
Can I lose my job for breaching data protection?

131 replies

fershuuu · 26/08/2024 16:28

So I work for a company and we provide online learning courses.
Thursday I emailed 300 previous clients asking if they want to take part in another course.
I cc'd them all in by mistake so they all can see each other's emails.
I've had a few emails back from them asking to speak with my manager as everyone can see everyone's email address and saying I've breached data protection.

Can I be sacked for this?

TriciaMcMillan · 26/08/2024 16:52

PlutarchHeavensbee · 26/08/2024 16:49

This. Personally, I’d be absolutely furious if 299 random people had been sent my email address.

Sorry this has happened to you OP but in some organisations it could be a sackable offence. In Councils, for example, a breach of this nature would have to be declared to the Information Commissioner’s Office and the organisation involved could receive a hefty fine. You may not lose your job but you’ll probably get a written warning.

It's pretty unlikely this would attract any fine, let alone a hefty one.

Annonymiss123 · 26/08/2024 16:53

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in email it was sent to all of them

This alone shows that you don't have adequate GDPR training.

If you haven't done so already, you need to report this immediately.

Mrsttcno1 · 26/08/2024 16:53

parkrun500club · 26/08/2024 16:46

Please don't let posters like this scare you. It is vanishingly unlikely that you would be sacked for something like this unless it was eg a medical breach, which this wasn't.

The "bcc" trap happens so often, the ICO has specific guidance on it.

Tell your manager tomorrow or follow whatever procedures you have for data breaches and it will be ok.

What, posters who work in Data Protection and who are responsible for holding these meetings for employees who breach them?😂 Ah yes don’t listen to someone who can speak from experience and knowledge.

Email addresses are classified as personal information under the 2018 Act, and businesses can be fined huge amounts of money for breaching.

Plus the damage that can be done depending on the company, the clients, and the course.

VivaDixie · 26/08/2024 16:54

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in email it was sent to all of them

The personal information is the email address. You have sent personal email addresses to 300 people.

In our organisation this would be a significant breach of personal information.

ShuviToopya · 26/08/2024 16:54

This reply has been deleted

This has been deleted by MNHQ for breaking our Talk Guidelines - previously banned poster.

taxguru · 26/08/2024 16:55

At the very best case scenario, 300 people are going to get spammed into oblivion as at least 1 of those 300 will have given/sold those 300 email addresses to spammers. They're desperate for genuine/valid/active email addresses to spam/con people.

Xross · 26/08/2024 16:55

Have you had data protection and GDPR training at all, OP?

StormingNorman · 26/08/2024 16:56

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in email it was sent to all of them

It is personal information! It’s their email address. And you’ve made their interaction with your company known.

You need to let your manager know asap.

MirandaWest · 26/08/2024 16:57

In the company I work for you have to report any breaches as soon as possible - I think we are told that if you’re not sure you need to report and I think it’s meant to be within an hour or so of discovering it. Definitely within 24 hours.

We have training on this regularly - have you HAD GDPR training?

WhereAreWeNow · 26/08/2024 17:05

OP it's really important you report what happened to your manager and whoever is responsible for GDPR in your company (there's usually a Data Protection Officer in bigger companies).
Taking swift action to rectify the issue is vital.
Minimising it by saying it's only email addresses will make it worse.
I've had breaches in my team before. Tbh, if someone I manage was downplaying the mistake and saying it's just email addresses, I'd be wondering if they were the right person for the job.

Bellyblueboy · 26/08/2024 17:06

It was a mistake. But it sounds like you either haven’t been trained on data protection or you didn’t pay attention.

Speak to your manager, own up and apologise. Don’t try to minimise it. Also if you haven’t been trained ask for training. Most companies use short videos followed by a quick test.

Hayley1256 · 26/08/2024 17:10

I don't think you will be sacked for this but you need to report it to your manager. You have breached the data protection act as they can see each other's personal emails, also depending on the course they may not want strangers knowing they took it previously.

MargaretThursday · 26/08/2024 17:12

You need to report it asap, and put out an email recall. I don't think an email recall does anything except sends half the people to see what was in it to be recalled, but that does seem to be standardly done.
I'd expect you to get a warning, but not more from people I know who have done it. It used to be one of my nightmares at work, but now we've got a system which goes through an address book that means all are automatically bcc. Phew!

