if there is a high risk – in addition to notifying the ICO, you must inform the individuals concerned directly without undue delay
ICO guidance defines a high risk in terms of the severity of the potential or actual impact on individuals: “If the impact of the breach is more severe, the risk is higher; if the likelihood of the consequences is greater, then again the risk is higher. In such cases, you will need to promptly inform those affected, particularly if there is a need to mitigate an immediate risk of damage to them. One of the main reasons for informing individuals is to help them take steps to protect themselves from the effects of a breach.”
Where the breach is unlikely to result in a risk to people’s rights and freedoms, you do not have to report it to the ICO. If the risk is not high, you do not have to notify the individuals concerned. In both cases, you need to be able to justify your decision, so you should document your reasoning in line with the accountability principle.
The ICO also has the power to compel you to inform affected individuals if they consider that there is a high risk.