Sending Bulk Emails and the UK GDPR – The ICO Issues Guidance With Words Of Warning

Many businesses regularly send out bulk emails. For example, email promotions to multiple customers on a CRM system at one time. However, sending bulk emails come with risks. The UK ICO (the data protection regulator) has recently published new guidance on sending bulk emails and the legal rules to follow. In this article, we’ll cover the key issues for organisations to note from the guidance.

Sending Bulk Emails – The Risks

Sending emails in general is not the most secure means of communication, so caution should always be taken. Remember that an email address often contains personal data (such as names) – therefore, the UK GDPR rules will apply, and you will need to safeguard that data and keep it secure.

Although a common practice, sending bulk emails comes with several risks. Using the blind copy ‘BCC’ email function means you can send one email to multiple individuals all at one time. However, a lot of companies get this wrong and doing so can result in serious personal data breaches.

A data breach from sending bulk emails could happen to anyone.

Imagine a scenario:

• You are writing an email about your company’s latest promotion, and you want it to send it to your consumer customer list.
• You are in a rush to get out of the office, so rather than send individual emails you simply copy and paste several email addresses from your customer list and decide to send the email out in bulk to save time.
• Because you’re in such a rush, you accidentally end up clicking ‘CC’ rather than ‘BCC’ and hit send.
• As a result, this bulk email has accidentally revealed a huge number of personal email addresses and your customer list.
• Even though an innocent mistake, this would be a personal data breach which may be reportable to the UK ICO. Your business could be in trouble, and you may also find you get complaints from your loyal customers, who can see that their emails and personal data have been disclosed to others. Your questions might question how far your company takes data security seriously and lose trust in you.

Unfortunately, this type of human error happens regularly and can cause serious data breaches. In fact, the ICO has noted it has seen hundreds of personal data breach reports because of senders using the ‘BCC’ email field incorrectly.

Mihaela Jembei, the ICO Director of Regulatory Cyber, noted the importance of this issue in the ICO’s recent blog post, stating:

'Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved

'While BCC can be a useful function, it's not enough on its own to properly protect people's personal information. We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.

'This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.'

Organisations should note this warning from the ICO.

The ICO’s Guidance On Bulk Emails

It’s vital that businesses remember that rules apply when sending bulk emails and review the ICO’s guidance, available here.

The ICO has specifically set out what you ‘must’, ‘should’ and ‘could’ do when sending emails. This is helpful to pinpoint what the ICO sees as mandatory and as best practice.

Here are some key issues highlighted in the guidance:

Have Data Security Measures In Place

• Organisations must check what technical and organisational security measures are necessary when sending emails to multiple recipients. As part of this assessment, organisations should consider if mail merge services are more appropriate than using a ‘BCC’ function.

• If sending sensitive or confidential information in the email, consider extra security measures or alternatives to sending emails. The ICO clarifies that what is sensitive information depends on the context and what impact a data breach would have on individuals (e.g. financial data would be sensitive if a data breach could result in identity fraud). Sensitive information could also include special category data – see further information about this below.

Practical suggestions from the ICO include:

• Setting email rules to get alerts and warn senders when the CC field is being used.
• Setting a delay on emails to allow you to correct any errors before the emails are sent.
• Turning off the auto-complete email function, to prevent your emails system suggesting email addresses to send the email to.

When using a third-party service provider to send emails on their behalf, organisations must ensure that they follow data security requirements when sending out emails.

Train Staff

• Staff should be trained about security measures when sending emails to multiple recipients. Staff training can reduce the human error risk. Organisations should also have a data breach reporting procedure in place and encourage staff to report breaches.

The ICO suggests that staff training could cover:

• Guidance to staff on when it’s appropriate to send bulk emails.
• Best practice on secure alternatives to sending emails.
• How to recall emails which are sent in error.

In addition, the ICO notes that organisations should review their relevant policies and guidance on a regular basis.

Other Considerations

• Organisations could consider sending emails out one at a time to a small group, as opposed to sending one bulk email.

• The ICO notes that organisations should minimise the amount of personal data sent in emails. If bulk emails involve special category personal data, the organisation must consider using other secure methods e.g. mail merge or secure data transfer services.

Special category data is treated as particularly sensitive and therefore extra measures need to be put in place to protect it.

Special category data means:

• Any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
• Data concerning health or a natural person's sex life or sexual orientation.
• Genetic or biometric data processed for the purpose of uniquely identifying a natural person.

The ICO takes the security of email communications very seriously. In August 2023, the ICO reprimanded two organisations in Northern Ireland (the Patient and Client Council and the Executive Office) for the inappropriate disclosure of personal data via email.

Both reprimands resulted from breaching arising from using incorrect group email selections.

The Information Commissioner John Edwards noted the seriousness of this issue, stating

This type of data breach is all too common but is easily avoidable. Organisations must take responsibility for training their staff properly and for putting appropriate systems and policies in place to avoid such incidents.

See the ICO’s blog post about this here.

Summary

Many businesses send out bulk emails, sometimes very often. This results in a lot of data breaches. When sending out bulk emails, always remember to comply with the UK GDPR rules and ensure personal data is protected.

The ICO’s new guidance should be considered and implemented when sending out bulk emails. Following the ICO’s guidance can help organisations prevent personal data breaches and complaints from customers. Consider training staff and implementing policies around the rules for sending email communications (particularly bulk emails). Technical rules and restrictions around emails may also be extremely useful to prevent data breaches. In the worst case where data breaches occur, staff should be encouraged to report them promptly so organisations can take any necessary actions and comply with their obligations under the UK GDPR.

Please contact our team if you would like advice on the ICO’s guidance or data protection law compliance.