
Can I lose my job for breaching data protection?

131 replies

fershuuu · 26/08/2024 16:28

So I work for a company and we provide online learning courses.
Thursday I emailed 300 previous clients asking if they want to take part in another course.
I cc'd them all in by mistake so they can all see each other's emails.
I've had a few emails back from them asking to speak with my manager as everyone can see everyone's email address and saying I've breached data protection.

Can I be sacked for this?

invisiblecat · 26/08/2024 17:27

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in email it was sent to all of them

It is abundantly clear from this comment that you have not received enough training in GDPR.

Rachel1509 · 26/08/2024 17:29

As a data protection officer I would say it’s not a hanging offence. If it was me I would send an official letter to all concerned expressing how sorry we are and promise additional training to resolve this. It’s a minor human error, it’s not like you’ve sent them medical history or criminal records - it’s only an email address.
Do you have a mechanism to recall the email?

WYorkshireRose · 26/08/2024 17:29

Titsonboard · 26/08/2024 16:41

Have you at least tried to recall the message, so as to minimise the effect, maybe not all 300 have opened it yet?

Recall only works within the same email network, so if the email had been sent to a group of OP's colleagues. It's completely ineffective otherwise.

To answer your question OP (I work in data protection), this is highly unlikely to be a sackable offence, unless your company is particularly anal about this sort of thing. More likely, they'll issue an apology to all affected parties and ask you to sit some extra training.

HowcanIhelp123 · 26/08/2024 17:30

Depends on the situation. I have applied for a job, and received further info about the interview in which all those being interviewed were cc'd. So you knew who you were up against. Big fucking breach for many reasons.

WYorkshireRose · 26/08/2024 17:32

Allie47 · 26/08/2024 17:14

Just sending the email address with no other personal information is very unlikely to be a breach of GDPR, you can expect a low level sanction to be a bit more careful in future but in reality it's unlikely anyone could use the info for nefarious purposes. To be sacked for this there would have to be quite a serious impact on the people affected which other than them being a bit annoyed is unlikely.

To be clear, it is a breach of GDPR. The email address is the personal information. However, I would agree that it probably isn't a particularly serious one.

CloseEncountersOfTheTurdKind · 26/08/2024 17:34

A police officer accidentally sent my email address to the accused person in a crime I was victim of. I complained but they didn't seem bothered, and just said they would try and make sure it didn't happen again. So the police don't think sharing an email address is a serious GDPR breach

IbizaToTheNorfolkBroads · 26/08/2024 17:39

Where I work it wouldn't automatically be a sackable offence, but it would trigger a disciplinary process. The sooner you alert your data protection officer, or similar data manager, manager, HR etc, the better it'll be for you. Don't try and cover up what you have done.

topcat2014 · 26/08/2024 17:46

Are they all business email addresses? Assuming they are, I wouldn't give it a thought, and leave the worrying to the pedants

minsmum · 26/08/2024 17:48

Where I work you would need to inform the Data Protection officer as soon as you realise, they will tell you what steps to take to mitigate the breach. The DPO will decide whether to inform the ICO.
It's not automatically a disciplinary matter as they don't want staff to be afraid to report breaches. They will then look at what your training was and whether it needs to be updated or repeated and the processes to try to stop it happening again

InevitableNameChanger · 26/08/2024 17:49

Mrsttcno1 · 26/08/2024 16:42

Most people’s email address contains their first name or company name, sometimes both. In my line of work this would be a sackable offence.

How serious this breach is would depend what the context is, what the email is about, what it revealed about the recipients and whether there was any actual risk on the recipients having each other's email addresses

We certainly wouldn't sack for this unless it was deliberate or the person had done it many times before

Ellie56 · 26/08/2024 17:49

Annonymiss123 · 26/08/2024 16:53

This alone shows that you don't have adequate GDPR training.

If you haven't done so already, you need to report this immediately.

Exactly. I work as a volunteer for a charity and we all have to do GDPR training every year.

When did you last do any GDPR training OP?

Bellyblueboy · 26/08/2024 17:51

topcat2014 · 26/08/2024 17:46

Are they all business email addresses? Assuming they are, I wouldn't give it a thought, and leave the worrying to the pedants

Do you work in an administrative setting?

