Summary
- Sending an email to the wrong recipient is one of the most common UK GDPR breaches identified by the ICO, and where the misdirected email contains personal data that risks the rights and freedoms of the individual (such as home addresses, health information, or settlement agreements), businesses have 72 hours to report the breach to the ICO.
- Businesses should immediately attempt to recall the email or contact the recipient to request deletion without reading, and if successful with confirmation from the recipient, the matter may be considered resolved without requiring ICO notification.
- Breach notifications to the ICO must include the identity of the affected individual, confirmation the breach was accidental, contact details of the data protection officer, likely consequences of the breach, and measures taken to minimise harm, with the ICO considering all circumstances before deciding whether to impose a fine.
- This article is a guide to email data breaches for businesses in the UK, explaining the obligations under the UK GDPR when an email is sent to the wrong recipient and the potential consequences of failing to report or remedy the breach.
- LegalVision is a commercial law firm that specialises in advising clients on data protection, privacy, and information technology law.
Tips for Businesses
Disable or limit email autofill features for external contacts and implement a double-check process before sending emails containing personal or sensitive information. Train staff to recognise when a misdirected email constitutes a reportable data breach and ensure they know to escalate immediately so the 72-hour reporting deadline can be met. Maintain a clear internal data breach response procedure so that recall attempts, recipient contact, and ICO notification (where required) can be actioned promptly and consistently.
Businesses operating in the United Kingdom are subject to strict data protection obligations when sending emails that contain personal information. The UK General Data Protection Regulation (UK GDPR), retained in domestic law following the United Kingdom’s departure from the European Union, sets out the rules governing how personal data must be handled, including when it is transmitted by email. The Information Commissioner’s Office (ICO) is the independent regulatory body responsible for enforcing these rules and has the power to issue significant financial penalties for breaches. Sending an email to the wrong recipient is one of the most common data protection mistakes the ICO identifies, and it can trigger reporting obligations and enforcement action. This article will explore the potential consequences of your business mistakenly sending an email to the wrong person so that your company can take steps to avoid the consequent fines.
Sending Emails to the Wrong Recipient
The ICO website explicitly lists sending emails to the wrong recipient as a common data protection mistake. This is a particularly easy mistake, especially if your email software uses autofill.
For example, suppose you have two contacts named Peter. Upon typing ‘Peter’ into your email software, autofill automatically supplies the rest of the email address for the wrong one.
While you can generally pick up on these errors by double-checking the email address, if you are particularly busy, you might accidentally send the email to the wrong person. If you send an email to the wrong recipient, you should try to recall the email. Some email software systems have a ‘recall’ option that lets you retrieve the email before the recipient opens it. However, message recall only works if the recipient has not opened the email yet.
Furthermore, the ‘recall’ feature does not always work. If this is the case, you should contact the recipient (by phone or email) and ask them to delete the email without reading it. If they confirm they have, and you have no reason to suspect otherwise, you can consider the problem resolved.
What if I Cannot Remedy the Breach?
Suppose your attempts to recall the email or have the recipient confirm deletion have failed. In this case, you have a 72-hour deadline from sending the email to report the data breach to the ICO.
If the email contains personal information about another individual, sending this email to the wrong person means you have revealed their data without consent.
Let us consider two groups of examples below to clarify what types of emails risk rights and freedoms.
Risk to Rights and Freedoms
Examples of emails to an incorrect individual which do not risk the rights and freedoms of the intended recipient include:
- an email to an IT Manager confirming that you have actioned an order for printer toner;
- an email to a receptionist asking them to delay a meeting by 30 minutes; or
- an email containing an audio message of plans for the summer party to a secretary.
In contrast, the following emails might risk the ‘rights and freedoms’ of the individual if sent to the wrong recipient:
- an email intended for the HR Manager detailing an employee’s home address;
- a staff member’s occupational health report sent to a third party; or
- a signed settlement agreement for a departing employee.
Again, if your company believes a personal data breach has occurred and the breach could risk people’s rights and freedoms, it has 72 hours to report it to the ICO.
What Should a Breach Notification Include?
Your business needs to try and summarise all concerns about the relevant breach. In particular, your company should aim to include the following information:
- the identity of the individual affected by the breach;
- confirmation that the breach was accidental and through human error rather than deliberate;
- the contact details of your data protection officer, if your business has one;
- a prediction of the likely consequences of the breach, for example, any risk of identity theft; and
- an outline of the measures you have taken to minimise harm to the affected individual.
When Will the ICO Fine Me?
If the ICO’s investigation leads them to conclude that a severe breach occurred, they will issue appropriate enforcement against your company, potentially including a fine. During their investigation, the ICO will consider the consequences of the breach and whether your organisation could have prevented it. For example, the ICO may determine that your company should have double-checked the recipient before sending the email. They will also determine whether the affected individual has suffered any actual or potential harm as a result of the misdirected email.
If the ICO concludes that the mistaken email was a serious breach of the GDPR, it may issue a fine corresponding to the potential harm to the individual. This fine could be tens of thousands of pounds, so it is essential that your business exercises caution when sending emails.
What Steps Can Your Business Take to Prevent Misdirected Emails?
Prevention is far more effective than dealing with a breach after it occurs. The ICO expects organisations to have technical and organisational measures in place to reduce the risk of human error.
Practical steps your business can take include:
- disabling email autofill for external recipients, or configuring your email software to prompt confirmation before sending to external addresses;
- implementing a delay send feature, which gives staff a short window to cancel an email before it is delivered;
- training staff regularly on data protection obligations and the risks of misdirected emails;
- using secure file-sharing platforms rather than email attachments when sending sensitive personal data; and
- restricting access to sensitive personal data so that only staff who need it can retrieve and send it.
Under the UK GDPR, your business must implement appropriate technical and organisational measures to protect personal data. This obligation applies before a breach occurs, not just in response to one.
The ICO is more likely to take a lenient approach where a business can demonstrate it had strong preventative measures in place and the breach occurred despite those measures. Documenting your data protection practices is therefore essential.
Key Takeaways
As soon as you notice an email has gone to the wrong person, you should attempt to recall the email or have the other person delete it before reading it. If that fails, you should consider the potential harm to the would-be recipient and determine whether your company should report the breach to the ICO. You should issue this report within 72 hours of the data breach. The ICO will consider all the circumstances, including the extent of harm to the individual, before imposing a fine.
If you need help with data protection rules and good data practice, LegalVision provides ongoing legal support for all businesses through our fixed-fee legal membership. Our experienced Data, Privacy and IT lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Does the ICO provide enforcement action short of financial penalties?
Sometimes, yes. If the ICO believes the email sending was accidental and the consequences were minor, they may ask your business to implement measures to avoid this repeating.
Will the ICO be lenient if the breach is accidental rather than deliberate?
To an extent, yes. However, the fact that a breach is accidental is not a complete defence. If the sender could have avoided the mistake through good practice, such as double-checking the recipient’s name before sending sensitive emails, the ICO may still penalise your company.
What immediate steps should businesses take after sending an email to the wrong recipient?
Attempt to recall the email immediately. If unsuccessful, contact the recipient and ask them to delete it unread. Confirm deletion before considering the matter resolved.
How does the ICO determine the size of a fine for misdirected emails?
The ICO considers the breach’s consequences, whether your organisation could have prevented it, and whether the individual suffered actual or potential harm. Serious breaches can result in fines of tens of thousands of pounds.