Sending an email containing personal information, including sharing an email address itself, to the incorrect recipient is considered a data breach under GDPR, because of the potential financial and emotional harm.
Personal data is “any information relating to an identified or identifiable natural person”. It includes identifiers such as phone numbers, addresses, or online identities, as well as information unique to physical, physiological, genetic, mental, economic, cultural, or social characteristics.
How Is Confidential Info Sent to the Wrong Email Address?
When a person needs to send several emails or is too exhausted to pay attention to detail, they might end up sending emails to the incorrect address. It’s not uncommon for people to rely on the autofill function of the recipient field. If the email address isn’t double-checked, it could lead to a misdirected email. A recipient’s email address can also be mistyped.
Generally, once an email is sent, it cannot be retracted. However, some email providers like Gmail offer an option to undo a send for a few seconds (between 10 and 30 seconds) after the message goes out. Outlook provides an option to recall an email, but a recall does not guarantee that the email has not already been read, and it usually works only for recipients within your own organization.
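Because undo and recall are unreliable once the message has left the mailbox, the cheaper control is a check before sending that catches the two mistakes described above: autofill picking a plausible but wrong address, and a mistyped address. The following is an added example, not code from the original article or from any email provider; the contact list, the approved domains, and the helper names (check_recipient, safe_to_send) are constructed for illustration.

```python
# Added example (not from the original article): a pre-send recipient check
# that flags likely misdirected emails before they are sent. All contacts and
# domains below are constructed sample data, not real addresses.
import difflib
import re

# Constructed sample data: people the sender normally writes to, and the
# domains (e.g. the sender's own organisation) that are approved outright.
KNOWN_CONTACTS = {
    "alice.smith@example.com",
    "bob.jones@example.com",
    "carol@example.org",
}
APPROVED_DOMAINS = {"example.com", "example.org"}

# Deliberately simple syntax check: one "@", no whitespace, a dotted domain.
_ADDRESS_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def split_address(address):
    """Return (local_part, domain) in lower case, or None if malformed."""
    address = address.strip().lower()
    if not _ADDRESS_RE.match(address):
        return None
    local, domain = address.rsplit("@", 1)
    return local, domain


def check_recipient(address, known_contacts=KNOWN_CONTACTS,
                    approved_domains=APPROVED_DOMAINS):
    """Classify one recipient as 'ok', 'warn' or 'block', with a reason.

    block: not even syntactically an email address
    ok:    an exact known contact, or a new person at an approved domain
    warn:  a near-miss of a known contact or approved domain (likely typo),
           or an address the sender has never written to (double-check it)
    """
    parts = split_address(address)
    if parts is None:
        return "block", "malformed address"
    local, domain = parts
    if f"{local}@{domain}" in known_contacts:
        return "ok", "known contact"

    if domain in approved_domains:
        # Right organisation, but maybe a typo in the name: compare the local
        # part against known contacts at that domain (ratio >= 0.8 is "close").
        peers = [c.split("@", 1)[0] for c in known_contacts
                 if c.endswith("@" + domain)]
        near = difflib.get_close_matches(local, peers, n=1, cutoff=0.8)
        if near:
            return "warn", f"possible typo, did you mean {near[0]}@{domain}?"
        return "ok", "new recipient at approved domain"

    # Unknown domain: is it a one-or-two-character slip of an approved one?
    near = difflib.get_close_matches(domain, approved_domains, n=1, cutoff=0.8)
    if near:
        return "warn", f"domain looks like a typo of {near[0]}"
    return "warn", "recipient never written to before; double-check"


def safe_to_send(recipients, **kwargs):
    """True only if every recipient is classified 'ok'."""
    return all(check_recipient(r, **kwargs)[0] == "ok" for r in recipients)


if __name__ == "__main__":
    for r in ["alice.smith@example.com", "alice.smiht@example.com",
              "bob.jones@exmaple.com", "outsider@unrelated-domain.test",
              "not-an-address"]:
        print(r, check_recipient(r))
```

A "warn" result is meant to interrupt the send and make the sender confirm the address, which is exactly the double-check the autofill habit skips; "block" rejects addresses that could never be delivered anyway. The known-contact and approved-domain lists would in practice come from the address book and the organisation's own domains.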
Ensuring Lawful Data Processing & Sharing
There are exceptions where data processing and sharing are lawful and GDPR compliant. These include the following:
- Consent: If you’ve already provided legitimate consent, then it doesn’t have to be asked for again.
- Contract: If you’ve signed a contract with a body, it can contain clauses that allow the body to use your personal data in the stipulated ways.
- Vital Interests: Your personal data can be used in cases where it concerns your or someone else’s life.
- Legitimate Interests: Bodies can use your personal data for legitimate business interests that are considered reasonable and low risk.
- Public Tasks: Bodies can use your personal data for processes such as calculating tax or paying state support.
- Legal Obligation: There are certain laws that require a body (e.g. your employer) to process your personal data.
If in doubt, the Information Commissioner’s Office has an assessment tool that can provide guidance on whether a breach has occurred.
If a breach has occurred, employees should inform their company’s data security experts. An attempt must be made to recall the email. Where recall is not possible, the incorrect recipient must be contacted and asked to delete the email.
Conclusion
An email breach can cause significant damage to your company’s reputation and to the safety of the person whose data was disclosed. In addition, the penalties for breaching the GDPR are drastic. Therefore, organizations cannot afford to ignore such breaches.