Almost 22,000 data breaches have been self-reported to the Information Commissioner’s Office (ICO) since 2023, according to new analysis that warns HR must be central to incident response if organisations are to protect staff wellbeing as well as compliance.
A study by employee engagement platform Reward Gateway | Edenred found that between January 2023 and the first quarter of 2025, 21,978 incidents were reported under UK GDPR rules.
Health accounted for the highest number of cases (3,820), followed by education and childcare (3,246), retail and manufacturing (2,385) and finance, insurance and credit (2,175).
Under the law, organisations must report a breach within 72 hours if there is a risk to individuals’ rights and freedoms. While much of the focus has been on customer and regulatory obligations, researchers said the internal impact on employees is often overlooked.
Staff wellbeing after breaches
Chris Britton, people experience director at Reward Gateway | Edenred, said organisations typically concentrated on regulatory requirements and customer protection in the aftermath of an incident, but added that “the impact on the workforce is overlooked which could delay and damage both short- and long-term recovery from an incident”.
He said employees often experienced stress, disruption and anxiety during ICO investigations, particularly where systems were restricted or HR platforms were compromised. “This can lead to a significant impact on the mental wellbeing of the workforce and affect workplace cohesion and morale,” he said.
Seasonal patterns and high-profile cases
Analysis of ICO figures also shows seasonal peaks in breaches, with the fourth quarter of 2023 and 2024 recording the highest volumes. November alone accounted for 2,071 cases.
The findings come after several high-profile UK breaches this year, including cyberattacks on the NHS, the British Library and outsourcing firm Capita, all of which exposed sensitive personal data and triggered ICO scrutiny.
In each case, questions were raised not only about data security but also about how staff were supported when systems were disrupted and workloads increased.
Experts said the sharp rise in reported incidents reflected both the volume of sensitive data handled in regulated sectors and the heightened risks from phishing, ransomware and human error. ICO data shows that many breaches result from simple mistakes, such as sending emails to the wrong recipient or failing to secure devices.
Why HR matters in breach response
Reward Gateway | Edenred said HR teams should be embedded in incident planning alongside IT and compliance functions. Their role, it argued, was to reassure employees, provide wellbeing support and maintain morale while investigations were ongoing.
Britton said staff often felt guilt even when they had followed protocol. “Being under investigation by the ICO can lead to paranoia and anxiety, until the consequences are clear for the business,” he said. He urged organisations to involve HR in incident response planning so that employees were kept informed and supported.
The report identified several measures HR teams could adopt to reduce risk and build resilience. They include:
- Prioritising employee wellbeing year-round, as stressed or burnt-out staff are more likely to make errors.
- Encouraging work-life balance to reduce exhaustion and accidental lapses in judgement.
- Strengthening loyalty through investment in employee growth and fair pay, creating a culture where staff feel motivated to protect the organisation.
- Providing continuous training so that employees can spot emerging cyber threats and avoid impulse clicks.
“Every employee plays a part in data protection,” Britton said, noting that most breaches originated from human error rather than technology.
