A £200,000 fine for one email. Could your ‘sent items’ leave you in hot water?

Last year, whilst working in-house for a firm, I received an email from HR stating my pay grade and inviting me to apply to attend a course to improve my career progression within the organisation. What a nice idea, you may think. Well, it would have been nice if it had been addressed just to me; alas, it wasn’t. The email included details of all of the people on the same grade and those on the grade above! I was somewhat miffed and explained the GDPR implications to HR. I have been reassured that all involved have now been fully trained and this won’t happen again.

A similar thing happened (with potentially much more serious implications) when the Independent Inquiry into Child Sexual Abuse sent a mass email that identified possible abuse victims. The problem arose after a member of staff emailed 90 people using the “to” field instead of the “bcc” field – allowing recipients to see each other’s addresses. Fifty-two of the email addresses contained full names or had a full name label attached. The Inquiry was fined £200,000 by the ICO.

To avoid unnecessary and unwanted hefty fines, it is essential that employees are given guidance on the dos and don’ts of email etiquette. These types of mistakes are easy to commit, whether through a slip of the finger or by forgetting to double-check an email you’re about to send, so it is crucial to invest in the relevant training to make sure your business is protected. Here are a few tips you may want to consider:

- Check email addresses accurately before you press ‘send’. When handling confidential matters or personal data, remember to be particularly wary of auto-fill so that you do not send anything compromising to the wrong recipient without realising it.

- Use ‘bcc’ wherever possible to avoid circulating email addresses to people who do not have a legal justification for receiving them.

- When forwarding an email, read the whole email chain first and delete any personal data or information in the chain that should not be forwarded to the new recipient. (This is good business sense in any event and avoids embarrassing and potentially detrimental email messages being sent outside of the organisation.)

- When attachments include personal data, make sure they are password protected, with the password sent in a separate email or communicated in a different manner such as by text message.

- When a person asks for their email details to be removed from your system, unless you have another legal basis for retaining them, ensure they are deleted from all your records (including databases you no longer use) and that all employees know not to contact that person again.
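The ‘to’ versus ‘bcc’ mistake in the Inquiry case can be caught by a pre-send check as well as by training. The following is an added illustration, not code from this article or from Haddleton Academy: it shows the flawed way of building a mass email (every address in ‘To’), the safe way (recipients carried only in the SMTP envelope, never in a header), and a check that flags the flawed message. The threshold and the example.invalid addresses are assumptions.

```python
from email.message import EmailMessage
from email.utils import getaddresses

MAX_VISIBLE = 5  # hypothetical policy threshold; tune to your organisation


def visible_recipients(msg):
    """Addresses that every recipient will be able to see: To and Cc."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr for _, addr in pairs if addr]


def check_outgoing(msg, max_visible=MAX_VISIBLE):
    """Return policy findings for a message that is about to be sent."""
    findings = []
    if msg.get_all("Bcc"):
        # A Bcc header left in the message is sent to everyone by some clients.
        findings.append("Bcc header present: strip it before sending")
    count = len(visible_recipients(msg))
    if count > max_visible:
        findings.append(f"{count} visible recipients in To/Cc: use Bcc for bulk mail")
    return findings


def build_visible_message(sender, subject, body, recipients):
    """The mistake from the article: every recipient listed in 'To'."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, subject, body, recipients):
    """Safe mass mailing: returns (message, envelope_recipients).

    Only the sender appears in 'To'; the real recipients are handed to
    smtplib as to_addrs (the SMTP envelope) and never written into a header,
    so no recipient can see any other.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # 'undisclosed recipients' pattern
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)
```

Send the safe message with `smtplib.SMTP.send_message(msg, to_addrs=envelope_recipients)`; the envelope list is what delivers the mail, while the headers reveal nothing.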

Haddleton Academy offers online GDPR training to help your employees develop a better understanding of data protection and compliance. Our courses are written by lawyers in an accessible format that is easy to use and understand. Find out more at www.haddletonacademy.com

Written by Jill Chamberlain, Senior Commercial Solicitor