Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
It happens to the best of us: you hit send, then realise the email went to the wrong person. As a small business, a misdirected email can feel like a minor slip - but under UK law, it can amount to a personal data breach with real legal and reputational consequences.
Don’t panic. With a clear plan and the right policies, you can handle incidents quickly, meet your data protection obligations, and reduce the risk of harm. In this guide, we’ll walk through what UK GDPR requires, when to notify the ICO, practical containment steps, and how to set up your business so you’re protected from day one.
What Counts As A Personal Data Breach When An Email Is Sent To The Wrong Person?
Under the UK GDPR (and the Data Protection Act 2018), a personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Sending an email to the wrong recipient is a classic example because it’s an unauthorised disclosure.
It doesn’t matter whether the recipient actually read the email - the fact that it was accessible to someone who wasn’t meant to receive it can be enough to trigger breach assessment obligations. The key question is whether the incident risks the rights and freedoms of the affected individual(s).
Risk is context-specific. Ask yourself:
- What personal data was in the email or attachments (names, addresses, financial details, health information, ID numbers)?
- Is any of it special category data (e.g. health, biometric, racial or ethnic origin)? This raises the risk level.
- How many people are affected (a single customer vs a list of hundreds)?
- Who received it (a trusted professional subject to confidentiality, or a member of the public)?
- Was the data protected (encrypted attachments, password protection shared separately)?
- How quickly can you contain it (can the recipient delete it before opening, confirm destruction, or return the email)?
If the email contains only your own internal commentary and no personal data, it may still raise confidentiality or employment issues, but it’s less likely to be a UK GDPR breach. However, many day-to-day emails do contain personal data (customer names, addresses, order details, CVs), so perform a quick and thorough assessment every time.
Immediate Steps To Take If An Email Is Sent To The Wrong Person
Speed and documentation matter. A calm, structured response shows you take privacy seriously and often mitigates harm.
1) Contain The Breach
- Recall the email if your platform offers it (e.g. Microsoft 365) - but don’t rely on recall as your only mitigation.
- Immediately email or call the unintended recipient, explain that the message was sent in error, and ask them not to read, copy, forward, or save it.
- Request written confirmation that they’ve deleted the email and any attachments from their inbox and trash. If feasible, ask for screenshots confirming deletion.
- If attachments were password-protected and the password has not been shared, keep it that way. If already shared, change the password.
- Where recipients are other organisations, ask their data protection lead to confirm deletion and non-use in writing.
2) Verify What Was Disclosed
- Identify exactly which personal data was included and whether any special category data is involved.
- Confirm the number of data subjects and whether they are vulnerable individuals (e.g. children).
- Check whether the email thread contains earlier replies/forwards or inline content with additional personal data.
3) Assess Risk And Decide On Notifications
- Document the risk assessment: what data, who received it, mitigation steps, and your reasoning around risk to rights and freedoms.
- Determine whether the breach is notifiable to the ICO and whether you must inform affected individuals (more on this below).
4) Record It In Your Breach Log
UK GDPR requires organisations to keep an internal record of all personal data breaches, even if you decide not to notify. Your record should include facts, effects, and remedial actions taken. Keeping a consistent log is much easier if you adopt a simple Data Breach Response Plan and a standard incident report template.
5) Follow Up Internally
- Notify your data protection lead or senior manager promptly.
- Consider whether to retrain staff or adjust processes (e.g. disabling auto-complete, adding a second check for sensitive emails, using secure portals).
- Review whether any contractual obligations require you to notify partners as part of your Data Processing Agreement.
Do You Need To Notify The ICO Or The Individuals?
Not every misdirected email requires notification. The test is whether the breach is likely to result in a risk (for ICO notification) or a high risk (for individual notification) to the rights and freedoms of the individuals affected.
Notifying The ICO (Within 72 Hours)
If your assessment concludes the breach is likely to result in a risk to people’s rights and freedoms, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If you miss the 72-hour window, you need to explain the delay.
In practice, a single misdirected email might be notifiable if it contains sensitive details (e.g. medical information, bank details, national insurance numbers), affects multiple individuals, or went to an unknown or untrusted recipient. If the email was encrypted, the password wasn’t shared, and the recipient confirmed deletion, risk may be low - but you still need a reasoned and documented decision.
Informing Affected Individuals (Without Undue Delay)
If the breach is likely to result in a high risk to individuals, you must also inform them without undue delay. Your notice should be clear and in plain English, telling people:
- What happened and when
- What data was involved
- What you’ve done to contain it
- What they can do to protect themselves (e.g. vigilance for phishing, change passwords if relevant)
- How to contact you about the incident
It’s good practice to align your response with your privacy complaint procedure so that if a customer complains or submits a data protection request, your team follows a consistent process.
If You Decide Not To Notify
If the risk is minimal and you have strong mitigation (e.g. the recipient is a regulated professional who confirmed deletion; the data was anonymised; or the attachment was encrypted and inaccessible), you may decide not to notify the ICO or the individuals. That’s acceptable - but record your decision and rationale in your breach log.
If the misdirected email triggers any subject access requests from affected individuals, handle those within the standard timeframes.
Employment, Contracts And Policies: Prevent And Respond Internally
Most misdirected emails are human error. This is where training, policies and practical controls make all the difference. The UK GDPR requires “appropriate technical and organisational measures” - that includes how you train your staff and the policies you operate.
Policies To Have In Place
- Privacy Policy that explains how you handle personal data and people’s rights;
- Clear Workplace Policy guidance on email etiquette, handling personal data, and incident reporting;
- Security policies covering strong passwords, MFA, encryption for attachments, and rules for sending sensitive data;
- An incident management process and a documented Data Breach Response Plan that staff can follow;
- Guidance for remote work and BYOD devices (e.g. using company email apps with remote wipe enabled);
- Internal reporting steps that make it safe and easy to escalate mistakes quickly (so you can contain issues early).
Training And Culture
Regular, role-based training is essential. Focus on practical habits that reduce error, like:
- Double-checking recipients; turning off auto-complete; using distribution lists carefully;
- Marking confidential threads; sending sensitive data via secure portals rather than email;
- Using delayed send features (e.g. a 2-minute delay) so you can cancel in time;
- Protecting attachments with passwords communicated via a different channel;
- Recognising and reporting incidents immediately - the earlier you act, the lower the risk.
If a misdirected email exposes business information (pricing, strategy, contracts) rather than personal data, it may still amount to a breach of confidentiality. Having robust processes for managing confidentiality breaches at work will help you respond consistently.
Contracts With Suppliers And Processors
If third parties process personal data on your behalf (cloud tools, CRM systems, outsourced support), UK GDPR requires a written contract with specific clauses. A solid Data Processing Agreement should require processors to assist you with breach notifications and promptly inform you of any incidents. Review your vendor DPAs to confirm they’ll cooperate quickly if a misdirected email originates in their system or affects their users.
Technical And Organisational Measures To Prevent Misdirected Emails
Prevention is better than cure. A few small controls significantly reduce the chance - and impact - of sending an email to the wrong person.
Practical Email Safeguards
- Delayed Send: Configure a short delay on outgoing emails to allow last-second cancellation.
- External Recipient Warnings: Use banners that flag emails to new or external recipients.
- Attachment Guardrails: Prompt users to confirm before sending attachments, especially spreadsheets or PDFs with personal data.
- Domain Similarity Alerts: Warn users if they email lookalike domains (e.g. mybiz.co vs mybiz.com).
- Disable Auto-Complete Or Restrict It: Limit predictive suggestions; require manual checks for sensitive messages.
- DLP (Data Loss Prevention) Rules: Automatically detect and block emails containing patterns like NI numbers or bank details unless approved.
- Encryption: Encrypt sensitive emails and require passwords for attachments, shared via a separate channel.
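Several of the safeguards above (external recipient warnings, domain similarity alerts, DLP pattern rules, and the CC-instead-of-BCC slip described under Scenario 4) can be enforced as a pre-send check. The Python below is an added illustration, not code from the original article or from any mail vendor; the National Insurance and bank-detail patterns are deliberately simplified approximations, the trusted domains and the draft are constructed, and the lookalike threshold of two edits is an assumption.

```python
import re

# Simplified UK National Insurance number: two letters, six digits, suffix A-D,
# optional spaces. Real prefix rules are stricter; approximation for illustration.
NI_PATTERN = re.compile(
    r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.IGNORECASE
)
# Simplified UK bank details: 6-digit sort code followed by an 8-digit account number.
SORT_ACCT_PATTERN = re.compile(r"\b\d{2}-?\d{2}-?\d{2}\s+\d{8}\b")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (mybiz.co vs mybiz.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def presend_checks(to, cc, body, own_domain, trusted_domains, cc_limit=10):
    """Return warnings for a draft; an empty list means all checks passed."""
    warnings = []
    known_domains = set(trusted_domains) | {own_domain}
    for addr in [*to, *cc]:
        dom = domain_of(addr)
        if dom not in known_domains:
            warnings.append(f"external recipient: {addr}")
        for known in known_domains:
            # Assumed threshold: within two edits of a known domain counts as a lookalike.
            if dom != known and edit_distance(dom, known) <= 2:
                warnings.append(f"lookalike domain: {dom} resembles {known}")
    if len(cc) >= cc_limit:
        warnings.append(f"{len(cc)} addresses visible in CC; use BCC for bulk sends")
    if NI_PATTERN.search(body):
        warnings.append("body appears to contain a National Insurance number")
    if SORT_ACCT_PATTERN.search(body):
        warnings.append("body appears to contain a sort code and account number")
    return warnings


if __name__ == "__main__":
    # Constructed draft: a typo'd recipient domain and an NI number in the body.
    for w in presend_checks(["payroll@mybiz.co"], [], "Ref: AB 12 34 56 C",
                            "mybiz.com", {"partner.co.uk"}):
        print("WARNING:", w)
```

In a real deployment the warnings would be surfaced by the mail client or a DLP gateway; the check is a prompt to pause and confirm, not a substitute for encryption or a secure portal.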
Process Improvements
- Use Secure Portals: For invoices, HR files, or health data, consider secure portals rather than email.
- Template Warnings: Add template prompts reminding staff to check recipients before sending sensitive content.
- Two-Person Checks: For bulk sends to customers or staff, require a second person to review the recipient list.
- Least Data Principle: Only include what’s necessary. If an attachment can be redacted or summarised, do so.
- Retention And Deletion: Reduce what’s in mailboxes by applying sensible retention policies and regular data deletion cycles.
These measures support your legal obligation to implement “appropriate” safeguards and will also demonstrate to the ICO that you take data protection seriously if an incident occurs.
Common Scenarios And How To Handle Them
Scenario 1: Single Customer Email With Order Details Sent To Another Customer
Risk factors: Low to moderate, depending on sensitivity. Names, addresses and order details are personal data, but not usually special category data.
Actions: Immediate containment (request deletion), document the breach, assess risk. If contained promptly with deletion confirmed, ICO notification may not be required. Consider notifying the affected customer if you judge any risk of harm or confusion. Review process to avoid similar errors (e.g. delayed send, turn off auto-complete).
Scenario 2: HR Email Containing Health Information Sent To A Supplier Contact
Risk factors: High - special category data (health). Unknown recipient context increases risk.
Actions: Urgent containment and written deletion confirmation. Record and conduct a thorough risk assessment. Likely notify the ICO within 72 hours and inform the affected individual without undue delay, explaining steps taken and support available. Review HR processes for sharing health data (use secure portal, encrypt attachments).
Scenario 3: Investor Update With Attached Cap Table Sent To The Wrong Group
Risk factors: Moderate to high - potential exposure of personal data (names, emails, shareholdings). Reputational impact and confidentiality issues.
Actions: Contain, confirm deletion, and assess risk. Depending on scope and the recipients, ICO notification may be appropriate. Consider contractual and confidentiality implications. Strengthen approval processes for bulk mailings (second reviewer; DLP rules for spreadsheets).
Scenario 4: Marketing Mail Merge To The Wrong Segment
Risk factors: Varies. If the content includes personalised details or exposes emails to other recipients (e.g. using CC instead of BCC), risk rises significantly.
Actions: Stop the send, contain where possible, and document. If personal emails were revealed to other recipients, assess the risk and consider notifying affected individuals and the ICO depending on scale. Review email platform settings and staff training for list management, and ensure your lawful basis and opt-out processes align with your Terms of Use and email practices.
How To Communicate With Affected People (And What To Avoid)
Clarity and empathy go a long way. If you decide to notify individuals, keep it concise and useful.
- Use plain English - avoid jargon.
- Be transparent about what happened and when.
- Explain what data was affected and practical steps they can take (e.g. caution around suspicious emails).
- Give a direct contact for questions or complaints, consistent with your privacy complaint procedure.
- Avoid blaming language or speculation; stick to facts you’ve verified.
If the incident escalates into a complaint or claim, respond calmly, follow your process, and consider legal advice. Where a person requests copies of their data or an explanation, treat it as a potential subject access request.
Set Your Legal Foundations Now (So You’re Protected Next Time)
The best time to prepare for a misdirected email is before it happens. A few simple legal and operational building blocks make your response faster and reduce the chance of harm:
- Publish and maintain an up-to-date Privacy Policy that reflects your actual practices.
- Adopt a clear Data Breach Response Plan and train staff on it regularly.
- Use strong vendor contracts with a robust Data Processing Agreement so processors must assist with incidents.
- Roll out practical, human-proof controls (delayed send, DLP, encryption, secure portals, second checks for bulk mailings).
- Embed expectations in your Workplace Policy and refresh training at least annually.
- Keep inboxes lean with sensible retention and routine data deletion practices.
If this sounds like a lot to juggle, don’t worry - once these foundations are in place, you’ll be able to act quickly and confidently if someone in your team ever sends an email to the wrong person.
Key Takeaways
- Sending an email to the wrong person is often a personal data breach under UK GDPR because it’s an unauthorised disclosure of personal data.
- Act fast: contain the breach, get deletion confirmations, document what happened, and assess the risk to individuals’ rights and freedoms.
- Notify the ICO within 72 hours if the breach is likely to pose a risk, and inform individuals without undue delay if the risk is high - always record your reasoning either way.
- Strong policies, training and contracts are essential: have a clear Privacy Policy, a practical Data Breach Response Plan, and a robust Data Processing Agreement with processors.
- Technical and organisational measures - delayed send, DLP, encryption, secure portals, and second-person checks - dramatically reduce both the likelihood and impact of misdirected emails.
- Build a culture of prompt reporting and steady response; treat related requests like subject access requests or complaints through your established processes.
If you’d like tailored help responding to an incident or setting up your policies and contracts so you’re protected from day one, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.