An Organisation’s Responsibility Following A Data Leak

When a data breach takes place, public attention often turns to financial penalties, reputational damage and regulatory consequences. However, behind every compromised record is a person whose life may be disrupted, whose trust has been broken and who may find themselves vulnerable in ways that are not always immediately visible.

This was illustrated in April 2024 when the ICO highlighted repeated breaches involving the disclosure of HIV status through improper use of email. In one case, a UK health provider copied hundreds of patients into a group email, making their addresses visible and exposing sensitive health information without consent. The ICO said this denied individuals their “basic dignity and privacy.” For many, it caused anxiety, shame and a deep loss of trust. What seemed like a minor error had serious, lasting consequences.

In response to incidents like these, the Information Commissioner’s Office (ICO) has urged organisations across the UK to place greater emphasis on empathy and meaningful follow-up in the aftermath of a data breach. Information Commissioner John Edwards made the case clearly in a recent statement. He explained that organisations have a role to play in stopping the ripple effect from spreading further. 

“There are two important things I need organisations to understand: empathy and action. You have a role to stop the negative ripple effect in someone’s life from spreading further. It is vitally important to acknowledge what has happened, be human in your response and commit to making sure it doesn’t happen again.”

“We trust organisations with some of the most sensitive personal information imaginable, yet these data breaches continue to happen. This is not just an administrative mistake. It affects real people. When data is mishandled, the consequences can be serious and long-lasting, especially for those in vulnerable situations. Organisations need to do better.”

Understanding The Full Cost Of A Data Breach

The financial implications of a breach are well known. In 2024, the average cost of a data incident rose to 4.88 million US dollars. What is less frequently discussed is the toll on those directly impacted. According to the ICO, around 30 million people in the UK have experienced a data breach. Over half of UK adults have had their data lost or stolen, and nearly a third reported emotional distress as a result.

These numbers highlight how much more needs to be done. When a breach happens, organisations must go beyond fulfilling basic obligations. Clear communication, transparency and real support must become standard. This includes providing immediate guidance on what steps individuals should take, whether that involves monitoring personal accounts or seeking emotional reassurance. Responding quickly and with empathy can help rebuild trust and reduce the longer-term damage.

Prevention Must Come First

Support after a breach is important. However, it cannot replace the need for strong preventative measures. Both morally and legally, organisations are expected to take reasonable steps to secure the data in their care.

New and updated regulatory frameworks such as HIPAA, DORA and NIS2 are setting higher standards across industries. These include specific expectations for securing data within email systems, which continue to be a common source of data loss. In response, organisations are being encouraged to implement more robust protections, such as end-to-end encryption, multi-factor authentication, data loss prevention tools and proof of delivery capabilities.

Meeting these requirements is not only about compliance. It is about recognising the duty of care that organisations owe to the people who entrust them with sensitive information.

Most Breaches Still Come Down To Human Error

While cyberattacks and malware often dominate headlines, the ICO has consistently reported that the leading cause of breaches is human error. These are everyday mistakes, such as sending an email to the wrong person, failing to remove sensitive information or misusing copy and blind copy fields.

This remains a major challenge for IT and security leaders. Yet more and more organisations are starting to recognise that the problem lies in the tools, not the people. Standard email platforms were not built with modern security in mind and often lack the features needed to prevent common errors.

The answer lies in improving the systems employees rely on. By strengthening the technology and incorporating safeguards that protect data before, during and after sending, we can reduce the risk of human error and support people in making better choices.
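One concrete form such a safeguard can take is a pre-send check that blocks a group message whose recipient list would be visible to everyone, the mistake behind the HIV-status disclosures described above. This is an added illustration, not code from the author or from Zivver; the organisation domain, the threshold and the sample message are constructed assumptions.

```python
"""Pre-send guard: refuse to send a bulk message that exposes recipients
in To/Cc, and show the Bcc-based rewrite that avoids the disclosure."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Assumed policy values (hypothetical): the sender's own domain, and the number
# of visible external recipients above which a message must use Bcc instead.
INTERNAL_DOMAIN = "clinic.example"
MAX_VISIBLE_EXTERNAL = 1


def visible_external_recipients(msg: Message) -> list[str]:
    """Addresses in To/Cc that every recipient can see and that are outside
    the organisation, i.e. exactly the addresses a group mailing would leak."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({addr.lower() for _, addr in pairs
                   if addr and not addr.lower().endswith("@" + INTERNAL_DOMAIN)})


def check_outgoing(raw: str) -> dict:
    """Return 'allow', or 'block' with the exposed addresses and a rewritten
    message in which every external address has been moved to Bcc."""
    msg = message_from_string(raw)
    leaked = visible_external_recipients(msg)
    if len(leaked) <= MAX_VISIBLE_EXTERNAL:
        return {"action": "allow", "exposed": leaked}
    fixed = message_from_string(raw)
    del fixed["To"]          # removes every To/Cc header, so nothing visible remains
    del fixed["Cc"]
    fixed["To"] = msg["From"]  # only the sender's own address stays visible
    fixed["Bcc"] = ", ".join(leaked)
    return {"action": "block", "exposed": leaked, "rewritten": fixed.as_string()}


# Constructed sample: a group mailing with several patients copied in Cc.
SAMPLE = """From: outreach@clinic.example
To: outreach@clinic.example
Cc: alice@example.net, bob@example.org, carol@example.com
Subject: Clinic appointment reminders

Please see the attached schedule.
"""

if __name__ == "__main__":
    print(check_outgoing(SAMPLE)["action"])  # → block
```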

A Broader Responsibility

Ultimately, data protection is not just a technical requirement or a tick-box exercise for regulatory purposes. It is a fundamental responsibility. Every organisation that handles personal data is being trusted to protect it. That trust should be treated with care and respect.

The message from the ICO is clear. Organisations need to do more, both in preventing breaches and in how they respond when incidents occur. That means treating data protection as a continuous responsibility, and data breaches as serious events that affect individuals, not just abstract statistics.

By committing to empathy, transparency and continuous improvement, organisations can protect not just information but also the people behind it.

Wouter Klinkhamer is CEO & Co-founder at Zivver
