Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
You’re moving fast, juggling customers, suppliers, your team, and admin - and then it happens: you’ve accidentally sent an email to the wrong person.
Sometimes it’s harmless (an invoice goes to the wrong “James”). Other times it’s a real issue (you’ve accidentally shared staff data, customer contact details, medical info, pricing, or commercially sensitive files).
For small businesses, an email mistake can feel personal and stressful. But legally, it can also become a data protection incident and/or a confidentiality breach.
Don’t panic. What matters most is what you do next. In this guide, we’ll walk you through the practical steps to take if you’ve sent an email to the wrong person, how GDPR applies, and how to reduce the chances of it happening again.
Why Sending An Email To The Wrong Person Can Be A Legal Problem For Your Business
If you’ve sent an email to the wrong person, there are usually two overlapping risks:
- Data protection risk (UK GDPR and the Data Protection Act 2018) - if the email includes personal data.
- Confidentiality / commercial risk - if the email includes confidential business information, trade secrets, pricing, contracts, or other sensitive information.
These risks aren’t just “big corporate” problems. In practice, many small business email incidents involve:
- Customer details (names, emails, addresses, order history)
- Invoices or payment details
- Staff HR emails (disciplinary, performance, pay, sickness)
- Spreadsheets with multiple customers’ info
- Supplier agreements, pricing, margin details
- Internal discussions accidentally forwarded externally
If personal data is involved, the key question becomes: is this a “personal data breach” under UK GDPR? If yes, you need to treat it as a compliance issue, not just an admin mistake.
Does GDPR Apply If You Sent An Email To The Wrong Person?
Often, yes.
Under the UK GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Note that the definition doesn’t require an attacker or bad intent. If you sent an email to the wrong person and it contains personal data (information about an identifiable individual), that is an unauthorised disclosure, and it falls squarely within the definition.
Examples Where GDPR Is Likely To Apply
- You emailed a customer list to the wrong external contact.
- You sent an invoice showing a customer’s address and purchase details to another customer.
- You sent an employee’s HR email (sickness info, performance notes, pay changes) to the wrong staff member.
- You attached the wrong document with names, emails, dates of birth, NI numbers, or bank details.
Examples Where GDPR Might Not Apply (But You Still Have A Problem)
- The email contains no personal data (e.g. a general product brochure, or non-sensitive company info).
- The email only includes truly anonymous information (no one is identifiable).
- The email went to someone within your business who was authorised and genuinely needed the information for their role (it may still be worth recording, but it may not be a “breach”).
If you’re unsure whether something counts as “personal data”, treat it seriously first and then assess it properly. It’s generally safer to investigate and document an incident than to assume it doesn’t matter.
Also note: if the email includes special category data (like health information), the risk level increases quickly. This is one reason it’s important to have strong internal rules on workplace data handling and a clear Acceptable Use Policy that covers email and device use.
What To Do Immediately After You’ve Sent An Email To The Wrong Person (A Practical Checklist)
When you’ve sent an email to the wrong person, speed matters - but so does being methodical. Here’s a practical “first 60 minutes” checklist you can use.
1) Confirm Exactly What Was Sent (And To Whom)
Before you do anything else, get the facts straight:
- Which email address received it (internal vs external, individual vs group)?
- What data was in the email body?
- What attachments were included (and what’s inside them)?
- Is the recipient likely to open it quickly?
- Can you technically recall or delete it? Built-in “recall” features in mail clients only work in limited cases (typically for unread messages that are still within your own organisation’s mail system). Once the email has reached an external mailbox you cannot pull it back, so don’t treat recall as containment.
A common mistake is assuming it was “just a small error”, only to later realise the attachment contained far more than intended.
2) Try To Contain The Disclosure
Containment is about reducing any further sharing or use.
- If it’s internal, contact your IT/admin team immediately to restrict access where possible.
- If it’s external, email the recipient straight away asking them to delete the email and attachments without opening or saving them.
- If you have a phone number, call as well - it’s often faster than email.
Keep your message short, polite, and clear. You don’t need to provide unnecessary details, but you should be honest about what you need them to do. Send the request as a fresh email rather than a reply that quotes the original message or re-attaches the file, and don’t copy in extra people: your containment message must not repeat the disclosure.
3) Ask For Confirmation In Writing
If the recipient confirms deletion, ask them to confirm (by reply email) that they have:
- Deleted the email
- Deleted any attachments
- Not saved, copied, forwarded, or shared the content
This won’t “undo” the breach on its own, but it’s very helpful evidence of containment and responsible action.
4) Escalate Internally (Don’t Keep It Quiet)
Email incidents often get worse when they’re hidden.
Escalate to whoever handles privacy/compliance in your business (even if that’s you as the founder). If you have a Data Protection Officer (DPO) or an external consultant, notify them early.
This is also where your internal policies matter. If you don’t already have a written process, it’s worth putting one in place as part of your wider GDPR package approach.
5) Start A Simple Incident Log
You should document what happened and what you did in response. Even for small businesses, a basic log helps you show accountability.
Include:
- Date/time it occurred
- Who sent the email
- Who received it
- What data was involved
- Containment steps taken
- Whether the data was deleted/confirmed
- Your assessment of the risk
This becomes important if you later need to notify the ICO, inform an individual, manage a complaint, or show that you acted responsibly.
Do You Need To Report It To The ICO Or Tell The Affected Person?
This is the big question most businesses ask after an email goes to the wrong recipient.
Under UK GDPR, the rules are:
- Notify the ICO unless the breach is unlikely to result in a risk to people’s rights and freedoms. You must do this without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if you notify later than that, you need to explain the delay.
- Notify the affected individual(s) without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Record every personal data breach in your internal log (the facts, its effects and what you did about it), even where you decide that notification isn’t needed. The ICO can ask to see that record.
How Do You Assess “Risk” In Real Life?
In practical terms, assess:
- Type of data: is it basic contact data, or special category data (health), or financial data?
- Volume: one person’s details vs a spreadsheet of 2,000 customers?
- Recipient: trusted supplier who confirms deletion vs unknown member of the public?
- Potential harm: could the person suffer identity fraud, financial loss, embarrassment, discrimination, or other harm?
- Ease of identification: does the email clearly identify individuals?
As a rough guide:
- If it’s an internal mis-send and access was restricted quickly, the risk may be low (though it still depends on what was shared and who received it).
- If it’s external and includes financial/health/HR data, the risk may be medium to high.
- If it’s a large dataset (like a customer list), treat it as potentially serious even if it seems “low sensitivity”.
What About Confidential Business Information (Not Personal Data)?
Even if the email doesn’t include personal data, you may still have contractual and commercial exposure. For example:
- A supplier contract might include confidentiality obligations.
- A client agreement might require you to notify them of any confidentiality breach.
- An employee may have misused information, triggering disciplinary steps.
This is where good contracting helps. Many businesses build confidentiality protection into their customer/supplier contracts and also into internal documentation such as an Employment Contract (often supported by workplace confidentiality rules in a staff handbook).
If you’re dealing with a sensitive commercial leak (pricing, strategy, or a deal), you might also consider sending a formal Private And Confidential style message to the unintended recipient requiring deletion and non-use.
How To Manage Confidentiality And Employment Issues After An Email Mistake
Sometimes the “wrong recipient” problem isn’t a customer - it’s an internal issue, like a team member accidentally sending sensitive files to the wrong client, or a manager emailing an employee’s HR information to another staff member.
In those cases, you need to manage:
- Privacy compliance (personal data breach handling)
- Employment process (investigation, training, potential disciplinary action)
- Culture and trust (how you communicate the issue internally)
Should You Treat It As Misconduct?
Not every mistake is misconduct. But you should consider:
- Was it an honest error or reckless behaviour?
- Were policies and training in place?
- Has the person made similar mistakes before?
- Was sensitive data involved (HR, health, financial, client lists)?
If you do need to take action, follow a fair process. For serious breaches, employers often consider whether the conduct could amount to gross misconduct, but that will depend heavily on context and proportionality.
Run A Proper Investigation (Even If It’s Quick)
If an employee sent an email to the wrong person, it’s good practice to:
- Hold a short fact-finding meeting
- Confirm what was sent and why it happened
- Check whether there were system issues (autocomplete problems, shared inboxes, unclear file naming)
- Confirm whether the employee understood your policies
The goal isn’t to blame - it’s to prevent repeat incidents and to show you manage privacy risks responsibly.
Communicate Carefully With Clients And Customers
If the email mistake involves customer data, you might need to contact the affected customer(s).
Keep your message:
- Clear (what happened, what data was involved)
- Action-focused (what you’ve done to contain it, what they should do if needed)
- Reassuring (you’re taking it seriously and improving controls)
Avoid over-sharing internal details or speculating. If you need a formal framework for how you handle personal data and complaints, your customer-facing Privacy Policy should align with what you actually do in practice.
How To Reduce The Risk Of Sending An Email To The Wrong Person Again
No system can guarantee this will never happen again. But you can reduce the likelihood and impact significantly with a few practical steps.
1) Tighten Your Internal Policies (And Make Them Usable)
Policies should reflect how your business actually operates. For example:
- Rules on using BCC rather than CC for group emails (with CC, every recipient sees every other recipient’s address, which is itself a disclosure of personal data when the recipients are customers or members of the public)
- Clear rules on when attachments can be used vs secure links
- Approval steps for sending bulk emails or sensitive HR/customer files
- Guidance on verifying recipients (especially where names are similar, or where an external address differs from a known contact by only a character or two)
It also helps to set expectations about monitoring and acceptable use of business systems, particularly if personal devices are used for work. Many businesses cover this in an acceptable use and BYOD approach so everyone understands the boundaries.
2) Build A “Two-Step Check” Habit For High-Risk Emails
For emails containing sensitive information, implement a rule like:
- Double-check recipients before sending
- Double-check attachments match the email
- Where possible, have a second person review before sending (especially for bulk sends)
This adds 30 seconds, but it can save days of stress later.
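Some of the checks above (visible external recipients that belong in BCC, a recipient that is almost but not quite a known contact, HR or financial content heading outside the business) can be partly automated so the “second look” happens even on a busy day. The following is an added example, not code from the original article or from Sprintlaw. It assumes a hypothetical `Draft` structure, a hypothetical internal domain `example.co.uk`, a hypothetical BCC threshold of five, and constructed sample data; in practice you would hook something like this into a mail client add-in or a gateway rule.

```python
"""Pre-send check for outbound email drafts.

Added example, not code from Sprintlaw or the original article. It assumes a
hypothetical Draft structure, a hypothetical internal domain "example.co.uk",
and constructed sample data.
"""
import difflib
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.co.uk"}   # assumption: your own mail domain(s)
BULK_THRESHOLD = 5                     # assumption: more visible external recipients than this belong in Bcc

# Crude indicators that text carries personal or financial data.
# UK National Insurance number: two letters, six digits, suffix A-D.
NI_NUMBER = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b")
SORT_CODE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")
SENSITIVE_WORDS = ("sickness", "disciplinary", "salary", "date of birth", "diagnosis")


@dataclass
class Draft:
    to: list
    cc: list = field(default_factory=list)
    bcc: list = field(default_factory=list)
    body: str = ""
    attachments: dict = field(default_factory=dict)  # filename -> extracted text


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def is_external(addr):
    return domain_of(addr) not in INTERNAL_DOMAINS


def sensitive_hits(text):
    """Return the reasons this text looks like it contains personal data."""
    hits = []
    if NI_NUMBER.search(text):
        hits.append("NI number")
    if SORT_CODE.search(text):
        hits.append("sort code")
    lowered = text.lower()
    hits.extend(w for w in SENSITIVE_WORDS if w in lowered)
    return hits


def lookalike(addr, address_book):
    """Return a known contact that closely resembles addr but is not it, else None."""
    known = [a.lower() for a in address_book]
    if addr.lower() in known:
        return None
    match = difflib.get_close_matches(addr.lower(), known, n=1, cutoff=0.85)
    return match[0] if match else None


def check_draft(draft, address_book):
    """Return (code, message) warnings; an empty list means no red flags."""
    warnings = []
    visible = draft.to + draft.cc
    external = [a for a in visible + draft.bcc if is_external(a)]

    # 1) Many external addresses in To/Cc: every recipient sees all the others,
    #    which is itself a disclosure of personal data. They belong in Bcc.
    visible_external = [a for a in visible if is_external(a)]
    if len(visible_external) > BULK_THRESHOLD:
        warnings.append(("CC_EXPOSES_RECIPIENTS",
                         f"{len(visible_external)} external addresses visible in To/Cc; use Bcc"))

    # 2) A recipient that is almost, but not quite, a known contact: the
    #    autocomplete/typo trap (the wrong "James", or .co instead of .co.uk).
    for addr in visible + draft.bcc:
        near = lookalike(addr, address_book)
        if near:
            warnings.append(("LOOKALIKE_RECIPIENT", f"{addr} resembles known contact {near}"))

    # 3) Content that looks like HR/financial/personal data leaving the business.
    texts = [draft.body] + list(draft.attachments.values())
    hits = sorted({h for t in texts for h in sensitive_hits(t)})
    if hits and external:
        warnings.append(("SENSITIVE_TO_EXTERNAL",
                         f"possible personal data ({', '.join(hits)}) addressed to {', '.join(external)}"))
    return warnings


# Constructed sample: an HR attachment with an NI number, addressed to an
# external address one character away from a real supplier contact.
ADDRESS_BOOK = ["james.smith@supplier-example.com", "hr@example.co.uk"]
SAMPLE = Draft(
    to=["james.smith@suppler-example.com"],
    body="Please see attached sickness record.",
    attachments={"record.csv": "name,ni\nA Person,AB123456C\n"},
)

if __name__ == "__main__":
    for code, msg in check_draft(SAMPLE, ADDRESS_BOOK):
        print(code, "-", msg)
```

Run against the constructed sample, the check flags both the lookalike address and the sensitive attachment going external; a purely internal draft produces no warnings. The patterns are deliberately simple, and a real deployment would tune the word list and threshold to your own business and treat the output as a prompt for the human second check rather than a block.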
3) Use Safer Ways To Share Files
Attachments are a common cause of high-impact mistakes because they can include far more information than intended.
Consider:
- Using password-protected files for sensitive information, with the password sent by a different channel (a phone call or text message), never in the same email or a follow-up to it
- Sharing secure links with limited access instead of attachments
- Restricting forwarding and download options where possible
- Segmenting spreadsheets so you only send the minimum data needed
From a GDPR perspective, “data minimisation” matters - only share what’s needed for the specific purpose.
4) Train Your Team (Especially New Starters)
Training doesn’t have to be complicated. A short onboarding session covering:
- What counts as personal data
- Examples of sensitive/confidential information in your business
- Your internal process if someone sends an email to the wrong person
- Common traps (autocomplete, reply-all, forwarding chains)
…can dramatically reduce incidents.
5) Have A Data Breach Response Plan Ready
When something goes wrong, it’s much easier if you already have a plan that says:
- Who gets notified internally
- How to assess whether ICO notification is needed
- How to contact affected customers/staff
- How to document the incident
That’s the difference between “scrambling” and “responding”.
Key Takeaways
- If you’ve sent an email to the wrong person, treat it as a potential data incident first, then assess it calmly and methodically.
- UK GDPR can apply where the email includes personal data, and accidental disclosure may count as a personal data breach.
- Your immediate priorities are containment (stop further sharing), evidence (get deletion confirmation), and documentation (log what happened and what you did).
- You may need to notify the ICO within 72 hours if the breach is likely to risk people’s rights and freedoms, and you may need to inform individuals if the risk is high.
- Even where GDPR doesn’t apply, sending an email to the wrong person can still breach confidentiality obligations in contracts and create commercial risk.
- Prevention is practical: tighten policies, train your team, reduce attachment use, and keep a clear breach response plan ready to go.
If you’d like help tightening your data protection processes, updating your Privacy Policy, or putting the right workplace policies and contracts in place, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.