
Personal Data By E-mail – The Biggest Reason For Security Breaches

By: Sajerathan Vincent | Cyber Security, GDPR | 29 November

We exchange e-mails with clients, business partners, colleagues, and friends. Because of this, a lot of data is going back and forth. This creates the risk of personal data being sent to the wrong recipients. All it takes is one unfocused moment and a single click. Unfortunately, this is simply classified as a security breach because it concerns personal data. Here is what your organisation should know when it comes to personal data and e-mails.

Most security breaches happen through outgoing e-mails

On average, we send and receive more than 100 e-mails per day, both private and work-related. Some of these e-mails contain personal data, and a single human error with one of them is enough to cause a security breach.

The greatest risk with outgoing e-mails is accidentally sending personal data to the wrong person, which results in a security breach. With incoming e-mails, the greatest risk is failing to remove old e-mails that contain personal data on a regular basis, a practice also known as data minimisation.

But what exactly is a security breach when it comes to the GDPR? Simply put, when someone who should not have access to another person's personal data gets access to it, that is considered a security breach under the GDPR. For example, if you accidentally click 'reply all' instead of responding only to the sender, you are sending personal data to the unintended recipients as well.

Other situations include: 

  • Attaching the wrong files to the e-mail

  • A typing error when entering the recipient's address

  • Picking the wrong person from your contacts because of similar names

Knowing how organisations most often break the GDPR can help you avoid making the same mistakes.

If we break this down, we realise that these things happen when we act too quickly and stop paying attention. We all make these kinds of mistakes at some point; we cannot expect people to be 100% aware all the time. Still, the risk can be greatly reduced if we slow down and pay extra attention before we press 'send'.

Take our free course on e-mails and personal data to find out whether you, and the rest of your team, know how to treat personal data when sending and receiving e-mails.


Delayed sending and data minimisation

Generally, it is wise to remind your team to go over the e-mail text and the recipients one more time before pressing 'send'. For instance, we can all ask ourselves the following questions:

  • Did I perform a security check?

  • Am I sending the e-mail to the right person?

  • Does the email contain personal data?

  • Should I share the information with all the recipients?

  • Did I attach the right files?

Additionally, you can get your e-mail service to delay sending for you. This means that before the e-mail actually leaves, you have a window of a few seconds in which you can still cancel it. This gives you a chance to stop an e-mail that would otherwise have caused a security breach. It may sound odd, but it really helps: it is often the moment right after pressing send that you think, "Oh, did I attach the right file?". With delayed sending you can stop the e-mail, check it, and press send again. If your mail client or server can be configured for delayed sending, let your team know that they can ask a colleague or the people responsible for IT for help setting it up.
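The checklist above can also be turned into an automatic pre-send check that flags a draft before the delayed-send window closes. The code below is an added example, not part of the original post; the organisation's domain, the Danish CPR-number pattern used as a personal-data indicator, and the sample draft are all constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Assumptions for this example: our own mail domain, and two personal-data
# indicators (Danish CPR numbers in DDMMYY-XXXX form, and e-mail addresses).
OWN_DOMAIN = "example.org"
CPR_RE = re.compile(r"\b\d{6}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


@dataclass
class Draft:
    to: list[str]
    cc: list[str] = field(default_factory=list)
    body: str = ""
    attachments: list[str] = field(default_factory=list)
    reply_to_sender: str | None = None  # address we are replying to, if any


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def presend_check(draft: Draft) -> list[str]:
    """Return one warning per checklist question that fails; [] means nothing found."""
    warnings = []
    recipients = draft.to + draft.cc
    # "Should I share the information with all the recipients?" (reply-all)
    if draft.reply_to_sender and len(recipients) > 1:
        warnings.append(f"reply-all: {len(recipients)} recipients, not only {draft.reply_to_sender}")
    # "Am I sending the e-mail to the right person?" (domain that looks like a typo of ours)
    for r in recipients:
        d = domain(r)
        if d != OWN_DOMAIN and SequenceMatcher(None, d, OWN_DOMAIN).ratio() > 0.8:
            warnings.append(f"possible typo in recipient domain: {r}")
    # "Does the e-mail contain personal data?" (and is it leaving the organisation?)
    hits = CPR_RE.findall(draft.body) + EMAIL_RE.findall(draft.body)
    external = [r for r in recipients if domain(r) != OWN_DOMAIN]
    if hits:
        where = "to external recipients" if external else "internally"
        warnings.append(f"body contains {len(hits)} personal-data value(s) sent {where}")
    # "Did I attach the right files?" (body promises an attachment that is missing)
    if re.search(r"\battach", draft.body, re.I) and not draft.attachments:
        warnings.append("body mentions an attachment but none is attached")
    return warnings


if __name__ == "__main__":
    # Constructed sample: a reply-all with a CPR number going to a mistyped external domain.
    sample = Draft(to=["anna@example.org", "partner@exampel.org"],
                   body="Hi, please find attached the contract for Lars (CPR 010190-1234).",
                   reply_to_sender="anna@example.org")
    for w in presend_check(sample):
        print("WARNING:", w)
```

Such a check only supports the human pause the article recommends; a clean result does not prove the e-mail is safe to send.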


When you receive personal data that was not meant for you

We are not in control of what others send us by e-mail. However, we are responsible for how we deal with an e-mail that contains personal data. First, you need to inform the sender immediately that this may be a security breach. The person whose personal data was exposed needs to be informed as well. Finally, you should delete the data from your system.

Data minimisation means that you do not process personal data for longer than required. Be aware that although an old e-mail in your mailbox may feel like a mere archive item, in practice you are processing the personal data it contains as long as you can access it. It is good practice to set up guidelines for data minimisation, but if your organisation does not have them, it is best to consistently delete old e-mails that there is no reason to keep. In this way, you help to secure your own personal data and that of other people. It is also a good idea to set a reminder in your work calendar to delete old e-mails. Your inbox should not be a storage room for personal data; if you need to keep the data from an e-mail, save it somewhere more appropriate.


In this blog post, we discussed how sending personal data to the wrong person is considered a security breach under the GDPR. Delayed sending and data minimisation are possible safeguards, but it is always better to have the awareness from the start. Finally, if you have received personal data that was not meant for you, you should delete the e-mail and inform both the sender and the person whose data was leaked.

It is important that your employees know what to be aware of when sending e-mails. To make staff members aware while reducing your biggest security risk, we at CyberPilot offer training in the safe handling of personal data.