A £200,000 fine for one email. Could your ‘sent items’ leave you in hot water?

By James Haddleton | 20th May 2019 | 3 min read

Last year, whilst working in-house for a firm, I received an email from HR stating my pay grade and inviting me to apply to attend a course to improve my career progression within the organisation. What a nice idea, you may think. Well, it would have been nice if it had been addressed just to me; alas, it wasn’t. The email included details of all of the people on the same grade and those on the grade above! I was somewhat miffed and explained the GDPR implications to HR. I have been reassured that all involved have now been fully trained and this won’t happen again.

A similar thing happened (with potentially much more serious implications) when the Independent Inquiry into Child Sexual Abuse sent a mass email that identified possible abuse victims. The problem arose after a member of staff emailed 90 people using the “to” field instead of the “bcc” field – allowing recipients to see each other’s addresses. Fifty-two of the email addresses contained full names or had a full name label attached. The Inquiry was fined £200,000 by the ICO.

To avoid unnecessary and unwanted hefty fines, it is essential that employees are given guidance on the dos and don’ts of email etiquette. These types of mistakes are easy to commit, either through a slip of the finger or through forgetting to double-check an email you’re about to send, so it is crucial to invest in the relevant training to make sure your business is protected. Here are a few tips you may want to consider:

- Check email addresses accurately before you press ‘send’. When handling confidential matters or personal data, remember to be particularly wary of auto-fill so that you do not send anything compromising to the wrong recipient without realising it.

- Use ‘bcc’ wherever possible to avoid circulating email addresses to people who do not have a legal justification for receiving them.

- When forwarding an email, read the whole email chain first and delete any personal data or information in the chain that should not be forwarded to the new recipient. (This is good business sense in any event and avoids embarrassing and potentially detrimental email messages being sent outside of the organisation.)

- When attachments include personal data, make sure they are password protected, with the password sent in a separate email or communicated in a different manner such as by text message.

- When a person asks for their email details to be removed from your system, unless you have another legal basis for retaining them, ensure they are deleted from all your records (including databases you no longer use) and that all employees know not to contact that person again.
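Training is the first line of defence, but the ‘to’ versus ‘bcc’ mistake in the Inquiry case is also one that an outbound email check or a review of ‘sent items’ can catch mechanically. The example below is added here and is not part of the original post or of any product it mentions: it parses a message with Python’s standard library, counts the recipients whose addresses (and attached full names) are exposed to every other recipient via the To and Cc fields, and flags the message when that count exceeds a threshold. The sample messages and the threshold of 2 are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a bulk mailing sent with every recipient in "To" and "Cc",
# the mistake described above (addresses and full names visible to all recipients).
SAMPLE_MESSAGE = """\
From: inquiry@example.invalid
To: "Alice Example" <alice@example.invalid>, bob@example.invalid, "Carol Example" <carol@example.invalid>
Cc: dave@example.invalid
Subject: Update for participants

Body text.
"""

# Constructed sample of the same mailing done correctly: the sender addresses
# itself in "To" and puts the recipients in "Bcc", which is not shown to others.
SAFE_MESSAGE = """\
From: inquiry@example.invalid
To: inquiry@example.invalid
Bcc: "Alice Example" <alice@example.invalid>, bob@example.invalid
Subject: Update for participants

Body text.
"""

def visible_recipients(raw_message):
    """Return (address, display_name) pairs exposed to the other recipients.

    To and Cc are delivered to everyone on the message; Bcc is stripped on
    sending and is therefore deliberately not counted here.
    """
    msg = message_from_string(raw_message)
    exposed = []
    for header in ("To", "Cc"):
        for name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                exposed.append((addr.lower(), name))
    return exposed

def audit_disclosure(raw_message, threshold=2):
    """Summarise how many recipients a message reveals to each other and
    whether Bcc should have been used (exposed count above the threshold).
    """
    exposed = visible_recipients(raw_message)
    named = [addr for addr, name in exposed if name.strip()]
    return {
        "exposed_count": len(exposed),
        "named_count": len(named),          # addresses carrying a full-name label
        "should_have_used_bcc": len(exposed) > threshold,
    }

if __name__ == "__main__":
    print(audit_disclosure(SAMPLE_MESSAGE))
    print(audit_disclosure(SAFE_MESSAGE))
```

The same function can be run over a mailbox export of sent items to find past mass mailings that disclosed addresses, which is the kind of evidence a data-breach assessment needs.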

Haddleton Academy offers online GDPR training to help your employees develop a better understanding of data protection and compliance. Our courses are written by lawyers in an accessible format that is easy to use and understand. Find out more at www.haddletonacademy.com

Written by Jill Chamberlain, Senior Commercial Solicitor

Written By:

James Haddleton
James is CEO of Haddletons, as well as a senior lawyer. James worked for 25 years at two major commercial law firms and then as Group Legal Counsel and Company Secretary at an AIM-listed pharmaceutical company. There, he developed a legal team and led projects to reduce risk and improve the quality and efficiency of its contracting, governance and compliance systems.