Numpty Nigel presses ‘Send’

We’ve all done it. We hit ‘Send’ and then scramble to try and get the email back, or stop it sending. That sinking feeling as we realise that the email has gone. The mistake has been made. And we have to face the consequences. What is worse is where the mistake leaves a person worried that their organisation may have to report their mistake to the regulator and they may have just lost their job. That is the most common data breach we come across at the The Privacy Compliance Hub (although we’ve never seen anyone lose their job over it).

By Nigel Jones

Co Founder of The Privacy Compliance Hub

April 2020

Numpty 2

Each of the ‘Privacy Fails’ we discuss in this series of short articles are real.  They are based on things we have seen at the The Privacy Compliance Hub.  They are based on reports from regulators of the complaints they have received; the data breaches reported to them; and the fines and other enforcement actions they have levied.  These things do happen. A lot. Don’t let them happen to you. Don’t be a numpty.

The privacy fail

The most common data breach of this sort is sending an email to a long list of recipients (for example customers).  The email addresses constitute personal data. And you have just disclosed (or processed) that personal data without any legal basis (such as consent) for doing so.  The person who makes the error realises that instead of copying and pasting all the email addresses into the ‘Send to’ box, they should have put them in the ‘bcc’ box.  They immediately get that sinking feeling when the first complaint is received by way of reply from one of the disgruntled recipients.

Other examples include sending letters (or emails) containing personal data to the wrong address.  The Irish regulator (the DPC) even includes sending faxes (remember those?) to the wrong fax number in the same category.

A privacy statistic

A whopping 83% of data breaches in Ireland in 2019 were caused by unauthorised disclosure of personal data such as this.  In the UK, two of the top five data breaches fall into this category. The first, personal data posted or faxed to the wrong recipient amounted to 10.2% of all data breaches in Q3 of 2019/20.  This was closely followed by personal data emailed to the wrong recipient at 9.6%.

Real life example(s) with real life consequences

In 2016, an NHS Trust was fined £180,000 after a sexual health centre mistakenly disclosed the details of nearly 800 patients.  In 2019 a London gender identity clinic mistakenly disclosed the email addresses of almost 2000 patients.  Both cases involved the failure to use the bcc function.

In 2018, the UK government was forced to settle a claim made by an asylum seeker when their details were disclosed to their Middle East country of origin, thereby allegedly endangering their life and the lives of their family members.

How to avoid this privacy fail

Train your staff.  Make them understand how easy it is to make such a mistake.  Make them care by explaining the possible consequences of getting things wrong.  And make them do what you train them to do.  This is all part of creating any culture of continuous privacy compliance.

Some email software allows you to ‘Undo send’.  For example, if you go to ‘Settings’ in Gmail, you can go to ‘Undo send’ and set a maximum time of 30 seconds in which to unsend an email.  This may be all the time you need given that in our experience you realise your mistake immediately after you have hit the send button! In Outlook you can set a rule to delay all outgoing email by longer than the maximum of 30 seconds which Gmail gives you.

Be really, really, really careful with ‘copy and paste’.  I know, easier said than done. But if you do train your staff and remind your staff to be careful, then it may just save you having to notify your organisation to the regulator.

Finally, if a mistake is made (and everyone does make mistakes) and you are deciding whether you do need to notify the regulator or the individual or individuals concerned, you are likely to find this article very useful.  Be careful, under the GDPR you only have 72 hours to notify.

Watch this short promotional video for our simple online GDPR training which enables you to train your staff wherever they are and reduce the risk of data breach.


A culture of continuous privacy compliance

At The Privacy Compliance Hub, we help organisations establish and maintain a culture of continuous privacy compliance by making everyone in an organisation understand privacy, care about privacy and do their bit to protect personal information.  Our platform contains a structure, a programme, a route map, records, information, reporting and training to enable all organisations to build that culture and comply with privacy rules including the GDPR and the CCPA.  It reduces the risk of data breach.

Numpty Nigel

Numpty Nigel’ is fictional.  He is not based on any person living or dead.  Any resemblance or similarity to any person living or dead is purely coincidental.  It’s just that one of our Co Founders is called Nigel.  He is not a numpty.  But he does think that ‘Numpty Nigel’ sounds funny.  And the name Nigel is slowly dying out.  So this series of articles is for all the Nigels out there.

More to watch and read