Did you e-mail a client’s data to the wrong person? Now what?

Sometimes one misdirected e-mail can cost over €50K.

A Polish telecommunications company learned this the hard way when a recipient of misdirected e-mail complained about receiving it to the Polish data protection authority. The e-mail contained the personal data of one of the company’s subscribers. The company failed to inform the regulator and affected person about a breach within 24 hours, which violated the Polish Telecommunications Law, and led to a EUR 53K fine.
Even though this fine was not imposed for GDPR violations, in some situations, a single misdirected e-mail may also constitute a high-risk personal data breach (e. g., when misdirecting an e-mail containing another person’s special category data).

WALLESS experts share insights on how to manage such situations:

• Don’t rush; before clicking “send”, build a habit of checking who the recipient is (you may also automatically delay outgoing e-mails with attachments for a few minutes).
• Learn how to recall an e-mail so you don’t have to google this in urgent situations.
• If you mistakenly send an e-mail to the incorrect customer, assess the situation; if there is a threat to the rights and freedoms of data subjects, inform them and the supervisory authority immediately, but no later than 72 hours after the incident.
• Protect your e-mails to the clients with technical security measures (e. g., individualized passwords).
• Have a documented process for managing personal data breaches.
• Train your employees on how to identify and manage such incidents.
• Periodically ensure the accuracy of your client’s personal data.

This will ensure that your customer’s contact details are always up to date.

#GDPR #privacy #databreach