07 Jan 2026

The Ripple Effect: Integrating compassion with a clear-eyed approach to risk

The Information Commissioner’s Office (ICO) launched the Ripple Effect campaign in late 2024, urging all professionals handling personal information to recognise the profound human impact of data breaches and embed empathy and cultural change at the heart of data protection practices. While progress has been made, the ICO’s 2025 update at its Data Protection Practitioner’s Conference 2025 highlights that more work is needed, especially in sectors like healthcare where the stakes are high.

The human cost of data breaches

Data breaches are often seen as technical or legal issues, but in healthcare, the consequences are deeply personal and can be life-changing. A single error might expose sensitive patient data, risking job loss, forced relocation, or the disclosure of health conditions or abuse histories. For vulnerable patients, the fallout can include stigma, discrimination, and threats to safety.

Providing clear and straightforward information

ICO research shows that many affected individuals feel unheard, and support from data controllers is frequently confusing or inaccessible. It’s vital that support and information are clear, accessible, and tailored, especially for those who may experience disproportionate harm.

Responses in the risk context

The ICO urges organisations to embed empathy and compassion into their communications and support processes. It expects that responses to data breaches should never be cold or legalistic, but instead must recognise the real-life impact on patients and staff.

While empathetic, human-centred communication is essential, healthcare organisations must also manage legal risk. Explicitly referring to and apologising for “harm”, rather than (for example) “inconvenience”, may inadvertently heighten an organisation’s exposure to legal risk. Such wording could be interpreted as an admission of liability, potentially strengthening the position of claimants in litigation. It is crucial to balance compassion with careful language, and to seek legal review of external communications.

Balance is key

Best practices for organisations seeking to foster a compassionate data culture while managing legal and reputational risk include:

  • Acknowledge and apologise thoughtfully: Show empathy for those affected, but use language that avoids any unintended admissions of liability, as fault may not be clear at first.
  • Be accessible: Make support and guidance easy to find and understand; offer a named contact if appropriate.
  • Commit to learning from errors: Treat incidents as opportunities to improve, documenting causes, lessons, and actions to prevent recurrence.
  • Be sympathetic: Train staff to understand the human impact of data breaches and to respond with compassion, while also equipping them with guidance on how to communicate in a way that is both supportive and mindful of organisational risk.
  • Collaborate and signpost: Work with support organisations and direct individuals to specialist help when needed, improving outcomes and managing exposure.

By integrating compassion with a clear-eyed approach to risk, organisations can build trust, support those affected, and strengthen their overall data protection culture.