I agree it’s not serious mistake 1 but it’s a mistake and burying your head in the sand is an immature and unprofessional response.

https://www.databreachlaw.org.uk/data-breach-compensation/is-sharing-an-email-address-a-breach-of-gdpr#:~:text=Damages%20For%20Sharing%20An%20Email,material%20and%20non%2Dmaterial%20losses.

ShuviToopya · 26/08/2024 17:53

This reply has been deleted

This has been deleted by MNHQ for breaking our Talk Guidelines - previously banned poster.

HowardTJMoon · 26/08/2024 17:54

topcat2014 · 26/08/2024 17:46

Are they all business email addresses? Assuming they are, I wouldn't give it a thought, and leave the worrying to the pedants

If you think this is pedantry you really don't understand a company's obligations under the GDPR.

LifesTooShortForYourNonsense · 26/08/2024 17:57

Your company should be investing in a proper CRM system with email and not be mailing 300 people at a time as the address can be blacklisted as a spammer. I would have refused to do this mailing in the first place, they should have a data control officer (all companies that employ more than 12, I think) who will know it’s not best practice. It’s not your fault if you weren’t trained properly.

Having said that, my gym (a major chain) once sent my address to everyone in the same city and I hit the roof. It’s only because I knew the poor zero hour contract PT who sent it might lose their position that I didn’t take it to the ombudsman.

ohyesido · 26/08/2024 18:03

It really isn’t that serious. Compare it with the YMCA data breach where email addresses were not bcc’d in a communication to service users of a specific charity involving therapy for a stigmatised incurable STD. That’s caused a risk to the rights and freedoms of those service users.

I can’t see what risk you’ve caused with an admin oversight and the ICO would not be interested.

MissMoan · 26/08/2024 18:06

@fershuuu are you able to say the nature of the email?

Blarn · 26/08/2024 18:07

HamSad · 26/08/2024 17:14

Mad to think people used to have their phone numbers and home addresses printed in a big yellow book given out to all and sundry in their local area, and no one fell on the ground wailing about what an invasion of privacy it was.

Well, some people did. That's exactly why you could apply to be ex-directory.

xyz111 · 26/08/2024 18:09

Have you told your manager? You need to asap if you haven't otherwise it's making it worse.

rainbowunicorn · 26/08/2024 18:11

fershuuu · 26/08/2024 16:39

Surely just an email address visible isn't the end of the world?
It wasn't personal info in email it was sent to all of them

The fact that you've said this makes me think you don't have a clue about DPA / GDPR
Yes you could be sacked depending on your company policy. It would be a huge breach anywhere I've ever worked.

Funkyslippers · 26/08/2024 18:15

HamSad · 26/08/2024 17:14

Mad to think people used to have their phone numbers and home addresses printed in a big yellow book given out to all and sundry in their local area, and no one fell on the ground wailing about what an invasion of privacy it was.

But they would have volunteered their information. The recipients of the OP's email did not.

HelenWheels · 26/08/2024 18:15

simply recall the email

InevitableNameChanger · 26/08/2024 18:15

rainbowunicorn · 26/08/2024 18:11

The fact that you've said this makes me think you don't have a clue about DPA / GDPR
Yes you could be sacked depending on your company policy. It would be a huge breach anywhere I've ever worked.

It would be a breach you needed to report to your DPO but whether it would be a serious breach would depend hugely on the context.

And certainly (as someone who was a DPO in a big organisation ) it is very unlikely someone would lose their job over this unless it was very sensitive data and even then I would see this more as an organisational failure than an individual failure - there should have been a better process for communications

And the ICO would expect the focus to be on system changes rather than expecting employees to never make mistakes

rainbowunicorn · 26/08/2024 18:16

HamSad · 26/08/2024 17:14

Mad to think people used to have their phone numbers and home addresses printed in a big yellow book given out to all and sundry in their local area, and no one fell on the ground wailing about what an invasion of privacy it was.

There was always an option to be ex directory or not be shown in the phonebook. It's hardly comparable.

Bellyblueboy · 26/08/2024 18:16

HelenWheels · 26/08/2024 18:15

simply recall the email

Oh dear😂.
