Sending an email containing personal data to the wrong recipient is a personal data breach under the GDPR: the definition in Article 4(12) covers any accidental or unlawful unauthorised disclosure of personal data, and a misdirected email is exactly that. This applies even when the only personal data disclosed is an email address. The potential financial or emotional harm to the people concerned determines how serious the breach is and whether it must be reported, not whether it counts as a breach at all.

Personal data is “any information relating to an identified or identifiable natural person” (Article 4(1)). It includes direct identifiers such as names, phone numbers, postal addresses and online identifiers, as well as factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity.

How Is Confidential Info Sent to the Wrong Email Address?

Misdirected emails usually come from ordinary carelessness rather than malice. Someone sending many emails, or too tired to pay attention to detail, picks the wrong address. People routinely accept the first suggestion that the recipient field’s autofill offers, so a contact with a similar name, or an old personal address of the intended person, can be selected without anyone noticing. A mistyped address is the other common cause, and a typo that happens to match a real domain is delivered rather than bounced.

Generally, once an email is sent, it cannot be retracted. Gmail offers an “Undo Send” option for a short, configurable window (up to 30 seconds) after sending. Outlook offers a recall feature, but recall only works when sender and recipient are on the same organisation’s mail system, usually only if the message has not yet been opened, and it can notify the recipient that a recall was attempted. Neither guarantees that the message was not already read or forwarded, and neither helps once the email has left your organisation.
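Because recall is unreliable, the practical control is a check before the message leaves the outbox. The following is an added example, not code from the original article or from any product it describes: a pre-send recipient check that flags addresses outside an allowlist of domains and addresses whose domain is within a couple of edits of an allowed domain (the “exmaple.com” typo case). The allowlist, the set of known external domains and the sample header are assumptions constructed for illustration; a real deployment would plug the same logic into a mail client add-in or an outbound mail gateway.

```python
"""Pre-send recipient check: flag external and look-alike recipient domains.

Added example, not code from the original article. The allowlist and the
sample recipients below are constructed for illustration.
"""
from email.utils import getaddresses

# Assumption: the organisation's own domains and the partners it routinely mails.
ALLOWED_DOMAINS = {"example.com", "partner.example"}
# Assumption: well-known domains that must not be reported as typos of the above.
KNOWN_DOMAINS = ALLOWED_DOMAINS | {"gmail.com", "outlook.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small value between two domains
    suggests a typo such as exmaple.com for example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_recipients(header_value, allowed=ALLOWED_DOMAINS, known=KNOWN_DOMAINS, max_edits=2):
    """Return [(address, reason)] for every recipient the sender should confirm.

    header_value is the raw To/Cc/Bcc header text, e.g.
    "Alice <alice@example.com>, bob@exmaple.com". An empty list means every
    recipient is on an allowed domain and the message can go out unprompted.
    """
    findings = []
    for _name, addr in getaddresses([header_value]):
        if "@" not in addr:
            findings.append((addr, "malformed address"))
            continue
        domain = addr.rsplit("@", 1)[1].lower()
        if domain in allowed:
            continue
        # Typo detection: close to an allowed domain, but not itself a domain we know.
        closest = min(allowed, key=lambda d: levenshtein(domain, d)) if allowed else None
        if closest and domain not in known and levenshtein(domain, closest) <= max_edits:
            findings.append((addr, f"look-alike of {closest}"))
        else:
            findings.append((addr, f"external domain {domain}"))
    return findings


if __name__ == "__main__":
    # Constructed sample header: one internal recipient, one typo, one external address.
    sample = "Alice <alice@example.com>, bob@exmaple.com, carol@gmail.com"
    for addr, reason in check_recipients(sample):
        print(f"CONFIRM before sending: {addr}: {reason}")
```

The check deliberately reports external recipients as well as typos: an address that is merely external is not an error, but it is the case where an autofill mistake is most costly, so the sender is asked to confirm it. Tune `max_edits` with care; at 3 or more, unrelated short domains start to collide.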

Ensuring Lawful Data Processing & Sharing

Sharing personal data is not itself unlawful: the GDPR requires that each processing activity rest on one of the six lawful bases in Article 6. A misdirected email fails this test not because sharing is forbidden, but because the unintended recipient has no lawful basis to receive the data. The six bases are:

    • Consent: The data subject has given clear, informed consent for that specific purpose. Consent that already covers the purpose does not have to be asked for again, but it can be withdrawn at any time and does not stretch to new purposes.

    • Contract: Processing is necessary to perform a contract with the data subject, or to take steps at their request before entering into one.

    • Vital Interests: Processing is necessary to protect someone’s life, yours or another person’s.

    • Legitimate Interests: The organisation has a genuine business interest, the processing is necessary for it, and that interest is not overridden by the individual’s rights and freedoms; this balance has to be assessed and documented, not assumed.

    • Public Task: Processing is necessary for a task carried out in the public interest or in the exercise of official authority, such as calculating tax or paying state support.

    • Legal Obligation: A law requires the organisation (for example your employer) to process the personal data.


If in doubt, the Information Commissioner’s Office (ICO) publishes a self-assessment tool that helps decide whether an incident is a personal data breach and whether it needs to be reported. Under Article 33, a breach likely to result in a risk to individuals must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, so the clock starts the moment the mistake is noticed.

If a breach has occurred, the employee should report it immediately to the company’s data protection officer or security team rather than trying to fix it quietly. The team should attempt a recall where the mail system supports it, contact the unintended recipient to ask them to delete the email without reading or forwarding it and to confirm that they have done so, record the incident and the actions taken, and assess whether the affected individuals and the supervisory authority need to be notified.

Conclusion

A misdirected email can cause significant damage to your company’s reputation and real harm to the people whose data it contains. The penalties for breaching the GDPR are severe, with fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, and failing to report a notifiable breach is itself a violation. Organisations therefore cannot afford to treat a misdirected email as a minor slip.

About the Author: Janet Low

Janet Low, based in Delray Beach, Florida, is a dynamic marketing leader with expertise spanning the USA and Asia Pacific. Renowned for driving brand growth and championing responsible marketing, Janet is dedicated to mentoring professionals and shaping modern marketing landscapes.

