Your business likely sends many emails to business partners, clients, and suppliers daily. When sending emails, it is vital that you direct them to the correct person and that your business exercises good email and data protection practices to avoid financial repercussions. The General Data Protection Regulation (GDPR) covers rules regarding sending emails in England. The Information Commissioner’s Office (ICO) can fine companies that send emails in a way that breaches GDPR rules. Therefore, it is essential to ensure that emails are accurate, sent for a lawful purpose and sent to the correct recipient. This article will explore the potential consequences of your business mistakenly sending an email to the wrong person so that your company can take steps to avoid the consequent fines.
Sending Emails to the Wrong Recipient
The ICO website explicitly lists sending emails to the wrong recipient as a common data protection mistake. It is a particularly easy mistake to make, especially if your email software uses autofill.
For example, suppose you have two contacts named Peter. Upon typing ‘Peter’ into your email software, auto-fill automatically supplies the rest of the email address for the wrong one.
While you can generally catch these errors by double-checking the email address, if you are particularly busy, you might accidentally send the email to the wrong person. If you do, you should try to recall the email. Some email software systems have a ‘recall’ option that withdraws the message from the recipient’s mailbox so they do not open it. However, message recall only works if the recipient has not opened the email yet.
Furthermore, the ‘recall’ feature does not always work. If this is the case, you should contact the recipient (by phone or email) and ask them to delete the email without reading it. If they confirm they have done so, and you have no reason to suspect otherwise, you can consider the problem resolved.
What if I Cannot Remedy the Breach?
Suppose your attempts to recall the email or have the recipient confirm deletion have failed. In this case, you have a 72-hour deadline from sending the email to report the data breach to the ICO.
If the email contains personal information about another individual, sending this email to the wrong person means you have revealed their data without consent.
Let us consider two groups of examples below to clarify what types of emails risk rights and freedoms.
Risk to Rights and Freedoms
Examples of emails to an incorrect individual which do not risk the rights and freedoms of the intended recipient include:
- an email to an IT Manager confirming that you have actioned an order for printer toner;
- an email to a receptionist asking them to delay a meeting by 30 minutes; or
- an email containing an audio message of plans for the summer party to a secretary.
In contrast, the following emails might risk the ‘rights and freedoms’ of the individual if sent to the wrong recipient:
- an email intended for the HR Manager detailing an employee’s home address;
- a staff member’s occupational health report sent to a third party; or
- a signed settlement agreement for a departing employee.
Again, if your company believes a personal data breach has occurred and the breach could risk people’s rights and freedoms, it has 72 hours to report it to the ICO.
What Should a Breach Notification Include?
Your business needs to summarise all concerns about the relevant breach. In particular, your company should aim to include the following information:
- the identity of the individual affected by the breach;
- confirmation that the breach was accidental and through human error rather than deliberate;
- the contact details of your data protection officer, if your business has one;
- a prediction of the likely consequences of the breach, for example, any risk of identity theft; and
- an outline of all measures you have taken, or will take, to minimise harm to the affected individual.
When Will the ICO Fine Me?
If the ICO’s investigation leads it to conclude that a severe breach occurred, it will take appropriate enforcement action against your company, potentially including a fine. During its investigation, the ICO will consider the consequences of the breach and whether your organisation could have prevented it. For example, the ICO may determine that your company should have double-checked the recipient before sending the email. It will also determine whether the affected individual has suffered any actual or potential harm as a result of the misdirected email.
If the ICO concludes that the mistaken email was a serious breach of the GDPR, it may issue a fine corresponding to the potential harm to the individual. This fine could be tens of thousands of pounds, so it is essential that your business exercises caution when sending emails.
Key Takeaways
As soon as you notice an email has gone to the wrong person, you should attempt to recall the email or have the recipient delete it before reading it. If that fails, you should consider the potential harm to the individual whose data was disclosed and determine whether your company should report the breach to the ICO. You should issue this report within 72 hours of the data breach. The ICO will consider all the circumstances, including the extent of harm to the individual, before imposing a fine.
If you need help with data protection rules and good data practice, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Sometimes, yes. If the ICO believes the email was sent accidentally and the consequences were minor, it may instead ask your business to implement measures to prevent a repeat.
To an extent, yes. However, the fact that a breach is accidental is not a complete defence. If the sender could have avoided the mistake through good practice, such as double-checking the recipient’s name before sending sensitive emails, the ICO may still penalise your company.