Question re data protection

Soldato
Joined
3 Jan 2006
Posts
24,955
Location
Chadderton, Oldham
Just looking for some information.

If, for example, someone did some processing for 10 people and got 10 email confirmations containing personal information that they then needed to send to their manager, but what actually happened is that this was accidentally sent to an individual outside the organisation with the same initials as the manager.

This would constitute a data protection breach, but what would the consequences for the individual be?

This absolutely does not relate to myself, but as far as the above goes, it is a scenario.
 
Man of Honour
Joined
13 Oct 2006
Posts
91,147
Your organisation should have someone this should be reported to (data controller, etc.) who would then decide how to proceed. Timely reporting of a breach, etc., makes a huge difference to the potential consequences.
 
Soldato
Joined
10 May 2004
Posts
3,751
Location
East Yorkshire, UK
If hundreds of thousands, you should report to your Data Protection Officer (DPO).

The DPO will then contact the ICO to report that a breach has happened. Not knowing the PII that was given, I would expect, if it's training details, for it to be names and job titles, so they should contact the outside organisation to delete the contents of that email and get an email confirming that it has been deleted. For a company with hundreds of thousands of employees, I would expect the outside organisation to be on an approved domain list, which would have some form of contract. That contract would have a GDPR clause covering these events, under which they react as the organisation contacting them asks (delete the email). This will then be tracked and attached to a data breach ticket in a tool such as OneTrust.
 
Soldato
Joined
21 Apr 2011
Posts
3,119
I have had members of staff do something similar. On a small scale like this, depending on the actual data, it would usually be classed as a low-risk breach, so things like names and addresses. A lot of the time the classification can come down to the amount of data rather than what was actually contained within it as well.

If it is the first time it has happened, and assuming that email was the correct and approved method of transmission for the information, then I wouldn't expect anything other than something documented in their 121 to establish the root cause and ensure measures are in place to stop it happening again.

It is also very unlikely at that level of data that it will go anywhere beyond the internal company processes.

I have had full customer data (names, addresses, financial information, etc.) sent to the incorrect customers before. Human error happens. I haven't ever had to do anything more than the above. If I were to start seeing repeat issues, then it would likely invoke capability and/or disciplinary proceedings.
 
Soldato
Joined
25 Aug 2006
Posts
6,374
Depends on the PII. If it's home addresses, personal mobile numbers, etc., then the sender should have recalled the email; if that is not possible, send an email to the recipients apologising, requesting that they delete the email, and stating that the issue has been reported to the DPO.

DPO reports the breach to the ICO or their Data Protection governing body and an investigation takes place.
 