Email data protection errors that cause personal data breaches


Email is an essential communication tool for organisations. Unfortunately, it is commonly the source of a number of data protection errors which can cause personal data breaches.

Common errors that create risk

Below are some examples of common email errors:

  • Sent to incorrect recipient due to human error.
  • Sent to incorrect recipient because the mail client auto-completed the recipient's email address from the first few characters typed, and the suggestion was accepted without checking.
  • Attaching an incorrect document.
  • Forwarding a chain to an unintended/unauthorised recipient.
  • Sent to multiple recipients using ‘To’ or ‘Cc’ fields* instead of the ‘Bcc’ field **.

*To / Cc – Every recipient can see the addresses of all other recipients listed in these fields.
**Bcc – Lets you send to multiple recipients without revealing the addresses of the others on the recipient list.

In addition, using ‘To’ or ‘Cc’ lets any recipient ‘Reply all’, which creates a further risk that recipients themselves disclose additional personal information to the whole list – a risk that would not exist if the ‘Bcc’ field had been used.

Errors are not always harmless

It is often wrongly assumed that these errors are harmless and that nothing can or should be done about them. However, even where no financial loss is suffered, these errors can leave people concerned or even distressed that their personal information has been disclosed without their consent. That is why it is prudent, when these errors occur, to take the actions recommended below.

Recommendations that avoid risks

  1. If you need to send an email to multiple recipients, the ‘Bcc’ field should be used.
  2. Ensure the appropriate recipient has been selected before sending.
  3. Ensure the appropriate attachment(s) have been selected, and that nothing else is attached, before sending.
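The three recommendations above can be enforced mechanically before a message leaves the organisation. The following script is an added example, not code from the original page: it parses an outgoing message, flags the To/Cc-instead-of-Bcc error when more than one external address is visible, compares the attached files against what the sender intended to attach, and shows how to rewrite the headers so external recipients are moved to Bcc. The organisation domain `ourcorp.example`, the recipient addresses and the attachments are all constructed for the example.

```python
"""Pre-send checks for outgoing mail (added example, not from the original page).

Assumptions (hypothetical): the organisation's own domain is ourcorp.example,
the sender declares which attachments they intend to send, and every address
outside the organisation's domains is treated as external.
"""
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"ourcorp.example"}  # hypothetical organisation domain


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def header_addresses(msg, header):
    """Lower-cased addresses from a recipient header; [] if the header is absent."""
    values = [str(h) for h in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_outgoing(raw_message, internal_domains, expected_attachments):
    """Return a list of (code, detail) findings for the errors described above."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # To/Cc instead of Bcc: more than one external address visible to all recipients.
    visible = header_addresses(msg, "To") + header_addresses(msg, "Cc")
    external = [a for a in visible if domain_of(a) not in internal_domains]
    if len(external) > 1:
        findings.append(("BCC_REQUIRED",
                         f"{len(external)} external recipients can see each other: {external}"))

    # Wrong attachment: compare what is attached with what the sender meant to send.
    attached = {p.get_filename() for p in msg.iter_attachments() if p.get_filename()}
    for name in sorted(attached - set(expected_attachments)):
        findings.append(("UNEXPECTED_ATTACHMENT", name))
    for name in sorted(set(expected_attachments) - attached):
        findings.append(("MISSING_ATTACHMENT", name))
    return findings


def move_external_to_bcc(raw_message, internal_domains):
    """Rewrite To/Cc so that external recipients sit in Bcc and cannot see each other."""
    msg = message_from_string(raw_message, policy=policy.default)
    external = []
    for header in ("To", "Cc"):
        keep = []
        for addr in header_addresses(msg, header):
            (keep if domain_of(addr) in internal_domains else external).append(addr)
        del msg[header]
        if keep:
            msg[header] = ", ".join(keep)
    if "To" not in msg:               # a Bcc-only message is addressed to the sender
        msg["To"] = str(msg["From"])
    if external:
        del msg["Bcc"]
        msg["Bcc"] = ", ".join(external)
    return msg.as_string()


def sample_message():
    """Constructed message that makes both errors: two external addresses in To,
    and a client list attached alongside the intended update."""
    msg = EmailMessage()
    msg["From"] = "comms@ourcorp.example"
    msg["To"] = "alice@client-one.example, bob@client-two.example"
    msg["Cc"] = "carol@ourcorp.example"
    msg["Subject"] = "Monthly update"
    msg.set_content("Please find this month's update attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application", subtype="pdf",
                       filename="update.pdf")
    msg.add_attachment(b"id,name\n1,Dave\n", maintype="application",
                       subtype="octet-stream", filename="client-list.csv")
    return msg.as_string()


if __name__ == "__main__":
    raw = sample_message()
    for code, detail in check_outgoing(raw, INTERNAL_DOMAINS, ["update.pdf"]):
        print(code, detail)
    fixed = move_external_to_bcc(raw, INTERNAL_DOMAINS)
    print(check_outgoing(fixed, INTERNAL_DOMAINS, ["update.pdf", "client-list.csv"]))
```

Run against the constructed message, the check reports `BCC_REQUIRED` (two external recipients in To) and `UNEXPECTED_ATTACHMENT client-list.csv`; after `move_external_to_bcc` the external addresses are in Bcc, the internal Cc is kept, and the recipient finding disappears. The attachment comparison is deliberately strict in both directions, because sending the wrong file and forgetting the right one are both errors the sender should see before pressing send.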

Actions to take

  1. You should send a follow up email to the incorrect/unauthorised recipient(s) that
    • Asks them to delete the email (and any attachment(s)); and
    • Advises them that they do not have the right to use the address(es) (or access any attachments) sent to them; and
    • Asks them to confirm to you that they have deleted the email (and any attachment(s)).
  2. You should send an email to the affected individual(s) (i.e. those whose email address and any attachment(s) have been sent to an incorrect/unauthorised recipient) that:
    • Explains what has happened;
    • Informs them what you have done and will do; and
    • Offers an apology.
  3. If you think the email sent to an incorrect/unauthorised recipient is likely to result in a risk to anyone – however low, medium, high or severe that risk is – you must notify the ICO. Under the GDPR this notification must be made without undue delay and no later than 72 hours after becoming aware of the breach, so the assessment should be made as soon as the error is discovered.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.