We’ve all been there. With one click of the “send” button, the dread can wash over you sooner than you can say “recall”. This was the case for an intern at US TV production company, HBO Max, who earlier this month sent an internal test email to just a couple of million of their mailing list subscribers. HBO tweeted a light-hearted apology to their followers which, in an unusual turn for Twitter, resulted in a fairly supportive and encouraging thread of comments from those who had made a similar gaffe.
One user posted that she had created a diagram of her colleagues matched to the character from The Muppets whom they reminded her of most. This was, of course, intended only for a friend’s viewing so you can imagine her horror when she actually sent it round her colleagues, Bert and Ernie included.
Another female employee had inadvertently shared her private calendar of that monthly event with her entire company, whilst a legal intern admitted to submitting a paper to the court which referred to “the panties” instead of “the parties” throughout.
Luckily for these employees their mistakes were pretty minor, if a little humiliating. But what happens when someone’s email error can’t just be laughed off? For example, had the HBO intern exposed the email addresses of all recipients to one another (say, by putting the whole list in the To or Cc field rather than Bcc), the company would have had a significant data protection issue on its hands. Under the UK GDPR, a personal data breach has to be notified to the ICO when it is likely to result in a risk to individuals' rights and freedoms (Article 33(1), UK GDPR and section 67(1), Data Protection Act 2018 (DPA)), and further has to be notified to the affected data subjects when it is likely to result in a high risk to their rights and freedoms (Article 34(1), UK GDPR). In both cases, the responsibility to report the breach falls on the data controller. A reportable breach could lead to financial liability if the ICO imposes a penalty in respect of it, or to reputational damage if the data subjects express their dissatisfaction in a public way.
For the individual concerned, serious breaches could result in disciplinary action up to and including dismissal, particularly where a joke that was intended to be private gets into the wrong hands and could objectively be viewed as discriminatory or otherwise offensive. Employers should have clear policies on the appropriate use of their IT systems which make employees aware of the potential consequences of non-compliance. If the employer considers data breaches to be a serious disciplinary offence, the policy should say so. However, in most cases, the employee’s mortification will likely be punishment enough.