
GDPR Personal Data Breaches and The Role of HR in Incident Response

The blog discusses the impact of GDPR personal data breaches on various UK sectors, highlights the peak times for breaches, and emphasises the integral role HR should play in incident response to protect employee wellbeing and engagement.

Personal data breaches can be a challenging and disruptive experience for employees. At Reward Gateway | Edenred, we set out to explore the broader impact of GDPR data breaches on UK organisations in recent years, identify which sectors are most at risk, and examine how HR can play a more integral role in incident response planning. This approach aligns with our commitment to fostering comprehensive workplace wellbeing strategies. 

What is a personal data breach?

As per the Information Commissioner's Office (ICO), a personal data breach is a breach of security resulting in personal information being compromised – either through a leak, damage or forbidden access being granted.  

Examples of data breaches include: 

  • Information being accessed by an unauthorised third party. 
  • Personal information sent to the wrong person(s). 
  • Devices containing personal data being lost or stolen. 
  • Changes made to personal data without permission. 
  • Loss of availability of personal data. 

 

Our GDPR Data Breach Study: Results

According to our analysis of the latest available ICO data, from 2023 to the first quarter of 2025, there have been nearly 22,000 cases of UK businesses and public sector organisations self-reporting data breaches. Our research has revealed that the peak period for breaches tends to be the fourth quarter of the year, with the most affected sectors being health and education.  


 

Sectors most impacted by data breaches

Health Sector

With 3,820 self-reported cases, the health sector has been the most impacted by personal data breaches since the start of 2023.  

Data leaks can have particularly serious consequences in the health sector, given the sensitivity of the information they hold. In March 2025, an NHS software provider was fined £3 million by the ICO, after personal information of 79,404 people was at risk due to security failings.   

 

Education and Childcare Sector

Between 2023 and Q1 2025, the education and childcare sector reported 3,246 personal data breaches, making it the second most affected sector. Any information leak in this area can raise significant concerns for organisations, parents, and students alike. Notably, analysis from the ICO revealed that 57% of insider cyberattacks in schools were caused by students. Nearly a third of these incidents stemmed from weak or poorly stored passwords, underscoring the importance of robust cybersecurity practices. 

 

Retail and Manufacturing Sector

Third on the list is the retail sector, which reported 2,385 data breaches. When the latest data from the ICO is released, it’s likely that retail will remain one of the most impacted industries. This follows a surge in cyberattacks targeting several major UK retailers between April and June 2025, impacting well-known brands like Marks & Spencer, the Co-operative, H&M, and Harrods. While it’s not clear how many of these incidents involved personal data, it was confirmed in at least one high-profile case in May 2025 that customer names and contact details were compromised in an Adidas data breach. 

 

Finance, Insurance and Credit Sector

The finance, insurance and credit sector recorded 2,175 cases of personal data breaches from 2023-2025.  

 Unfortunately, companies that handle financial information are popular targets for hackers and the penalties following a leak can be severe. In 2023, Equifax were fined £11 million for the mishandling of consumer data, which allowed hackers access to millions of UK customers’ personal information.  

 

Local Government 

Fifth on the list were local governments, who self-reported 1,956 incidents of personal data breaches between 2023-25. GDPR breaches within this sector often involve data on government officials, which way members of the public voted and names and addresses of local residents.   

 

When are you most likely to be affected by a data breach?

Data from 2023 and 2024 shows that organisations were most likely to experience a personal data breach towards the end of the year, with significantly fewer incidents reported in the first quarter.  


 

Notably, November accounted for 28% more reported breaches than the average month. Over the last two years, 2,071 cases were reported in November, compared to the monthly average of 1,622 cases. 

 


 

The Role of HR in Incident Response Planning

A data breach is often the concern of the C-Suite, cybersecurity professionals and regulatory and legal teams. But there is a strong argument for HR being integrated into incident response planning based on the impact breaches and penalties can have on the workforce. 

 When an organisation self-reports a breach, the ICO will review the events, what kind of personal data was involved and assess whether individuals are at risk. It will evaluate the organisation’s response and provide guidance or take enforcement action in more serious cases. 

While the focus in the aftermath of a personal data breach is on harm reduction for those directly affected, there is less attention paid to the negative impact breaches can have on employee wellbeing, morale and productivity. 

How to help employees affected by data breach incidents

A data breach can have far-reaching consequences for organisations and it is right they place emphasis on meeting legal requirements and customer needs in the aftermath. But often the impact on the workforce is overlooked, which could delay and damage both short- and long-term recovery from an incident.

The period after a data breach is discovered is an extremely stressful, disruptive and uncertain time for an organisation and its employees. Many will feel a sense of guilt over the breach, even if they followed protocols. Being under investigation by the ICO can lead to paranoia and anxiety, until the consequences are clear for the business. Access to systems may become restricted and usual ways of working disrupted until the event is resolved. This can lead to a significant impact on the mental wellbeing of the workforce and affect workplace cohesion and morale. 

Some breaches may include employee data if HR systems are involved, adding further stress and concern. No matter the details of the incident, organisations should always act to protect employee wellbeing in its wake and take proactive measures all year round.

Here are five effective ways in which HR teams can minimise the disruption and impact on staff within affected organisations: 

#1 Prioritise employee wellbeing and engagement  

Every employee plays a part in data protection. But research shows most data breaches are caused by human error. Burnt out, stressed and exhausted employees are more likely to accidentally compromise an organisation’s cybersecurity. Businesses can build a first line of defence by prioritising employee wellbeing 365 days a year.

#2 Encourage work-life balance 

When businesses reward employees for working excessive hours, others will feel obliged to follow suit, creating unhealthy workplace habits. A quarter of employees say work negatively impacts physical and mental health. Poor wellbeing makes employees more vulnerable to accidentally causing a cyber breach. 

Openly encouraging employees to prioritise work-life balance will create a workforce that is engaged, proactive and more focused on their day-to-day priorities when at work – including data security.

#3 Build employee loyalty  

Investing in your employees’ growth tells them they matter to the business and breeds confidence to contribute and engage meaningfully in the workplace. This can include competitive pay, educational opportunities or leadership training.

Meaningful contribution and engagement breed loyalty, and loyalty breeds care for the organisation in which people work. This is an important part of ensuring everyone works towards a common goal and protects the organisation.

#4 Involve HR in incident response planning

Organisations can easily make the mistake of labelling a data breach as an IT and compliance issue. But responding to a breach should also involve the HR department to reassure employees, keeping them informed and supported and engaged in response planning. HR departments should be available to answer questions, respond to concerns and signpost employees to available wellbeing support.

#5 Provide dedicated and real-time training 

As technology and criminals get smarter, cyber security threats become harder to spot. Employees are left vulnerable if they are not consistently trained and upskilled. Having the confidence to identify threats and avoid impulse clicks will give employees greater confidence, reduce anxiety and maximise productivity. 

 

Methodology 

Reward Gateway | Edenred’s researchers examined the latest available data (2023-2025) from the Information Commissioner’s Office of self-reported personal data breach cases, recording the date cases were reported and the sector of the businesses that reported. 

Source: 
https://ico.org.uk/action-weve-taken/complaints-and-concerns-data-sets/self-reported-personal-data-breach-cases/ 

 
