Categories
Legal Analysis

Sent an Email to the Wrong Person ?

In a world which relies so heavily on email, mistakes such as sending an email to the wrong person can and often happen.

Sending an email containing personal information to the wrong person could constitute a data breach according to GDPR. Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.

GDPR applies to any organisation that operates within the UK, as well as international organisations that provide goods and services to the UK.

You may be interested in the article Can you Email a Judge ?

Misdirected Email

The Information Commissioner’s Office (ICO) have published the article Common data protection mistakes (and how to fix them) and list sending an email to the wrong person as a common mistake.

An email sent to the wrong recipient is also known as a misaddressed email or a misdirected email.

This is easy to do, especially if more than one person in your address book has the same name.

Tools like Autofill predict who you’re emailing when you start typing someone’s name in the ‘To’ field. It’s a quick way to go through your address book. But the few seconds you save by using Autofill could end up costing you a lot more if you send personal data to the wrong person by mistake.

Sending an email to the wrong person

The ICO publish, in my opinion, minimal guidance on what to do to fix this :-

Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails.

Fix It – Sending an email to the wrong person

In addition to the guidance from the ICO, you should as the sender of the email, immediately contact the Data Protection Officer (DPO) in your organisation so they can assess the data breach and report it to the ICO if necessary.

The ICO has a search page which makes it easy to find organisations and people registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018.

Example ICO search results – East Sussex County Council

If you have received an email in error that contains personal information that you suspect may be in breach of GDPR, you may wish to contact the senders DPO as well as the ICO to report the Personal Data Breach (PDB).

What is the 72 Hour Rule ?

Part 3 of the Data Protection Act 2018 introduced a duty on all organisations to report certain types of personal data breach to the Information Commissioner. This must be done within 72 hours of becoming aware of the breach, where this is possible.

The ICO have published the article 72 hours – how to respond to a personal data breach which details the 7 steps to be taken :-

  • Step one: Don’t panic
  • Step two: Start the timer
  • Step three: Find out what’s happened
  • Step four: Try to contain the breach
  • Step five: Assess the risk
  • Step six: If necessary, act to protect those affected
  • Step seven: Submit your report (if needed)

What is a Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What is Personal Data ?

Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.

The ICO publish the article What is personal information: a guide along with another article What is personal data? which goes into more detail.

What breaches need to be reported to the ICO?

You are legally obliged to notify the ICO of a data breach if it is likely to result in a risk to the rights and freedoms of individuals. If the data breach is left unaddressed would the data breach have a significant detrimental effect on individuals ?

For example:

  • result in discrimination;
  • damage to reputation;
  • financial loss; or
  • loss of confidentiality or any other significant economic or social disadvantage.

In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.

You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.  

Personal data breaches – ICO

Review and Remediation

Following the incident, a thorough internal review should be conducted to identify the root cause and implement measures to prevent future occurrences. This may include training, implementing additional security measures, improving data handling protocols, or enhancing email verification systems.

The Ministry of Injustice is not the Ministry of Justice nor is it affiliated in any way with the justice system, legal profession or any law enforcement agencies.


Most Popular

What is Policing by Consent ? What is Two Tier Policing ?

Latest Articles

All Articles can be found in the Legal Blog or Sitemap.


You should always seek formal legal advice from a qualified and reputable lawyer (solicitor or barrister).

‘Justice delayed is justice denied’

 William Ewart Gladstone

There are a number of links to Free and Paid For Legal Resources and Legal Organisations on the Free Legal Advice , Legal Aid and Pro Bono pages.

Sent an Email to the Wrong Person ? was last updated on the 29th April 2025

By Dom Watts

Dom Watts founded the Ministry of Injustice in July 2021. Dom is an IT Professional with 30+ years experience in Tier 1 Banking, Government, Defence, Healthcare and Global Blue Chips. Dom has no legal training and is not a lawyer but has previously consulted for a Magic Circle Law Firm. You can find Dom on X or Google.

Dom Watts publishes the Ministry of Injustice as a citizen journalist. The journalism exemption is detailed in the Data protection and journalism code of practice published by the ICO and Section 124 of the Data Protection Act 2018.

Section 2 of the Defamation Act 2013 sets out the defence of truth. Section 3 of the Defamation Act 2013 sets out the defence of honest opinion. Section 4 of the Defamation Act 2013 sets out the defence of public interest. Section 8 of the Defamation Act 2013 sets out the single publication rule.

Section 4a of The Limitation Act 1980 defines the time limit for actions for defamation or malicious falsehood as one year from the date on which the cause of action accrued.

Article 10 of the Human Rights Act 1998 gives the right to freedom of expression.

"Free speech encompasses the right to offend, and indeed to abuse another." Para 43 Scottow v CPS [2020] EWHC 3421 (Admin)

R v O’Neill [2016] EWCA Crim 92, [2016]

In 2002 Dom Watts was an unlikely consumer champion. The dad of three from Croydon took on the power and might of Kodak – and won………

Dom on BBC Working Lunch

Equal Justice Under Law
Access To Justice Is A Right Not A Privilege
Rule of Law - Open Justice - Policing By Consent

Ministry of Injustice - Server Monitor