I'd suggest when you go to your line manager to tell them, you ask if you can go on a GDPR course. They're actually pretty interesting.

I've had it several times, including from our council cc-ed in all the people they do invoices for and receive invoices from (it was a new invoice system being set up). That one I did cringe at because of the potential impact there - over 500 people. It wasn't even as though they were all business emails; there were a fair number of personal ones too.

HamSad · 26/08/2024 17:12

People will use something like this to kick you, simply because they can. Own up to your manager ASAP. It was just a mistake, you're human.

TyneTeas · 26/08/2024 17:14

You might find this interesting

ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/08/ico-publishes-new-guidance-on-sending-bulk-communications-by-email/

ICO recommends using methods other than bcc for bulk mail as it is a common error to cc instead

Allie47 · 26/08/2024 17:14

Just sending the email address with no other personal information is very unlikely to be a breach of GDPR, you can expect a low level sanction to be a bit more careful in future but in reality it's unlikely anyone could use the info for nefarious purposes. To be sacked for this there would have to be quite a serious impact on the people affected which other than them being a bit annoyed is unlikely.

HamSad · 26/08/2024 17:14

Mad to think people used to have their phone numbers and home addresses printed in a big yellow book given out to all and sundry in their local area, and no one fell on the ground wailing about what an invasion of privacy it was.

Soretoothfairy · 26/08/2024 17:16

HamSad · 26/08/2024 17:14

Mad to think people used to have their phone numbers and home addresses printed in a big yellow book given out to all and sundry in their local area, and no one fell on the ground wailing about what an invasion of privacy it was.

Yes, indeed, mad to think we sent kids up the chimneys and no one said boo about it. Let’s all just go backwards.

Timeforaglassofwine · 26/08/2024 17:17

I did this once @fershuuu. I worked for a major company. I told my boss as soon as I realised. A few recipients were pissed off, but I wasn't dragged across the coals by my employer.

PlutarchHeavensbee · 26/08/2024 17:17

TriciaMcMillan · 26/08/2024 16:52

It's pretty unlikely this would attract any fine, let alone a hefty one.

I’m not saying it would. I said it could… but a data breach of this size, if it happened in local government, would need to be reported to the ICO.

HamSad · 26/08/2024 17:21

Yes @Soretoothfairy the yellow pages is definitely comparable to child slavery.

wutheringkites · 26/08/2024 17:24

Were you given any training in how to handle personal data and communication with clients?

Soretoothfairy · 26/08/2024 17:25

OP, the issue you have is some folks answering do not understand GDPR or the right to privacy, why people have a right to keep information private and why companies need to protect data. And I’m afraid to say I don’t think you are either.

Which means you’ve not been trained properly. Or you didn’t understand it, or you don’t really care so didn’t pay attention.

I'd inform your company and say it was an error. You tried to recall as soon as you knew. Don’t say things that show you don’t understand. They will have to send an apology email and ask all recipients to destroy the original.

merryhouse · 26/08/2024 17:25

From the ICO website:

The Central YMCA sent an email to individuals participating in a programme for people living with HIV using “CC” rather than “BCC”, revealing the email addresses to all recipients. 166 individuals could be identified or potentially identified from their email address. As a result, it could be inferred that these individuals were likely to be living with HIV. The Central YMCA have been fined £7,500 and issued a reprimand.

Admittedly this is a slightly more Special Category incident than a training course (depending on the training, obviously).

PuppiesProzacProsecco · 26/08/2024 17:26

We had a much worse breach than this a few months ago - personal details shared included full name, address, telephone number and email address of one person with another. Also the fact they were using the service we provide was highly sensitive.

Staff member wasn't sacked as she raised it to me immediately, it was a mistake that anyone could've made (attaching the wrong details in a document) and the ICO were content that we'd addressed the issue adequately (action taken included change of process so the same thing could never physically happen again and an apology to both parties as well as a retraction of the offending email).

Shit happens OP but it's hard to say how your employer will react as we don't know the processes etc in your job. I'd imagine you won't make the same mistake again though!