5. A Simple Guide to Emails, Messaging, and Sharing Data Safely

Privacy Culture | August 1, 2025

How to stop everyday communication from becoming a data breach

Most data breaches do not happen because of hackers. They happen because someone sent an email to the wrong person or shared information in the wrong way. The UK GDPR does not just apply to big systems or databases; it also applies to every message that includes personal data.

If you remember nothing else, remember this: check before you click send.

1. Why everyday communication is risky

Email, messaging platforms, and file-sharing tools are quick, but they make it easy to lose control of data. A single message can include names, addresses, medical details, or opinions that can identify someone specifically. Once it is sent, you cannot always get it back.

Common examples include:

  • Sending an email to the wrong contact or group
  • Forgetting to use BCC on a bulk message
  • Forwarding an attachment with hidden personal data
  • Uploading files to unapproved platforms like free cloud storage
  • Discussing identifiable cases in a team chat

Even internal messages count as ‘processing’ under GDPR if they contain personal data. This is because sending, receiving, storing, or reading an internal message each counts as ‘processing’ of personal data.

2. Choosing the right communication tool

Different types of data require different levels of protection.

  • Public or general updates can use normal email.
  • Sensitive or confidential information should use secure file-sharing tools approved by your organisation.
  • Instant messaging or chat apps should be limited to general conversation unless specifically authorised for personal data.

Always check that the person you are sending data to has a legitimate need to see it.

3. Emailing safely

Before sending any message that includes personal data, pause and check three things:

  1. Recipient list: Make sure every name is correct and remove anyone who should not see the data.
  2. Attachments: Check for hidden information such as comments or tracked changes.
  3. Subject line: Avoid including personal information here.

Use encryption or password protection for sensitive attachments. Send the password separately.

When emailing groups, always use BCC to protect addresses. Accidentally exposing an entire mailing list is one of the most common reportable breaches to the ICO.

4. Messaging and collaboration tools

Messaging apps such as Teams, Slack, or WhatsApp make quick collaboration easy but can create risks if used casually.

  • Do not share personal data unless the chat is secure and work-related.
  • Delete or archive old chat histories regularly if not needed.
  • Avoid sharing screenshots that contain names or personal information, whether yours or anyone else’s.
  • Make sure shared drives or channels have restricted access.

If your organisation does not allow certain apps, there is usually a reason. Free consumer apps often store data overseas or use it for analytics.

5. File sharing and storage

Transferring files is one of the most common ways data escapes control.

  • Use approved company systems such as encrypted file transfer or managed cloud storage.
  • Never upload personal data to personal cloud accounts.
  • Check that shared links have expiry dates and restricted access.
  • Delete old or duplicate versions once the task is complete.

When in doubt, ask your data protection lead which tools are approved.

6. Monday morning takeaways

If you handle personal data:

  1. Double-check every recipient before sending.
  2. Use BCC for groups and secure file sharing for attachments.
  3. Avoid sharing personal data through any chat platform unless authorised.
  4. Keep conversations professional and confidential.
  5. Report mis-sent emails immediately.

If you manage a team:

  1. Provide training on safe email and messaging habits.
  2. Set clear rules on which tools can be used.
  3. Review access rights to shared drives.
  4. Encourage quick reporting of mistakes.

Quick summary

| Key point      | What it means                 | Why it matters                        |
|----------------|-------------------------------|---------------------------------------|
| Email errors   | Wrong address, missed BCC     | Most common GDPR breaches             |
| Attachments    | Hidden data or wrong file     | Easy to leak information              |
| Messaging apps | Often insecure                | Avoid personal data unless authorised |
| File sharing   | Use approved platforms        | Keeps data protected                  |
| Fast reporting | Tell your privacy lead quickly | Limits damage                        |

In plain terms

Emails and messages are convenient, but they are also where most data breaches start. Slowing down for ten seconds before sending can save hours of cleanup later. GDPR is not about stopping communication; it is about sending information safely.
