Legal Analysis

Sent an Email to the Wrong Person ?

In a world which relies so heavily on email, mistakes such as sending an email to the wrong person can and often happen.

Sending an email containing personal information to the wrong person could constitute a data breach according to GDPR. Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.

GDPR applies to any organisation that operates within the UK, as well as international organisations that provide goods and services to the UK.

Misdirected Email

The Information Commissioner’s Office (ICO) have published the article Common data protection mistakes (and how to fix them) and list sending an email to the wrong person as a common mistake.

An email sent to the wrong recipient is also known as a misaddressed email or a misdirected email.

This is easy to do, especially if more than one person in your address book has the same name.

Tools like Autofill predict who you’re emailing when you start typing someone’s name in the ‘To’ field. It’s a quick way to go through your address book. But the few seconds you save by using Autofill could end up costing you a lot more if you send personal data to the wrong person by mistake.

Sending an email to the wrong person

The ICO publish, in my opinion, minimal guidance on what to do to fix this :-

Act quickly. Try to recall the email as soon as possible. If you can’t recall it, contact the person who received it and ask them to delete it. In the future, consider turning off the Autofill tool when sending work emails.

Fix It – Sending an email to the wrong person

In addition to the guidance from the ICO, you should as the sender of the email, immediately contact the Data Protection Officer (DPO) in your organisation so they can assess the data breach and report it to the ICO if necessary.

The ICO has a search page which makes it easy to find organisations and people registered with the Information Commissioner’s Office (ICO) under the Data Protection Act 2018.

Example ICO search results – East Sussex County Council

If you have received an email in error that contains personal information that you suspect may be in breach of GDPR, you may wish to contact the senders DPO as well as the ICO to report the Personal Data Breach (PDB).

What is the 72 Hour Rule ?

Part 3 of the Data Protection Act 2018 introduced a duty on all organisations to report certain types of personal data breach to the Information Commissioner. This must be done within 72 hours of becoming aware of the breach, where this is possible.

The ICO have published the article 72 hours – how to respond to a personal data breach which details the 7 steps to be taken :-

  • Step one: Don’t panic
  • Step two: Start the timer
  • Step three: Find out what’s happened
  • Step four: Try to contain the breach
  • Step five: Assess the risk
  • Step six: If necessary, act to protect those affected
  • Step seven: Submit your report (if needed)

What is a Personal Data Breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

What is Personal Data ?

Personal data is defined within Article 4(1) GDPR 2018 as being “any information relating to an identified or identifiable natural person”.

The ICO publish the article What is personal information: a guide along with another article What is personal data? which goes into more detail.

What breaches need to be reported to the ICO?

You are legally obliged to notify the ICO of a data breach if it is likely to result in a risk to the rights and freedoms of individuals. If the data breach is left unaddressed would the data breach have a significant detrimental effect on individuals ?

For example:

  • result in discrimination;
  • damage to reputation;
  • financial loss; or
  • loss of confidentiality or any other significant economic or social disadvantage.

In more serious cases, for example those involving victims and witnesses, a personal data breach may cause more significant detrimental effects on individuals.

You have to assess this on a case by case basis and you need to be able to justify your decision to report a breach to the Information Commissioner.  

Personal data breaches – ICO

Review and Remediation

Following the incident, a thorough internal review should be conducted to identify the root cause and implement measures to prevent future occurrences. This may include training, implementing additional security measures, improving data handling protocols, or enhancing email verification systems.

Other Articles You May be Interested In

GDPR and Rights of Access (SAR), Privacy and Electronic Communications Regulations (PECR), Counter Disinformation Unit (CDU) and the highly questionable Sussex Family Justice Board.

We recommend you should always seek formal legal advice if required, from a qualified and reputable lawyer (solicitor or barrister).

We have a number of links to Free Legal Resources and Legal Organisations on our Free Legal Advice , Legal Aid and Pro Bono pages.

Read the reviews of Gavin Howe Barrister

“He is awful, underhanded and should not be practising law!”

Latest Articles

All articles can be found in our Sitemap

By Dom Watts

Dom Watts is the founder of the Ministry of Injustice. Dom works in IT and has no legal training and is not a lawyer. You can find Dom on X or Google.

In 2002 Dom Watts was an unlikely consumer champion. The dad of three from Croydon took on the power and might of Kodak – and won………

Dom on BBC Working Lunch

Dom Watts interviewed by Gerald Main BBC Radio Cambridgeshire

Dr Laurence Godfrey (Godfrey v Demon Internet Ltd [1999] EWHC QB 244) wrote: “I am very pleased to read that there appears to have been a remarkable U-turn."

Rule of Law - Open Justice - Policing By Consent

Access To Justice Is A Right Not A Privilege
Equal Justice Under Law