Did you e-mail a client’s data to the wrong person? Now what?
Sometimes one misdirected e-mail can cost over €50K.
A Polish telecommunications company learned this the hard way when the recipient of a misdirected e-mail complained to the Polish data protection authority about receiving it. The e-mail contained the personal data of one of the company’s subscribers. The company failed to inform the regulator and the affected person about the breach within 24 hours, which violated the Polish Telecommunications Law and led to a EUR 53K fine.
Even though this fine was not imposed for GDPR violations, in some situations a single misdirected e-mail may also constitute a high-risk personal data breach (e.g., when the misdirected e-mail contains another person’s special category data).
WALLESS experts share insights on how to manage such situations:
- Don’t rush; before clicking “send”, build a habit of checking who the recipient is (you may also set up an automatic delay of a few minutes for outgoing e-mails with attachments).
- Learn how to recall an e-mail so you don’t have to google this in urgent situations.
- If you mistakenly send an e-mail to the wrong customer, assess the situation; if there is a threat to the rights and freedoms of data subjects, inform them and the supervisory authority immediately, but no later than 72 hours after the incident.
- Protect your e-mails to clients with technical security measures (e.g., individualized passwords).
- Have a documented process for managing personal data breaches.
- Train your employees on how to identify and manage such incidents.
- Periodically verify the accuracy of your clients’ personal data, so that your customers’ contact details are always up to date.
#GDPR #privacy #databreach