The UK Information Commissioner’s Office (ICO) is calling on organizations to do more to support victims after a data breach.
According to ICO figures, nearly 30 million people in the UK have experienced a data breach. In total, 55% of UK adults reported having had their data lost or stolen, with 30% of them experiencing emotional distress as a result.
However, a quarter said they received no support from the organizations responsible and 32% found out about the breach via the media, rather than from the organization itself.
Information Commissioner John Edwards said the figures highlight that many organizations “fail to fully appreciate the harm they cause then they mishandle personal data”.
Edwards urged enterprises to act with “empathy and action” when dealing with data breach victims.
"Today, I want to issue a stark warning to organizations across the country: you must do better," he said.
"When a data breach occurs, it’s not just an admin error – it is a failure to protect someone. In many cases if that someone is in a vulnerable situation, they are already facing innumerable personal challenges, or they may be at risk of harm."
Qualitative research conducted by the ICO, meanwhile, found people have had to move homes, felt forced out of their jobs, and faced discrimination as a result of data breaches. Analysis from the data protection watchdog found the real impact on their life was insufficiently recognized by the organization responsible.
ICO issues updated guidance for organizations
New guidance issued by the ICO calls on organizations to assess the risks to the individuals involved, and carry out its reporting and notification duties promptly.
They should acknowledge what has happened to people affected by a breach, be human and accessible in their response, and commit to making sure it doesn’t happen again.
Similarly, organizations should share ICO guidance with people affected by a breach, and make sure that staff have access to the ICO toolkit of resources.
RELATED WHITEPAPER
Another key focus should be implementing changes to corporate culture and ensuring that empathy is at the heart of their response, the ICO said.
"To many organizations, a data breach might seem like a temporary setback - something that can be patched up with technical fixes and compliance reviews," said Edwards.
"But from the perspective of individuals - especially those in vulnerable situations - a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate."
-
AI recruitment tools are still a privacy nightmare – here's how the ICO plans to crack down on misuseNews The ICO has issued guidance for recruiters and AI developers after finding that many are mishandling data
-
LinkedIn backtracks on AI training rules after user backlashNews UK-based LinkedIn users will now get the same protections as those elsewhere in Europe
-
UK's data protection watchdog deepens cooperation with National Crime AgencyNews The two bodies want to improve the support given to organizations experiencing cyber attacks and ransomware recovery
-
ICO slams Electoral Commission over security failuresNews The Electoral Commission has been reprimanded for poor security practices, including a failure to install security updates and weak password policies
-
Disgruntled ex-employees are using ‘weaponized’ data subject access requests to pester firmsNews Some disgruntled staff are using DSARs as a means to pressure former employers into a financial settlement
-
ICO reprimands Coventry school over repeated data protection failuresNews The ICO said the academy trust failed to follow previous guidance, which caused a serious data breach
-
ICO dishes out fine to HelloFresh for marketing spam campaignNews HelloFresh failed to offer proper opt-outs, the ICO said, and customers weren’t warned their data would be used for months after they cancelled
-
ICO fines topped $14 million in 2023 amid crackdown by regulator on data protection standardsNews ICO fines across 2023 exceeded £14 million, with TikTok among the worst-hit for data protection violations
