In a world which relies so heavily on email, mistakes such as sending an email to the wrong person can and often happen.
Sending an email containing personal information to the wrong person could constitute a data breach according to GDPR. Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.
GDPR applies to any organisation that operates within the UK, as well as international organisations that provide goods and services to the UK.
You may be interested in the article Can you Email a Judge ?
Misdirected Email
The Information Commissioner’s Office (ICO) have published the article Common data protection mistakes (and how to fix them) and list sending an email to the wrong person as a common mistake.
An email sent to the wrong recipient is also known as a misaddressed email or a misdirected email.
This is easy to do, especially if more than one person in your address book has the same name.
Tools like Autofill predict who you’re emailing when you start typing someone’s name in the ‘To’ field. It’s a quick way to go through your address book. But the few seconds you save by using Autofill could end up costing you a lot more if you send personal data to the wrong person by mistake.
Sending an email to the wrong person
The ICO publish, in my opinion, minimal guidance on what to do to fix this :-
Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails.
Fix It – Sending an email to the wrong person
In addition to the guidance from the ICO, you should as the sender of the email, immediately contact the Data Protection Officer (DPO) in your organisation so they can assess the data breach and report it to the ICO if necessary.
The ICO has a search page which makes it easy to find organisations and people registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018.

If you have received an email in error that contains personal information that you suspect may be in breach of GDPR, you may wish to contact the senders DPO as well as the ICO to report the Personal Data Breach (PDB).
What is the 72 Hour Rule ?
Part 3 of the Data Protection Act 2018 introduced a duty on all organisations to report certain types of personal data breach to the Information Commissioner. This must be done within 72 hours of becoming aware of the breach, where this is possible.
The ICO have published the article 72 hours – how to respond to a personal data breach which details the 7 steps to be taken :-
- Step one: Don’t panic
- Step two: Start the timer
- Step three: Find out what’s happened
- Step four: Try to contain the breach
- Step five: Assess the risk
- Step six: If necessary, act to protect those affected
- Step seven: Submit your report (if needed)
What is a Personal Data Breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
What is Personal Data ?
Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.
The ICO publish the article What is personal information: a guide along with another article What is personal data? which goes into more detail.
What breaches need to be reported to the ICO?
You are legally obliged to notify the ICO of a data breach if it is likely to result in a risk to the rights and freedoms of individuals. If the data breach is left unaddressed would the data breach have a significant detrimental effect on individuals ?
For example:
- result in discrimination;
- damage to reputation;
- financial loss; or
- loss of confidentiality or any other significant economic or social disadvantage.
In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.
You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.
Personal data breaches – ICO
Review and Remediation
Following the incident, a thorough internal review should be conducted to identify the root cause and implement measures to prevent future occurrences. This may include training, implementing additional security measures, improving data handling protocols, or enhancing email verification systems.






The Ministry of Injustice is not the Ministry of Justice nor is it affiliated in any way with the justice system, legal profession or any law enforcement agencies.
Most Popular ↓




What is Policing by Consent ? What is Two Tier Policing ?
Latest Articles ↓
- National Stalking Awareness Week – Sussex PoliceThis week (April 25-29) is National Stalking Awareness Week – an annual campaign developed by the Suzy Lamplugh Trust to raise awareness about the severity of stalking… Read more: National Stalking Awareness Week – Sussex Police
- New Crime Recording Rules for UK Frontline Police Officers and StaffThe UK Home Office has released an updated version of the Crime Recording Rules for Frontline Officers and Staff, effective April 26th 2025. This 47-page… Read more: New Crime Recording Rules for UK Frontline Police Officers and Staff
- Upper Tribunal Judge Sarah PinderImmigration and Asylum Judge Sarah Pinder has come under scrutiny for her contributions to Free Movement, a website widely regarded as advocating for open borders,… Read more: Upper Tribunal Judge Sarah Pinder
- Counter Disinformation Data Platform (CDDP)In a move that has sparked alarm among civil liberties advocates, the Labour government in the United Kingdom is reportedly advancing plans to deploy artificial… Read more: Counter Disinformation Data Platform (CDDP)
All Articles can be found in the Legal Blog or Sitemap.
You should always seek formal legal advice from a qualified and reputable lawyer (solicitor or barrister).
‘Justice delayed is justice denied’
William Ewart Gladstone
There are a number of links to Free and Paid For Legal Resources and Legal Organisations on the Free Legal Advice , Legal Aid and Pro Bono pages.
Sent an Email to the Wrong Person ? was last updated on the 29th April 2025