
The finance sector is among the sectors most affected by GDPR data breaches, self-reporting 2,175 cases between 2023 and Q1 of 2025, according to new analysis of ICO data by Reward Gateway | Edenred.
UK GDPR legislation defines a personal data breach as a: “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”.
Examples include sending an email to the wrong recipient, a lost laptop containing personal data, a cyberattack that exposes customer records, or staff sharing sensitive data inappropriately or without authorisation.
Exploring the latest data available, from 2023 to the first quarter of 2025, there have been nearly 22,000 cases of businesses and public sector organisations self-reporting data breaches to the Information Commissioner’s Office.
Analysed by sector, the ICO’s data shows a clear trend: self-reported data breaches are most numerous in sectors that handle and store large amounts of sensitive personal data, where the consequences of a breach for individuals are greatest.
The finance, insurance and credit sector has one of the highest counts of self-reported personal data breaches, with 2,175 between 2023 and 2025 (up to Q1). It sits fourth, behind the sector with the highest total (3,820), education and childcare (3,246), and retail and manufacturing (2,385).
Many of these sectors are also heavily regulated and operate under close public scrutiny. Because of this, organisations often adopt a risk-averse reporting approach. Across both 2023 and 2024, Q4 saw the highest rates of data breach reports (5,726) with incidents peaking in November, totalling 2,071 cases.
Under UK GDPR, organisations must report a breach to the ICO (the UK’s independent regulator for data protection and information rights) within 72 hours of becoming aware of it if it poses a risk to individuals’ rights and freedoms. In some cases, they must also notify the affected individuals, who can be employees, customers, members of the public, or third-party suppliers and partners.
When an organisation self-reports a breach, the ICO will review the events, what kind of personal data was involved and assess whether individuals are at risk. It will evaluate the organisation’s response and provide guidance or take enforcement action in more serious cases.
While the focus in the aftermath of a personal data breach is on harm reduction for those directly affected, there is less attention paid to the negative impact breaches can have on employee wellbeing, morale and productivity within the finance sector.
Chris Britton, people experience director at Reward Gateway | Edenred, commented: “A data breach can have far-reaching consequences for finance businesses and it is right they place emphasis on meeting legal requirements and customer needs in the aftermath. But often the impact on the workforce is overlooked which could delay and damage both short- and long-term recovery from an incident.
“The period after a data breach is discovered is an extremely stressful, disruptive and uncertain time for an organisation and its employees. Many will feel a sense of guilt over the breach, even if they followed protocols.
“Being under investigation by the ICO can lead to paranoia and anxiety, until the consequences are clear for the business. Access to systems may become restricted and usual ways of working disrupted until the event is resolved. This can lead to a significant impact on the mental wellbeing of the workforce and affect workplace cohesion and morale.
“Some breaches may be employee data if HR systems are involved, adding additional stress and concern. No matter the details of the incident, organisations should always act to protect employee wellbeing in its wake and take proactive measures all year round.”