Stuart Gentle Publisher at Onrec

Data breaches are on the rise: Here’s why HR must be central to incident response

New analysis of ICO data by Reward Gateway | Edenred reveals the sectors most likely to self-report data breaches under GDPR legislation and identifies seasonal trends. Self-reported breaches are part of an organisation’s legal duty to be transparent about incidents affecting people’s data.

Exploring the latest data available, from 2023 to the first quarter of 2025, there have been nearly 22,000 cases of businesses and public sector organisations self-reporting data breaches to the Information Commissioner’s Office.

UK GDPR defines a personal data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.” Examples include sending an email to the wrong recipient, a lost laptop containing personal data, a cyberattack that exposes customer records, or staff sharing sensitive data inappropriately or without authorisation.

Under UK GDPR, organisations must report a breach to the ICO - the UK’s independent regulator for data protection and information rights - within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to individuals, they must also notify the affected individuals without undue delay; those individuals can be employees, customers, members of the public and third-party suppliers or partners.

Broken down by sector, the ICO’s figures show a clear trend: self-reported data breaches are most common in sectors that handle and store large amounts of sensitive personal data, where a breach carries a higher risk to the individuals concerned.

The health sector has the highest rates of self-reporting for personal data breaches, totalling 3,820 between 2023 and 2025 (up to Q1). In close second is education and childcare (3,246), followed by retail and manufacturing (2,385) and finance, insurance and credit (2,175).

Many of these sectors are also heavily regulated and operate under close public scrutiny. Because of this, organisations often adopt a risk-averse reporting approach.

Across both 2023 and 2024, Q4 saw the highest number of data breach reports (5,726), with incidents peaking in November, which accounted for 2,071 cases.

When an organisation self-reports a breach, the ICO will review the events, what kind of personal data was involved and assess whether individuals are at risk. It will evaluate the organisation’s response and provide guidance or take enforcement action in more serious cases.

While the focus in the aftermath of a personal data breach is on harm reduction for those directly affected, there is less attention paid to the negative impact breaches can have on employee wellbeing, morale and productivity.

Chris Britton, People Experience Director at Reward Gateway | Edenred, explains why protecting employee wellbeing after a breach is imperative for organisations and how HR teams can minimise the disruption and impact on staff within affected organisations…

“A data breach can have far-reaching consequences for organisations and it is right they place emphasis on meeting legal requirements and customer needs in the aftermath. But often the impact on the workforce is overlooked which could delay and damage both short- and long-term recovery from an incident.

“The period after a data breach is discovered is an extremely stressful, disruptive and uncertain time for an organisation and its employees. Many will feel a sense of guilt over the breach, even if they followed protocols. Being under investigation by the ICO can lead to paranoia and anxiety, until the consequences are clear for the business. Access to systems may become restricted and usual ways of working disrupted until the event is resolved. This can lead to a significant impact on the mental wellbeing of the workforce and affect workplace cohesion and morale.

“Some breaches may involve employee data if HR systems are affected, adding additional stress and concern. No matter the details of the incident, organisations should always act to protect employee wellbeing in its wake and take proactive measures all year round. Here’s how:

#1 Prioritise employee wellbeing and engagement 

“Every employee plays a part in data protection. But research shows most data breaches are caused by human error. Burnt out, stressed and exhausted employees are more likely to accidentally compromise an organisation’s cybersecurity. Businesses can build a first line of defence by prioritising employee wellbeing 365 days a year.”

#2 Encourage work-life balance

“When businesses reward employees for working excessive hours, others will feel obliged to follow suit, creating unhealthy workplace habits. A quarter of employees say work negatively impacts physical and mental health. Poor wellbeing makes employees more vulnerable to accidentally causing a cyber breach.

“Openly encouraging employees to prioritise work-life balance will create a workforce that is engaged, proactive and more focused on their day-to-day priorities when at work – including data security.”

#3 Build employee loyalty 

“Investing in your employees’ growth tells them they matter to the business and breeds confidence to contribute and engage meaningfully in the workplace. This can include competitive pay, educational opportunities or leadership training.

“Meaningful contribution and engagement breeds loyalty and loyalty breeds care for the organisation in which people work. This is an important part of ensuring everyone works towards a common goal and protects the organisation.”

#4 Involve HR in incident response planning

“Organisations can easily make the mistake of labelling a data breach as an IT and compliance issue. But responding to a breach should also involve the HR department, to reassure employees and keep them informed, supported and engaged in response planning. HR departments should be available to answer questions, respond to concerns and signpost employees to available wellbeing support.”

#5 Provide dedicated and real-time training

“As technology and criminals get smarter, cyber security threats become harder to spot. Employees are left vulnerable if they are not consistently trained and upskilled. Having the confidence to identify threats and avoid impulse clicks will give employees greater confidence, reduce anxiety and maximise productivity.”

The full study is here