In a world which relies so heavily on email, mistakes such as sending an email to the wrong person can and often happen.
Sending an email containing personal information to the wrong person could constitute a data breach according to GDPR. Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.
GDPR applies to any organisation that operates within the UK, as well as international organisations that provide goods and services to the UK.
Misdirected Email
The Information Commissioner’s Office (ICO) have published the article Common data protection mistakes (and how to fix them) and list sending an email to the wrong person as a common mistake.
An email sent to the wrong recipient is also known as a misaddressed email or a misdirected email.
This is easy to do, especially if more than one person in your address book has the same name.
Tools like Autofill predict who you’re emailing when you start typing someone’s name in the ‘To’ field. It’s a quick way to go through your address book. But the few seconds you save by using Autofill could end up costing you a lot more if you send personal data to the wrong person by mistake.
Sending an email to the wrong person
The ICO publish, in my opinion, minimal guidance on what to do to fix this :-
Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails.
Fix It – Sending an email to the wrong person
In addition to the guidance from the ICO, you should as the sender of the email, immediately contact the Data Protection Officer (DPO) in your organisation so they can assess the data breach and report it to the ICO if necessary.
The ICO has a search page which makes it easy to find organisations and people registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018.
If you have received an email in error that contains personal information that you suspect may be in breach of GDPR, you may wish to contact the senders DPO as well as the ICO to report the Personal Data Breach (PDB).
What is the 72 Hour Rule ?
Part 3 of the Data Protection Act 2018 introduced a duty on all organisations to report certain types of personal data breach to the Information Commissioner. This must be done within 72 hours of becoming aware of the breach, where this is possible.
The ICO have published the article 72 hours – how to respond to a personal data breach which details the 7 steps to be taken :-
- Step one: Don’t panic
- Step two: Start the timer
- Step three: Find out what’s happened
- Step four: Try to contain the breach
- Step five: Assess the risk
- Step six: If necessary, act to protect those affected
- Step seven: Submit your report (if needed)
What is a Personal Data Breach
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.
What is Personal Data ?
Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.
The ICO publish the article What is personal information: a guide along with another article What is personal data? which goes into more detail.
What breaches need to be reported to the ICO?
You are legally obliged to notify the ICO of a data breach if it is likely to result in a risk to the rights and freedoms of individuals. If the data breach is left unaddressed would the data breach have a significant detrimental effect on individuals ?
For example:
- result in discrimination;
- damage to reputation;
- financial loss; or
- loss of confidentiality or any other significant economic or social disadvantage.
In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.
You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.
Personal data breaches – ICO
Review and Remediation
Following the incident, a thorough internal review should be conducted to identify the root cause and implement measures to prevent future occurrences. This may include training, implementing additional security measures, improving data handling protocols, or enhancing email verification systems.
Other Articles You May be Interested In
GDPR and Rights of Access (SAR), Privacy and Electronic Communications Regulations (PECR), Counter Disinformation Unit (CDU) and the highly questionable Sussex Family Justice Board.
We recommend you should always seek formal legal advice if required, from a qualified and reputable lawyer (solicitor or barrister).
We have a number of links to Free Legal Resources and Legal Organisations on our Free Legal Advice , Legal Aid and Pro Bono pages.
Read our review of Gavin Howe Barrister
Latest Articles
- Senior President of Tribunals
The Senior President of Tribunals is the independent and statutory leader of the tribunal judiciary. The office of the Senior… Read more: Senior President of Tribunals - Solicitor General
The Solicitor General is the second law officer of the Crown in the United Kingdom, after the Attorney General. The… Read more: Solicitor General - R v Sussex Justices
“It is not merely of some importance but is of fundamental importance that justice should not only be done, but… Read more: R v Sussex Justices - What is Section 35 ABCP Act 2014 ?
Section 35 of the Anti-Social Behaviour, Crime and Policing Act 2014 grants police officers the power to direct a person… Read more: What is Section 35 ABCP Act 2014 ?
