
Reporting Obligations When Sending Emails to the Wrong Recipient in England


Your business likely sends many emails to business partners, clients, and suppliers daily. When sending emails, it is vital that you direct them to the correct person and that your business exercises good email and data protection practices to avoid financial repercussions. The General Data Protection Regulation (GDPR) covers rules regarding sending emails in England. The Information Commissioner’s Office (ICO) can fine companies that send emails in a way that breaches GDPR rules. Therefore, it is essential to ensure that emails are accurate, sent for a lawful purpose and sent to the correct recipient. This article will explore the potential consequences of your business mistakenly sending an email to the wrong person so that your company can take steps to avoid the consequent fines.

Sending Emails to the Wrong Recipient

The ICO website explicitly lists sending emails to the wrong recipient as a common data protection mistake. It is a particularly easy mistake to make, especially if your email software uses autofill.

For example, suppose you have two contacts named Peter. Upon typing ‘Peter’ into your email software, auto-fill automatically supplies the rest of the email address for the wrong one.

While you can generally pick up on these errors by double-checking the email address, if you are particularly busy, you might accidentally send the email to the wrong person. If you send an email to the wrong recipient, you should try to recall the email. Some email software systems have a ‘recall’ option, allowing your computer to reclaim the email, so the recipient does not open it. However, message recall only works if the recipient has not opened the email yet. 

Furthermore, the ‘recall’ feature does not always work. If this is the case, you should contact the recipient (by phone or email) and ask them to delete the email without reading it. If they confirm they have, and you have no reason to suspect otherwise, you can consider the problem resolved.

What if I Cannot Remedy the Breach?

Suppose your attempts to recall the email or have the recipient confirm deletion have failed. In this case, you have a 72-hour deadline from sending the email to report the data breach to the ICO.

Your organisation will need to notify the ICO where both of the following statements apply:

  1. a ‘personal data breach’ has occurred; and
  2. that breach could likely result in a ‘risk to people’s rights and freedoms’.

If the email contains personal information about another individual, sending this email to the wrong person means you have revealed their data without consent.  

Let us consider two groups of examples below to clarify what types of emails risk rights and freedoms. 


Risk to Rights and Freedoms

Examples of emails to an incorrect individual which do not risk the rights and freedoms of the intended recipient include:

  • an email to an IT Manager confirming that you have actioned an order for printer toner;
  • an email to a receptionist asking them to delay a meeting by 30 minutes; or
  • an email containing an audio message of plans for the summer party to a secretary.

In contrast, the following emails might risk the ‘rights and freedoms’ of the individual if sent to the wrong recipient:

  • an email intended for the HR Manager detailing an employee’s home address;
  • a staff member’s occupational health report sent to a third party; or
  • a signed settlement agreement for a departing employee. 

Again, if your company believes a personal data breach has occurred and the breach could risk people’s rights and freedoms, it has 72 hours to report it to the ICO.

If your organisation notifies the ICO after 72 hours, it should provide clear reasons for the delay. You must have a good reason, as missing the deadline breaches the GDPR and risks an ICO fine.

What Should a Breach Notification Include?

Your business needs to try and summarise all concerns about the relevant breach. In particular, your company should aim to include the following information:

  • the identity of the individual affected by the breach;
  • confirmation that the breach was accidental and through human error rather than deliberate; 
  • the contact details of your data protection officer, if your business has one;
  • a prediction of the likely consequences of the breach, for example, any risk of identity theft; and
  • an outline of all measures you take to minimise harm to the affected individual.  

When Will the ICO Fine Me?

If the ICO’s investigation leads them to conclude that a severe breach occurred, they will issue appropriate enforcement against your company, potentially including a fine. During their investigation, the ICO will consider the consequences of the breach and whether your organisation could have prevented it. For example, the ICO may determine that your company should have double-checked the recipient before sending the email. They will also determine whether the affected individual has suffered any actual or potential harm as a result of the misdirected email.

If the ICO concludes that the mistaken email was a serious breach of the GDPR, it may issue a fine corresponding to the potential harm to the individual. This fine could be tens of thousands of pounds, so it is essential that your business exercises caution when sending emails.

Key Takeaways

As soon as you notice an email has gone to the wrong person, you should attempt to recall the email or have the other person delete it before reading it. If that fails, you should consider the potential harm to the would-be recipient and determine whether your company should report the breach to the ICO. You should issue this report within 72 hours of the data breach. The ICO will consider all the circumstances, including the extent of harm to the individual, before imposing a fine.

If you need help with data protection rules and good data practice, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Does the ICO provide enforcement action short of financial penalties?

Sometimes, yes. If the ICO believes the email was sent accidentally and the consequences were minor, they may instead ask your business to implement measures to prevent a recurrence.

Will the ICO be lenient if the breach is accidental rather than deliberate?

To an extent, yes. However, the fact that a breach is accidental is not a complete defence. If the sender could have avoided the mistake through good practice, such as double-checking the recipient’s name before sending sensitive emails, the ICO may still penalise your company.

Thomas Sutherland
