Received email not meant for me - GDPR?

[ThatCurlyGirl]

Eek I've received a whole email thread not meant for me.

It's from my accountant but they've sent it to me by mistake as first letter of my name is the same of the recipient he meant to send to.

I read it because we are going back and forth on a similar topic at the moment so initially assumed it was for me.

Usually I'd just let him know and delete but in the thread the other client (that is was meant for) is arranging a repayment plan as a close family member has recently died - it mentions this in detail and specific financial information too.

I have had to do a similar plan and also disclose medical information to agree a repayment plan since my accident and would be cross if my information was shared with another client of theirs.

Especially because we are in a small industry and while I would never dream of mentioning the details to other people IRL, I would be gutted if it had been sent to someone gossipy who then disclosed info to other people.

I don't really know what I'm asking - should I let the accountant know and leave it there? Is this a breach of GDPR? If the other client is struggling with money already would she have any claim to help her out if they were found to have breached GDPR?

Not really sure what I'm asking - I guess whether I should do anything or just delete and leave it completely?

I've seen one of these threads before about a solicitor's and someone said their firm didn't allow email systems to 'hold' email address to help avoid this. So you wouldn't get 'Bobby Smith' coming up as an option when wanting to email 'Bernard Smith'. Sounds like a sensible approach to me.

its a difficult one really, how would the authorities know if a firms processes were poor if everyone just deleted it and only told the firm in question.Saying that if it is a one off, and these things can happen, then it seems a bit harsh to report them.
Not sure what you should do really.

@ishouldbedoingsomework would I "like" to be reported? No, but I would understand and willing to face the consequences? (Of which there wouldn't really be any in this small case) yes of course, I'm not a child.

You're right to be concerned. A lot of this happens due to predictive email address auto-fill when you're sending an email.

I once sent a 'how much money do you drink quiz to a Mary in the US (Head of Compliance ) which was intended for Mary at the desk behind me.
I spent about 48 hours in the horrors waiting to be fired.

I'd just highlight it to them.
Under GDPR they are legally obliged to inform the person that their data has been breached. Whether they do or don't is no skin off your nose, but I think the auto-fill of email addresses is a massive accident waiting to happen.

I've seen my Director send separate emails twice to John Smyth in our company, but sent it to John Smyth externally. Twice lol. Both times external John Smyth said 'I don't think this was intended for me'. Director was like 'apologies, meant for John Smyth beside me'.

I've received emails and wondered WTF? 'I'd like to catch up with you for an hour to discuss the blah blah blah presentation'. I was sat there baffled going 'What? What presentation? I'm not working on a presentation? then noticed the company name it was coming from and again replied, 'I think you've sent this to me in error'.

They're legally obliged to report a breach. I get the most mundane stray emails.

Actually got one from the council a few months ago requesting further information, followed by an email to say 'apologies, ignore, not meant for you'.

They wouldn't need to report this to the ICO, it's not a severe enough incident, all they would do is record it (as you need to record all breaches and decide which need forwarding to the ICO). Honestly this isn't dobbing anyone in, it just informs them to tighten up their practices and ensure nothing bigger happens, you'd be doing everyone a favour.

Oh ffs just let them know and delete it. What’s all the atongising for? Mistakes happen, it’s clear this is one. Accountant should make intended recipient aware of the breach under GDPR.

They have to report all breaches, to the 'victim' of the breach.

Yes sorry to the victim (victim sounds so serious ha) I thought you meant ICO.

If it detailed someone's finances, it is a data breach.

Well it's a matter for their DPO to decide, either way OP has done the right thing and doesn't need to feel like she's dobbing anyone in for a "genuine error" which is all I'm bothered by.

How odd, this has also happened to me today except I'm the one whose details have been shared. It is obvious it's a genuine mistake as my email address was typed incorrectly. I alerted the account manager and they are addressing it with the sender plus also looking to ensure that their processes are improved to prevent any further issues. I don't really think my details are of interest to anyone tbh and I presume the person who received it will likely just delete it. I don't really feel there's any point in taking further action. If anything does come of it I've got proof it happened.

'Let's catch up on the Xyz presentation' Not a data breach

'We've run through your financial breakdown and you need to repay x amount per month' Data breach

I've been on both sides of this. When I receive something in error I let the sender know and then deleted. I really hope that I would get the same treatment in return. Mistakes happen and the consequences of reporting a GDPR breach can be huge.

Something similar happened to me once, a thread of emails that involved very sensitive information about a woman who had been murdered was sent to me by mistake. I didn’t know the people who had sent it, I think the intended recipient had a very similar email address to mine. The email included information about the victim, her family, friends and where she had lived and the funeral and inquest arrangements. I just emailed them back and made them aware of it, and stated that I would be deleting the email.

a mistake like that would be gross misconduct at my work and instant dismissal.

I sent an email in error (had no implications was within the same company), I retracted email, apologised, someone escalated to a manager who was awful to me. Totally overreacted according to the nice IT lead.
I cried for days, so don't report it imo!

They've sent an apology to the intended recipient saying they sent it to her other email by mistake. But have sent it to me again! It was addressed to my full email address and was a single line for her attention, saying apologies we sent to your other email by mistake, I haven't read anything past that.

I'm honestly not trying to make something of nothing - some people have said it's a data breach thing and they'd feel obliged to report while others have said along the lines 'fgs just delete it and move on' etc.

Anyway, I've again deleted and just told them they've sent the follow up email to the wrong email address again and have asked them politely to double check anything for me hasn't gone to the wrong person too.

Thanks again for your help.

Ps also it's the company owner who made the error so nobody in the company will be getting a bollocking for what I understand is genuine human error.

social worker once meant to email some reports to her own personal address and sent them to me instead.

She shouldn't have been sending them to her personal email anyway. We would be lynched at work if we did that.

I regularly receive emails for someone with a very similar email address to mine. They work in a very sensitive role and I’ve had lots of shockingly confidential stuff come through, often about very vulnerable people. I have contacted various people about this including her place of work but it still keeps happening.

It is a breach of GDPR but mistakes happen. Let your accountant know and leave it at that. It is up to them to report it as a breach if they choose to do so. I wouldn't report it myself because what would it achieve apart from a load of heartache for people?

They've sent an apology to the intended recipient saying they sent it to her other email by mistake. But have sent it to me again

PMSL Fucking hell. Are they asleep?

Is it an accountant or admin sending these?

Once, fair enough, twice, fuck me!

As I said, it seems the more senior they are the more careless they are. An admin wouldn't do it as it would cost them their job (e.g. me sending a how much do you drink quiz to the Head of Compliance in the US - didn't lose job - hopefully Mary was fond of the drink herself - but way prior to GDPR).