Skip to main content

Charitable and voluntary data breaches reported to the ICO

The charitable and voluntary sector reported 246 personal-data breaches to the UK Information Commissioner's Office in Q4 20256.7% of all reported incidents, ranking it #6 of 22 sectors by volume.

Quick answer

In Q4 2025, the charitable and voluntary sector reported 246 personal-data breaches to the UK ICO, which is 6.7% of the 3,677 breaches reported across all sectors and makes it the #6 highest-volume sector of 22.

246
Reported breaches
6.7%
Share of all incidents
#6 of 22
Rank by volume

Source: ICO (Information Commissioner's Office) — Data security incident trends (data-security-incidents-trends-q1-2019-to-q4-2025.xlsx). Contains public sector information licensed under the Open Government Licence v3.0. Figures are distinct-incident counts for Q4 2025, retrieved 2026-06-25. Presented neutrally; this is statistics, not legal advice.

FAQ

How many data breaches did the charitable and voluntary sector report to the ICO in Q4 2025?
The charitable and voluntary sector reported 246 distinct personal-data breaches to the UK ICO in Q4 2025. That is 6.7% of the 3,677 breaches reported across all sectors, ranking it #6 of 22 sectors by volume. Figures are taken directly from the ICO's published 'Data security incident trends' statistics.
Is the charitable and voluntary sector a high-breach sector?
In Q4 2025 the charitable and voluntary sector ranked #6 of 22 sectors by reported breach volume, accounting for 6.7% of all reported personal-data breaches. Volume reflects both the number of organisations in a sector and how diligently they report — a higher count is not on its own evidence of weaker controls.
What should charitable and voluntary organisations do to reduce breach risk?
Because the highest-volume incident types across all sectors are misdirected email, phishing and unauthorised access, the most effective controls are practical: delayed-send and recipient confirmation on email, mandatory bcc for bulk mail, multi-factor authentication and least-privilege access, redaction checks before disclosure, and a tested 72-hour breach-response process. A structured GDPR audit maps your data flows against these obligations.

Data retrieved 2026-06-25 · reporting period Q4 2025.

Cut your breach risk before it becomes a report to the ICO

Most breaches in this data are preventable — misdirected email, weak access controls, phishing. GeraCompliance's fixed-scope GDPR sprint maps your data flows, hardens the controls behind these incident types, and gives you a tested breach-response plan — in days, not months.