GDPR breach- I cocked up!

[duckme]

I work in school admin and our school is in the process of getting ready to open on the 1st June. Part of the process is to contact parents of the children in the specific year groups and ask them to complete a survey for us. The IT department have sent the survey out through our app and Facebook page. Both of these require the parents to have registered and a lot of our parents haven't. I was asked by the headteacher to email the parents we hold email addresses for. Our MIS system is capable of communicating via email but our trust has not set this up so I had to copy and paste each email address. I was doing this from home, on a tablet with a two year old running around (my husband had to hold him still whilst I sent the email) and I don't generally work fridays but knew the deadline for the responses was 5pm so I sent the email asking parents to complete the survey by clicking the attached link.
I didn't BCC it! I know I should have, it never even occurred to me at the time though! I reported the breach to the headteacher immediately and was told to wait to see if anyone complains.
I checked this morning and a parent had emailed me to say 'a huge well done for the GDPR breach'.
I feel sick. There was no personal information included in the email other than addresses. The parent in question doesn't have her name in the email address so it doesn't give away her identity, but others probably do use their names.
The parent has said she will be requesting a SAR.
How screwed am I?

@bluefoxmug
I would have much preferred the school provide me with a laptop to use at home instead of having to use the most infuriating tablet ever!

you aren't the first and you won't be the last to do this - I've had it done to me by big organisations.

it is a breach, yes, and it does expose people to spam, and it shouldn't happen - but it isn't as if you sent bank details and home addresses round. Procedures should be followed, and yes it should be flagged up to make sure all concerned are aware. But if they sack you for this they are nuts.

public sector.
imo it's really bad to let anyone work with such sensitive data without appropriate soft&hardware.

op I hope for you that this will not have further consequences and that your boss will help avoid such issues in the future.

I think your head teacher didn't advice you very well.
It would have been better to see if you could retrieve the email - you can do this with some email accounts.
Head could have also helped you with writing an apology to everyone - efficient communication and acknowledgment of error often reduces the negative backlash.

Here's what the ICO says about working from home ico.org.uk/for-organisations/working-from-home/

You have addressed it as best you can. Your employer should take some responsibility for putting you in a tricky position.
A SAR achieves nothing for the parent but of course they can do it if they want.
An apology and tightening up you systems/processes will avoid it happening again.

It is about what is done to stop a repeat.

Your GDPR policy should have been revisited in view of covid and interaction with new providers and staff taking on new roles.

It was an error that should not have been able to happen if the policy had been reviewed. Your GDPR officer should have assessed the risk and either changed procedure or have a warning/ reminder in place. But it was an error.

The amount of SARs have shot up in lockdown and school will judge if it is a reasonable request. The whole issue is action to stop a repeat. This may be all that is needed.