John Edwards is the Information Commissioner.
Imagine a person who has recently escaped an abusive relationship, only to have their confidential address exposed due to a data breach. Or think about someone living with HIV whose medical information is accidentally disclosed. These are not rare or exaggerated scenarios – they are real, and they happen. Such breaches can lead to stigma, fear, discrimination, or even physical danger. For those in already difficult circumstances, the effects can be devastating and life-altering.
What is more troubling is that too often, the people impacted by these breaches have told us that their voices are not heard, and the harm they suffer isn’t taken seriously by the organisations responsible. Organisations need to understand that the harm doesn’t end with the breach – that is only where it begins.
Data protection has never been about computers or robots – it's about people. The information we are trusted with is not just a set of numbers or details – it reflects individual lives. Yet in figures revealed by the ICO today, we see that 55% of adults have had their data lost or stolen. That is nearly 30 million people. The personal and emotional toll of this is too often overlooked.
Alarmingly, 30% of victims report emotional distress, yet 25% receive no support from the organisations responsible. Even more troubling is that 32% of those affected find out through the media rather than from the organisation itself, deepening feelings of betrayal.
These numbers highlight a critical issue: too many organisations fail to fully appreciate the harm they cause when they mishandle personal data. When a data breach occurs, it’s not just an admin error – it is a failure to protect someone. In many cases, if that someone is in a vulnerable situation, they are already facing innumerable personal challenges, or they may be at risk of harm.
Today, I want to issue a stark warning to organisations across the country: you must do better.
To many organisations, a data breach might seem like a temporary setback – something that can be patched up with technical fixes and compliance reviews. But from the perspective of individuals – especially those in vulnerable situations – a breach can have a far-reaching ripple effect that disrupts their lives in ways that some may not fully appreciate.
There are two important things I need organisations to understand: empathy and action. You have a role to stop this ripple effect in someone’s life from spreading further. It is vitally important to acknowledge what has happened, be human in your response and commit to making sure it doesn’t happen again.
At the ICO, we are committed to protecting individuals, especially those who are most at risk of harm from data breaches. But this cannot be done alone. We need organisations to step up, to do better, and to recognise the critical importance of data protection in safeguarding people’s lives.
In our work with vulnerable individuals, we’ve seen first-hand how deeply data breaches can impact lives. I want to take a moment to acknowledge the support we’ve received from organisations such as the National AIDS Trust, Terrence Higgins Trust, Women’s Aid, and Women’s Aid Scotland. Their insights have been invaluable in shaping our approach and ensuring people’s voices are heard when things go wrong.
The ICO is here to help you navigate these challenges. But make no mistake: we expect more from you. The ICO remains committed to working alongside organisations to help them improve their data protection practices, and has published new guidance to support them in this endeavour.
The stakes are too high to get it wrong. At the end of the day, it’s not just about protecting data. It’s about protecting people.