The ICO has issued a warning to organisations over the use of BCC to send emails to multiple recipients, and offers some new helpful guidance. It comes against the backdrop of almost 1,000 BCC data breaches reported to the ICO (and presumably many more that were not reported).
Mihaela Jembei, ICO Director of Regulatory Cyber, said:
“Failure to use BCC correctly in emails is one of the top data breaches reported to us every year – and these breaches can cause real harm, especially where sensitive personal information is involved.
“While BCC can be a useful function, it’s not enough on its own to properly protect people’s personal information. We’re asking organisations to assess the nature of the information and the potential security risks when deciding on the best method to communicate with staff or customers. If organisations are sending any sensitive personal information electronically, they should use alternatives to BCC, such as bulk email services, mail merge, or secure data transfer services.
“This new guidance is part of our commitment to help organisations get email security right. However, where we see negligent behaviour that puts people at risk of harm, we will not hesitate to use the full suite of enforcement tools available to us.”
https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/08/ico-publishes-new-guidance-on-sending-bulk-communications-by-email/
The newly updated guidance can be found at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/ and emphasises that any use of BCC must be supported by a proper assessment of the risk (a DPIA is perfect for this), appropriate training and regular review, all underpinned by using technology in the most effective way.
If you would like some help in putting together a BCC policy and procedure for your organisation, just get in touch.