
Email data protection errors that cause personal data breaches


Email is an essential communication tool for organisations. Unfortunately, it is also one of the most common sources of data protection errors, and those errors frequently amount to personal data breaches: disclosing an email address, or the contents of an attachment, to someone who was not entitled to receive it.

Common errors that create risk

Below are some examples of common email errors:

  • Sent to an incorrect recipient due to human error (a mistyped or mis-selected address).
  • Sent to an incorrect recipient because the mail client auto-completed the address from the first few characters typed, and the suggestion was accepted without checking it.
  • Attaching an incorrect document.
  • Forwarding a chain to an unintended/unauthorised recipient (including the earlier messages, addresses and attachments it contains).
  • Sending to multiple recipients using the ‘To’ or ‘Cc’ fields* instead of the ‘Bcc’ field**.

*Cc – Everyone who receives the email can see the addresses of all other recipients in the ‘To’ and ‘Cc’ fields.
**Bcc – Lets you send to multiple recipients without revealing their addresses to each other: the Bcc addresses are used to deliver the message but are not included in the message the recipients see.

In addition, using ‘To’ or ‘Cc’ allows any recipient to ‘Reply all’, which creates a further risk that recipients themselves disclose additional personal information to the whole list – a risk that does not arise if the ‘Bcc’ field is used, because recipients cannot see who else received the message.

Errors are not always harmless

It is often wrongly assumed that these errors are harmless and that nothing can or should be done about them. However, even where no financial loss is suffered, these errors can leave people concerned or even distressed that their personal information has been disclosed without their knowledge. That is why it is prudent, when these errors occur, to take action as recommended below.

Recommendations that avoid risks

  1. If you need to send an email to multiple recipients who should not see each other’s addresses, put them in the ‘Bcc’ field (with your own address, or a generic mailbox, in ‘To’).
  2. Check that the correct recipient(s) have been selected before sending, paying particular attention to addresses that were auto-completed.
  3. Check that the correct attachment(s) have been selected before sending, and that nothing has been attached that was not intended.
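The three recommendations above can be enforced mechanically before a message leaves the organisation. The following is an added example, not code from the original article or from NormCyber: a pre-send check that flags more than one external address in ‘To’/‘Cc’ (the Bcc rule), compares the recipients and attachments actually on the message against what the sender says they intended (catching auto-completed addresses and wrong or missing attachments), and then builds the delivery envelope the way `smtplib.send_message` does, stripping the ‘Bcc’ header from the message body while keeping the Bcc addresses as delivery recipients. The organisation domain, the addresses and the attachment are all constructed for the example.

```python
"""Pre-send checks for an outgoing message (added example, not NormCyber code)."""
import copy
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption for the example: domains belonging to the sending organisation.
# Colleagues on these domains may see each other's addresses; anyone else
# counts as an external party whose address must not be exposed to others.
OWN_DOMAINS = {"example.org"}

# Words in the body that suggest the sender meant to attach a file.
ATTACH_WORDS = re.compile(r"\battach(ed|ment|ments)\b", re.IGNORECASE)


def addresses(msg, header):
    """Lower-cased addresses from every instance of a header (empty if absent)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_before_send(msg, intended, intended_files=frozenset(), own_domains=OWN_DOMAINS):
    """Return a list of warnings; an empty list means the message passed."""
    warnings = []

    # Recommendation 1: more than one external address in To/Cc exposes every
    # address to every recipient and enables Reply-All to the whole list.
    visible = addresses(msg, "To") + addresses(msg, "Cc")
    external = [a for a in visible if a.rsplit("@", 1)[-1] not in own_domains]
    if len(external) > 1:
        warnings.append(f"{len(external)} external addresses visible in To/Cc; use Bcc")

    # Recommendation 2: every address on the message must be one the sender
    # explicitly intended, so an auto-completed near-match is caught.
    actual = set(visible) | set(addresses(msg, "Bcc"))
    wanted = {a.lower() for a in intended}
    for addr in sorted(actual - wanted):
        warnings.append(f"unexpected recipient {addr} (auto-complete?)")
    for addr in sorted(wanted - actual):
        warnings.append(f"intended recipient {addr} is missing")

    # Recommendation 3: attachments present must match attachments intended,
    # and a body that talks about an attachment must actually carry one.
    files = {p.get_filename() for p in msg.iter_attachments() if p.get_filename()}
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if ATTACH_WORDS.search(body) and not files:
        warnings.append("body mentions an attachment but none is attached")
    for name in sorted(files - set(intended_files)):
        warnings.append(f"unexpected attachment {name!r}")
    for name in sorted(set(intended_files) - files):
        warnings.append(f"intended attachment {name!r} is missing")
    return warnings


def envelope_for_send(msg):
    """Split a message into SMTP envelope recipients and the message to transmit.

    Mirrors what smtplib.send_message does: Bcc addresses receive the message,
    but the Bcc header is removed from the copy that goes over the wire, so no
    recipient can see who else was blind-copied.
    """
    rcpts = addresses(msg, "To") + addresses(msg, "Cc") + addresses(msg, "Bcc")
    wire = copy.copy(msg)
    del wire["Bcc"]
    return rcpts, wire


def example_messages():
    """Two constructed messages: one that breaks the rules and one that follows them."""
    bad = EmailMessage()
    bad["From"] = "dpo@example.org"
    bad["To"] = "alice@one.com, bob@two.com"      # two external parties in To
    bad["Subject"] = "Privacy notice"
    bad.set_content("Please see attached.")       # ...but nothing attached

    good = EmailMessage()
    good["From"] = "dpo@example.org"
    good["To"] = "dpo@example.org"                # only our own address is visible
    good["Bcc"] = "alice@one.com, bob@two.com"    # external parties hidden from each other
    good["Subject"] = "Privacy notice"
    good.set_content("Notice attached.")
    good.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                        filename="notice.pdf")
    return bad, good


if __name__ == "__main__":
    bad, good = example_messages()
    print(check_before_send(bad, intended={"alice@one.com", "bob@two.com"}))
    print(check_before_send(good, intended={"dpo@example.org", "alice@one.com", "bob@two.com"},
                            intended_files={"notice.pdf"}))
    rcpts, wire = envelope_for_send(good)
    print(rcpts, "Bcc" in wire)
```

The `intended` set is the sender’s explicit confirmation of who should receive the message; requiring it forces the check the second recommendation describes rather than trusting whatever the client auto-completed. Run the bad message through the check and it reports both the exposed external addresses and the missing attachment; the good message passes, and its envelope lists all three recipients while the transmitted copy carries no ‘Bcc’ header.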

Actions to take

  1. Send a follow-up email to the incorrect/unauthorised recipient(s) that:
    • Asks them to delete the email (and any attachment(s)); and
    • Advises them that they have no right to use the address(es) (or to access any attachment(s)) sent to them; and
    • Asks them to confirm to you that they have deleted the email (and any attachment(s)).
  2. Send an email to the affected individual(s) (i.e. those whose email address and/or attachment(s) have been sent to an incorrect/unauthorised recipient) that:
    • Explains what has happened;
    • Informs them what you have done and will do; and
    • Offers an apology.
  3. If you think there will be any risk to anyone as a result of an email sent to an incorrect/unauthorised recipient, regardless of its severity (e.g. low/medium/high/severe), you must notify the ICO. Under the UK GDPR this notification is due without undue delay and, where feasible, within 72 hours of becoming aware of the breach, so the assessment and the notification should not wait for the recipient’s confirmation of deletion. Keep a record of the incident and of your risk assessment even where you conclude that notification is not required.
