
What to do if personal data has been sent to wrong recipient? 2/30/23

From time to time we hear about data protection breaches involving personal data emailed to the wrong recipient. The question is, what do you do if this has happened?

Steps to take if personal data has been sent to the wrong recipient

Before you take any action, it’s important to determine whether the data breach poses a high risk to the individual’s rights and freedoms. The General Data Protection Regulation states that personal data which is, by its nature, particularly sensitive in relation to fundamental rights and freedoms merits specific protection, because the context of processing it may pose significant risks to those rights and freedoms. Special categories of data include, for instance, information on a person’s health. If the breach poses a high risk, you should take the following steps:

  • Contact the persons who received the data and ask them to delete it and not to forward it.
  • Contact the data subject and explain the breach or organise public notification.
  • The data protection authority must be notified immediately but no later than 72 hours after the breach became known to the controller. If a delay occurs, the reason must be stated.
  • Prepare your internal documentation for the data breach. [1]

The controller is not required to notify the data subject about a data protection breach where adequate security measures have been taken, including data encryption or other measures preventing unauthorised access. [2]

If the data breach has done no harm and is unlikely to pose any risk to the individual’s rights and freedoms, you should take the following steps:

  • Contact the persons who received the data and ask them to delete it and not to forward it.
  • Prepare your internal documentation for the data breach.

When contacting the person whose data has been sent to the wrong addressee and the person who received it, you should follow the principle of transparency. This means that all the information that is addressed to the data recipient, company or data subject should be concise, readily accessible and easy to understand. Moreover, the language should be clear and plain.

How to avoid data protection breaches?

To prevent data protection breaches, it’s advisable to set up requirements for data protection:

  • Draw up standards for sending letters and email messages.
  • Train your staff on how to send letters and email messages.
  • Prepare training courses and manuals on how to handle cases that cause a personal data protection breach and who should be notified.
  • Raise awareness of common mistakes that may cause data protection breaches.
  • Disable the autocomplete feature when entering email addresses.
  • Take other suitable measures that can help protect personal data and prevent breaches. [3]
____________________
[1] The National Data Office’s recommendation “A guide to data processing for small and medium-sized enterprises”, page 31
[2] Article 34(3)(a) of the General Data Protection Regulation

If you have any comments on this article please email them to lv_mindlink@pwc.com
