Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Misdirected emails happen to even the most careful teams. One click on the wrong autocomplete suggestion, or accidentally using CC instead of BCC, and you’ve shared personal data with someone who shouldn’t have it.
Don’t panic - but do act quickly. Under UK GDPR and the Data Protection Act 2018, you’re required to take prompt steps to contain the breach, assess the risk, record what happened and, where necessary, notify the ICO and the affected individuals. Getting this right protects people’s data and reduces your regulatory risk.
In this guide, we break down exactly what to do if an email is sent to the wrong person, when it’s reportable, and how to prevent it from happening again - all in plain English for busy SME owners and managers.
What Counts As A Personal Data Breach Under UK GDPR?
Under UK GDPR, a “personal data breach” is a security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A misdirected email containing personal information clearly falls within “unauthorised disclosure”.
Personal data is any information relating to an identified or identifiable person (for example: full name, email address, phone number, customer ID, purchase history, an HR file, CVs, medical or financial details). If your email includes special category data (like health information) or criminal offence data, the stakes are higher because these are more sensitive.
Common scenarios include:
- Using CC instead of BCC for a customer newsletter, exposing everyone’s email addresses.
- Autofill sending an invoice or HR attachment to a supplier or ex-employee with a similar name.
- Reply-all forwarding customer complaints with contact details to multiple unintended recipients.
- Attaching the wrong spreadsheet (e.g. a customer list or payroll extract) to an external email.
All of these are personal data breaches. The key question is whether the breach is likely to result in a risk to people’s rights and freedoms. If so, you’ll need to notify the ICO within 72 hours of becoming aware.
Email Sent To The Wrong Person: Do You Need To Notify?
Not every misdirected email must be reported to the ICO. UK GDPR requires notification “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. In practice, you should quickly assess the real-world risk. Consider:
- Type of personal data: Names and email addresses create some risk; financial details, national insurance numbers, addresses or health data create higher risk.
- Volume of records: A single individual’s contact details are lower risk than 10,000 customers’ data.
- Recipient’s trustworthiness: Was it sent to a professional bound by confidentiality (e.g. a solicitor), a partner under contract, or a random member of the public?
- Containment: Can you recall the email? Will the recipient confirm deletion and agree not to share it?
- Special category data: Health, biometric, religious belief and similar data almost always increase risk.
- Security measures: Was the attachment encrypted or password-protected? Was the password shared separately?
If your assessment suggests a likely risk to individuals (e.g. potential identity fraud, financial loss, discrimination, reputational damage, distress), notify the ICO within 72 hours of awareness. If the risk is high, you’ll also need to tell affected individuals without undue delay.
Also consider the Privacy and Electronic Communications Regulations (PECR). If a marketing message went to unintended recipients without valid consent or PECR’s “soft opt-in”, you may have separate compliance issues even if the data exposure was minimal.
Immediate Steps To Take After A Misdirected Email
Speed matters. The first 24–72 hours are crucial.
1) Contain The Breach
- Issue an immediate recall of the email (use your platform’s recall/expiry features if available).
- Contact the unintended recipient promptly. Ask them to delete the email and any attachments, not to forward or save it, and to confirm in writing once done.
- If an attachment was password-protected, change the password and avoid sharing it again via the same channel.
- If your email platform supports it, revoke access to shared links or invalidate tokens.
2) Preserve Evidence And Start A Breach Record
- Save the sent item, message ID, recipient list, and any delivery or read receipts.
- Log the incident in your breach register with time of discovery, people involved, data types, and steps taken.
- Escalate to your Data Protection Officer (if you have one) or the nominated privacy lead.
3) Assess The Risk
- Identify exactly what personal data was exposed and how many people are affected.
- Determine whether the recipient could realistically misuse the data.
- Decide, with documented reasons, whether notification to the ICO and individuals is required.
4) Decide On Notifications
- If notifiable, prepare your ICO report with the facts, likely consequences, and measures taken or proposed. Submit within 72 hours of awareness where possible.
- If there’s a high risk to individuals, draft clear, plain-English notifications with practical advice (e.g. watch for phishing, consider credit checks if appropriate) and contact details for enquiries.
5) Implement Remedial Actions
- Review and tighten internal processes (e.g. disable reply-all, enforce BCC for bulk mailings).
- Deliver refresher training focused on misdirection risks and email hygiene.
- Consider technical controls like DLP rules, “external recipient” prompts, and delay send.
Having a structured incident procedure ready to go saves time and reduces mistakes. Many SMEs formalise this in a Data Breach Response Plan so the team knows who to notify, which steps to follow, and how to document decisions.
Assessing Risk, ICO Notification And Telling Individuals
Your risk assessment should be pragmatic and well documented. The ICO will expect to see why you did or didn’t notify and how you mitigated harm. Here’s how to approach it.
When To Notify The ICO
Notify the ICO without undue delay (and within 72 hours of becoming aware) if the breach is likely to result in a risk to individuals’ rights and freedoms. Examples that often meet this threshold include:
- Exposure of special category data (e.g. medical information in an HR file) to an unintended recipient.
- Bulk exposure of contact details (e.g. mass CC error) where phishing or harassment is plausible.
- Disclosure of identity documents, financial information, or login credentials.
