
Sent an Email to the Wrong Person ?

In a world which relies so heavily on email, mistakes such as sending an email to the wrong person can and often do happen.

Sending an email containing personal information to the wrong person could constitute a data breach according to GDPR. Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.

GDPR applies to any organisation that operates within the UK, as well as international organisations that provide goods and services to the UK.


Misdirected Email

The Information Commissioner’s Office (ICO) have published the article Common data protection mistakes (and how to fix them) and list sending an email to the wrong person as a common mistake.

An email sent to the wrong recipient is also known as a misaddressed email or a misdirected email.

This is easy to do, especially if more than one person in your address book has the same name.

Tools like Autofill predict who you’re emailing when you start typing someone’s name in the ‘To’ field. It’s a quick way to go through your address book. But the few seconds you save by using Autofill could end up costing you a lot more if you send personal data to the wrong person by mistake.

Sending an email to the wrong person

The ICO publish, in my opinion, minimal guidance on what to do to fix this :-

Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails.

Fix It – Sending an email to the wrong person

In addition to the guidance from the ICO, you should, as the sender of the email, immediately contact the Data Protection Officer (DPO) in your organisation so they can assess the data breach and report it to the ICO if necessary.

The ICO has a search page which makes it easy to find organisations and people registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018.

Example ICO search results – East Sussex County Council

If you have received an email in error that contains personal information that you suspect may be in breach of GDPR, you may wish to contact the sender's DPO as well as the ICO to report the Personal Data Breach (PDB).

What is the 72 Hour Rule ?

Part 3 of the Data Protection Act 2018 introduced a duty on all organisations to report certain types of personal data breach to the Information Commissioner. This must be done within 72 hours of becoming aware of the breach, where this is possible.

The ICO have published the article 72 hours – how to respond to a personal data breach which details the 7 steps to be taken :-

  • Step one: Don’t panic
  • Step two: Start the timer
  • Step three: Find out what’s happened
  • Step four: Try to contain the breach
  • Step five: Assess the risk
  • Step six: If necessary, act to protect those affected
  • Step seven: Submit your report (if needed)

What is a Personal Data Breach ?

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What is Personal Data ?

Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.

The ICO publish the article What is personal information: a guide along with another article What is personal data? which goes into more detail.

What breaches need to be reported to the ICO?

You are legally obliged to notify the ICO of a data breach if it is likely to result in a risk to the rights and freedoms of individuals. Ask yourself: if the data breach is left unaddressed, would it have a significant detrimental effect on individuals ?

For example:

  • result in discrimination;
  • damage to reputation;
  • financial loss; or
  • loss of confidentiality or any other significant economic or social disadvantage.

In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.

You have to assess this on a case-by-case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.

Personal data breaches – ICO

Review and Remediation

Following the incident, a thorough internal review should be conducted to identify the root cause and implement measures to prevent future occurrences. This may include training, implementing additional security measures, improving data handling protocols, or enhancing email verification systems.


The Ministry of Injustice is not the Ministry of Justice nor is it affiliated in any way with the justice system, legal profession, police or any other law enforcement agencies.




You should always seek formal legal advice from a qualified and reputable lawyer (solicitor or barrister).


This article was last updated on the 2nd June 2026

By Dom Watts

Dom Watts founded the Ministry of Injustice in July 2021. Dom is an IT Professional with 30+ years experience in Tier 1 Banking, Government, Defence, Healthcare and Global Blue Chips. Dom has no legal training and is not a lawyer but has previously consulted for a Magic Circle Law Firm. You can find Dom on X or Google.

Dom Watts publishes the Ministry of Injustice as a citizen journalist. The journalism exemption is detailed in the Data protection and journalism code of practice published by the ICO and Section 124 of the Data Protection Act 2018.


Dom is a member of The Free Speech Union


In 2002 Dom Watts was an unlikely consumer champion. The dad of three from Croydon took on the power and might of Kodak – and won...Dom on BBC Working Lunch
