident Lead (DPO or senior technical officer)
- 3Open incident log entry immediately (see log below)
- 4Preserve evidence — do not delete logs or modify affected systems
- 5Contain the breach — isolate affected systems if necessary
- 1Identify what data was affected (categories, volume, sensitivity)
- 2Identify how many individuals are affected
- 3Assess whether special category data (Article 9) is involved
- 4Assess whether domestic abuse data or child data is involved — treat as CRITICAL
- 5Determine likely cause: unauthorised access, accidental disclosure, system failure, third-party breach
- 6Assess risk level: Low / Medium / High / Critical
- 1Notify all relevant internal stakeholders
- 2Implement technical remediation (patch, revoke access, reset credentials)
- 3Notify affected third-party processors (Supabase, Anthropic, OpenAI, Stripe, Resend, Perplexity, Calendly) as applicable
- 4Document all actions taken with timestamps
- 5Prepare ICO notification draft (see Article 33(3) requirements below)
- 1Submit notification via ICO breach report portal: ico.org.uk/for-organisations/report-a-breach/
- 2Include: nature of breach, categories and approximate number of individuals affected, categories and approximate number of records affected, name and contact details of DPO, likely consequences of breach, measures taken or proposed to address the breach
- 3If notification cannot be made within 72 hours, submit with reasons for delay
- 4If HIGH RISK to individuals: notify affected data subjects without undue delay (Article 34)
- 5Log ICO reference number in incident log
- 1Complete full incident report within 7 days
- 2Conduct root cause analysis
- 3Update security controls and procedures as required
- 4Review and update DPIA if processing activities changed
- 5Retain incident log for minimum 3 years (ICO requirement)
- 6Report to board/senior management
3. Article 33(3) — Required ICO Notification Content
Every ICO breach notification must include the following information under Article 33(3) UK GDPR:
Nature of breach
Categories and approximate number of data subjects concerned; categories and approximate number of personal data records concerned
DPO contact details
Name and contact details of the Data Protection Officer or other contact point
Likely consequences
Description of the likely consequences of the personal data breach
Measures taken
Description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
Processor notification
If breach originated at a processor (Article 28), the processor must notify CourtCraft without undue delay after becoming aware
Phased notification
Where all information is not available at once, it may be provided in phases without undue further delay
4. Special Category Data — Elevated Response
🚨 CRITICAL: Domestic Abuse Data
Any breach involving domestic abuse disclosures, DASH risk assessments, or data that could identify a victim of domestic abuse must be treated as a CRITICAL incident. Immediate notification to the ICO is required. Affected individuals must be notified with safety guidance. Contact the National Domestic Abuse Helpline (0808 2000 247) for guidance on victim notification.
Health data
HIGH risk — notify ICO within 72h; notify individuals if high risk to their rights
Child welfare data
HIGH risk — notify ICO within 72h; consider safeguarding referral
Financial vulnerability data
MEDIUM risk — notify ICO; assess individual notification need
Legal proceedings data
HIGH risk — notify ICO; assess contempt of court implications
Internal Incident Log
Article 33(5) UK GDPR — all breaches must be documented regardless of ICO notification requirement
Incident Register
Retained for minimum 3 years (ICO requirement)
Loading incident log…
72-Hour Clock
The 72-hour notification window starts from the moment CourtCraft Advocate becomes aware of a breach — not when it is confirmed. If you discover a potential breach, log it immediately and begin the assessment process. Do not wait for full confirmation before starting the clock.
Report to ICO now →