If you miss the 72-hour window, you must explain the delay in your notification. If you decide not to notify, record your reasons - this record-keeping is a GDPR duty in itself.
When To Tell Individuals
Tell affected individuals “without undue delay” if the breach is likely to result in a high risk to their rights and freedoms. Your message should:
- Explain what happened in simple terms (avoid technical jargon).
- Describe what data is involved and potential consequences.
- Set out what you’ve done to mitigate harm and what they can do next.
- Provide a contact point for questions and complaints.
If you’ve effectively neutralised the risk (e.g. strong encryption and the key wasn’t compromised, or you have credible written confirmation of deletion from a trusted recipient), you may not need to contact individuals - but document why.
What To Include In Your Breach Record
Article 33(5) UK GDPR requires you to document all breaches, whether or not notifiable. Your internal record should cover:
- The facts (dates, times, systems, recipients).
- The data subjects and categories of personal data affected.
- The likely consequences and your risk assessment.
- Actions taken to address the breach and prevent recurrence.
This record will support your position if the ICO asks questions later.
Ongoing Duties: Record-Keeping, SARs And Remediation
Breaches don’t happen in isolation. You’ll often see follow-on obligations and queries.
Subject Access Requests (SARs) And Complaints
Breaches can trigger SARs as individuals check what you hold and how you process it. Make sure you can locate the data quickly, verify identity, and respond within the statutory one-month timeframe (with limited scope to extend in complex cases). Practical guidance on handling requests and deadlines can be found in resources like Subject Access Requests and GDPR Response Deadlines.
Deletion And Data Minimisation
Review whether you’re collecting and retaining more personal data than necessary. Reducing the volume retained reduces the impact of any future breach. If individuals ask you to erase their data, ensure you understand when you must delete and when exemptions apply - this is explained in GDPR Data Deletion.
Policy And Process Improvements
After a breach, regulators expect you to learn and improve. Common actions include:
- Updating your Privacy Policy so it clearly explains your processing, sharing, and contact details.
- Refreshing staff training on email hygiene, BCC usage, and handling personal data.
- Strengthening contracts with suppliers that handle data on your behalf using a robust Data Processing Agreement.
- Testing your incident response end-to-end using tabletop exercises.
Preventing Future Email Breaches In Your Business
Prevention is better than cure. A few practical controls make misdirected emails far less likely - and even if one slips through, they can significantly lower the risk.
People: Training And Culture
- Short, frequent training on common pitfalls (autocomplete, reply-all, wrong attachments, BCC vs CC).
- Clear desk and clear screen habits; pause-and-check before sending sensitive emails.
- Champion a “report early, report often” culture so near-misses are surfaced and fixed.
Process: Checklists And Approvals
- For bulk communications, require a second pair of eyes to verify the recipient list and BCC settings.
- Adopt templates that exclude personal data where possible; share via secure portals for sensitive material.
- Set sensible retention rules so old mailing lists and exports are regularly purged.
Technology: Practical Email Safeguards
- Enable “external recipient” warnings and consider blocking emails to newly added external domains until confirmed.
- Use “delay send” (e.g. 2–5 minutes) so users can cancel if they spot an error.
- Apply Data Loss Prevention (DLP) rules to flag or block emails containing national insurance numbers, bank details or large recipient lists.
- Encrypt sensitive attachments and share passwords through a different channel.
- Use sensitivity labels and automatic BCC enforcement for bulk sends.
- For marketing, consider platforms that handle unsubscribe and list hygiene to reduce PECR risk.
Key Legal Documents To Put In Place
- Privacy Governance: A concise internal policy and a public-facing Privacy Policy that matches your actual practices.
- Incident Playbook: A practical Data Breach Response Plan with roles, timelines, templates and escalation paths.
- Processor Contracts: A controller–processor Data Processing Agreement with required UK GDPR clauses and security commitments.
- Web Compliance: If you rely on cookies or tracking, implement consent mechanisms that meet PECR/UK GDPR - these tips on Cookie Banners can help you align practice with policy.
It can feel like a lot, but small steps add up. Start with higher-impact changes (training, BCC enforcement, delay send), then tackle policies and contracts so your legal foundation matches your tech and processes.
Key Takeaways
- A misdirected email is a personal data breach if it discloses personal data to someone who shouldn’t have it. Treat it seriously, but don’t panic - prompt action is what matters.
- Contain first: recall the message where possible, contact the recipient, and secure deletion. Preserve evidence and open an incident record immediately.
- Assess risk to individuals. If there’s likely risk, notify the ICO within 72 hours; if there’s high risk, inform affected individuals without undue delay.
- Document everything: facts, data types, risk assessment, decisions, notifications, and remediation. You must keep a breach record even if you don’t notify.
- Expect follow-on requests. Be ready to handle SARs within deadlines and consider erasure requests where applicable using a clear, consistent process.
- Prevent recurrence with training, process checks and technology (DLP, delay send, BCC enforcement, encryption). Back this up with a practical Data Breach Response Plan, an accurate Privacy Policy, and strong Data Processing Agreements.
If you’ve had an email go to the wrong person and want tailored advice on your notification decision, incident response or prevention measures, we’re here to help. You can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.


