‘In the UK there is currently no legal obligation under the Data Protection Act 1998 (DPA) to report personal data breaches to anyone. However, the Information Commissioner’s Office (ICO) guidance recommends that serious breaches should be brought to its attention.’
Law Society’s Gazette, 4th April 2016
Source: www.lawgazette.co.uk