Can I loose my job for breaching data protection?

[fershuuu]

So I work for a company and we provide online learning courses.
Thursday I emailed 300 previous clients asking if they want to take part in another course.
I cc them all in by mistake so they all can see each others emails.
I've had a few emails back from them asking to speak with my manager as everyone can see everyone's email address and saying I've breached data protection.

Can I be sacked for this

You must quickly reveal the breach to your manager and expect a sanction of some sort.

It depends on the company and the circumstances, but yes you could be sacked for this. At my workplace you would be.

Surely just a email address visible isn't the end of the world ?
It wasn't personal info in email it was sent to all of them

Have you received adequate training in the role?

just report it factually to your boss, don’t try to minimise.

In all honesty, it depends.

You were using the email addresses for a legitimate purpose, your business should have a process in place to properly handle marketing emails so this doesn't happen, so if you bypassed the system, it could be considered misconduct.

What should happen is following your company's GDPR breech/IT policy and alerting your manager as soon as possible so a retraction and an apology sent. If you did this, you made a mistake, but then followed process and made best efforts.

Embarrassing mistakes happen! 300 emails will mean some people complain, however if these are work emails about a training course, it's hardly the stuff of high drama and as long as no confidential information or personal sensitive category data was shared it really is just a short lived mistake.

That would be an enormous issue in my line of work.

You can. However, many people have fallen foul of the cc/bcc that you have to specifically enable (and can reset without warning) each time IT update the system ever since the inception of email, so they may be less punitive if you tell them straight away - and assuming you aren't selling courses to ex offenders or victims of crime.

Have you at least tried to recall the message, so as to minimise the effect, maybe not all 300 have opened it yet?

The email addresses in themselves ARE personal information.

I understand where you’re coming from but don’t go to your boss with this attitude. Just own up ASAP, say sorry it was a human error, let’s look at what steps I can take to fix it.

The company should have a protocol for what to do, and someone should draft an email to send to everyone that was impacted.

Most people’s email address contains their first name or company name, sometimes both. In my line of work this would be a sackable offence.

Not sure about your emails, but for at least some systems, you can only recall internal emails and only if they haven't been opened.

The things that help me when breaches occur (and they do occur) is IMMEDIATELY reporting, taking it seriously, engaging with the measures to contain the breach, seeing training and taking the whole thing as a learning.

If you didn't tell me immediately, tried to cover it up, didn't take it seriously, yes, I would be very very worried about your role.

First thing tomorrow you need to tell your line manager what happened & how you’re going to make sure you don’t do it again. And for heaven’s sake don’t say anything like ‘it’s not the end of the world.’

If the emails are publicly available rather than personal you may be ok. It is a data breach though and sharing personal data may be grounds for misconduct. You need to admit and apologise.

As PP have said, the email is the personal information and many people would have strong feelings about it being shared with 300 people they didn't know without their consent. The only thing to do is own up to your manager and follow their lead. I have worked in places where this would be a sackable offence, but if they don't have a process in place for the task you were doing you could maybe try and reason with them...

Email addresses do count as personal info under GDPR. It should be reported to the Data Protection Officer at your firm asap and they would advise as to what remedial/mitigating steps need to be taken. Your company will have a policy. It might not lead to a fine, but if it does the fine gets worse the longer it takes for the firm to report the breach to the Information Commissioner’s Office.

Whether you face any consequences depends on what training you’ve had and how closely you’ve followed the relevant policies, I expect.

Please don't let posters like this scare you. It is vanishingly unlikely that you would be sacked for something like this unless it was eg a medical breach, which this wasn't.

The "bcc" trap happens so often, the ICO has specific guidance on it.

Tell your manager tomorrow or follow whatever procedures you have for data breaches and it will be ok.

BTW at my workplace we have a policy that breaches have to be formally reported (supervisor - minimum) within 24 hours, and as soon as possible. If you've been aware for days, that's worse.

Do you did this on Thursday and haven't notified your superiors yet??
I've had this happen to me and I was extremely angry with the company who sent my email address to over 200 other people - it was a highly confidential matter that I didn't want others knowing I was involved with.
You HAVE TO take this seriously as it is serious!

OP, it IS serious and you really shouldn't try to trivialise it like saying "it's only email addresses". That would be a massive red flag to a bull in most organisations. ANY breach of personal data disclosure IS a serious matter. You need to make full disclosure to your manager and also your organisation's designated data protection officer, with a grovelling apology etc. It's up to your organisation's data protection officer to decide how serious it is and what actions to take. At the very least, expect a written warning.

This. Personally, I’d be absolutely furious if 299 random people had been sent my email
address.

Sorry this has happened to you OP but in some organisations it could be a sackable offence. In Councils, for example, a breach of this nature would have to be declared to the Information Commissioner’s Office and the organisation involved could receive a hefty fine. You may not lose your job but you’ll probably get a written warning.

That is exactly the attitude that would get you sacked in a lot of places. With that view you are a liability.