When does a company need an email policy?

View as Markdown
3 mins read • Legal Writer • GDPR • 21 August 2025
  1. Handling misdirected emails
  2. Incident reporting for misdirected emails – step by step
  3. Equip staff with the right procedures when sending personal data by email

An email policy is recommended to minimise the risk of mishandling personal data in email. If your organisation regularly processes personal data, particularly special category data, it should have a written policy governing how email may be used. The policy should also clarify roles and responsibilities, and how incidents are handled.

An email policy is an internal document and an important part of data protection compliance under the GDPR. It supports adherence to requirements in, for example, Articles 5 and 32 GDPR, where security and integrity are emphasised. All employees should therefore understand and follow the policy in their day-to-day work.

Handling misdirected emails

A common personal data breach is a misdirected email containing personal data. It is important to act quickly to limit harm and to document the incident correctly. If personal data reaches unauthorised recipients, this may constitute a personal data breach within the meaning of Article 33 GDPR.

  • Contact the recipient: Ask the recipient to delete the email immediately.
  • Record the event: Note what data was sent and to what type of recipient.
  • Assess the risk: Evaluate whether the incident needs to be reported to the Data Protection Agency.
  • Inform the data subject: Consider whether the incident needs to be communicated to the affected individual under Article 34 GDPR.

Clear procedures make incidents easier to manage. They also strengthen your compliance and demonstrate that you take data protection seriously. We recommend reviewing and updating these procedures regularly so they are tailored to your operations.

Incident reporting for misdirected emails – step by step

If a personal data breach occurs, it is crucial to report and document the event promptly. Incident reporting should ensure that you meet your obligations under Article 33 GDPR and can demonstrate accountability. A process for handling personal data breaches reduces the risk of delay.

  • Identify the incident: Make sure all employees know how to recognise an incident.
  • Report internally: Employees must report without delay to the Data Protection Officer, another data protection lead or the responsible manager.
  • Assess severity: Perform an initial risk analysis to determine whether the Data Protection Agency must be informed.
  • Document: Retain all information on what occurred, what measures were taken and lessons learned for the future.

Effective incident reporting provides assurance both internally and externally. It shows that the company controls its processes and works proactively. We recommend providing ongoing staff training on how reporting should be carried out.

Equip staff with the right procedures when sending personal data by email

To reduce the risk of errors, staff need clear instructions on how personal data should be handled in email. This includes both technical and organisational measures, such as encryption and correct use of address fields.

At Morling Consulting, we help you develop an email policy that meets GDPR requirements and strengthens your data protection work. Our GDPR lawyers can also assist with procedures for incident reporting and general GDPR compliance. Our experience with the GDPR enables us to tailor solutions to your business. Do not hesitate to contact us if you would like support implementing or improving your internal processes.

Material Design illustration showing three legal professionals in front of an AI chip, playground and surveillance symbols, representing IMY’s focus areas public AI, children’s privacy and law enforcement.

5 February 2026

IMY’s priorities for 2026 – what do they mean for your organisation?
Read more
Illustration of a startup GDPR compliance briefing, with team members reviewing a security checklist and data protection policy on a screen.

4 February 2026

GDPR in your start-up – how to build assurance and compliance
Read more
Anonymous lawyer in a suit presses a digital whistleblowing button inside a protective sphere, symbolising secure whistleblowing systems, employee privacy and internal controls under the AMLR.

3 February 2026

AMLR Articles 13–15: employee integrity, whistleblowing and internal control
Read more