A distribution list is a feature of email client programs (e.g. MS Outlook) that allows users to maintain a list of email addresses or send messages to everyone in their address book all at once.
Whilst they may save a lot of time and effort, they are a regulatory accident waiting to happen. When they go horribly wrong, it can mean fines and the kind of PR disaster that sees customers leaving in droves.
When email distribution lists go wrong
Disclosing confidential information
A Royal Navy officer at the US Pentagon added a UK-based schoolgirl to a distribution list in error. Diligently she pointed out the mistake to no avail. For six months she received highly confidential military information.
Mistyping the address caused the error, which is easily done. But the unforgivable mistake was ignoring the response from the recipient. The lessons are two-fold: be careful typing, and don't send emails if you have no intention of reading the replies.
When two holidaymakers complained to Spirit Airlines about their flight delay, they were underwhelmed by $200 of compensation. Their email was forwarded to the CEO, who hit 'Reply All' before sending a response:
"Please respond, Pasquale, but we owe him nothing as far as I'm concerned. Let him tell the world how bad we are. He's never flown us before anyway and will be back when we save him a penny."
Luckily for the company, this happened before social media became endemic. Imagine the Twitter storm had the same thing happened today.
Back in 2015, an unfortunate employee of Reuters accidentally emailed 33,000 of his colleagues. Having realised the mistake, he then compounded it by trying to recall the message. If you are going to make such a blunder, doing it at a news organisation is fatal.
Reuters employees took to Twitter with the hashtag #ReutersReplyAllGate. This approach brought humour to the situation (let's hope it saved the poor soul) and, in a way, did the world a favour by highlighting the risk.
Bringing NHS communications to a halt
You'd think that people would learn from Reuters? Not necessarily.
In 2016, the NHS secure email system crashed after an IT contractor accidentally sent an email to everyone on NHS England's distribution list, around 1.2 million people.
Some recipients then hit the 'Reply to All' button to complain. Worse still, they were requesting 'Read Receipts'. As a result, 186 million emails were sent, bringing communications to a standstill.
Alarmingly, the same email service was used for sharing patient-identifiable and sensitive information.
Top tips for using email distribution lists
1. Question whether a distribution list is appropriate
If you are sending a message regularly, or to a large audience, maybe a distribution list is not the right method of sending?
Email automation software may be cheap or even free to use. By using it, you can avoid the usual logistical and compliance headaches of managing email distribution lists.
If your colleagues may also be contacting the same people, it is a 'no-brainer'.
It is worth having your DPO create an email distribution list policy and communicating it to your staff. By giving them training and guidance you can ensure that messages are efficient and compliant.
2. Check who's on the distribution list before hitting send
Sending emails to all recipients is only efficient if they all need to read what the emails contain. There is a name for those sending frequent, irrelevant or unwanted emails: spammers!
3. Promptly action removal requests
Often staff feel that 'GDPR compliance is marketing's problem'. It's not. It is everyone's responsibility, and the regulator will be unmoved by your staff stating 'I don't use the database'.
4. Regularly clean up distribution lists by purging names
Keeping email lists clean is essential, especially when sending information outside of your own organisation.
If you do not, you may keep defunct addresses in your list. Regularly emailing those who have left a company may result in you being blacklisted.
Often blacklists relate to the domain of a sender, meaning all your colleagues get blocked too. Many companies use blacklisting software, and if the list is shared your emails may be blocked across all those using the same software!
5. Prioritise security & confidentiality
The wider you share information, the more likely it will be seen by those not authorised to see it. So, before sending anything via distribution lists, check document classifications first and be clear about who can see it.
6. Don't overshare
Only share information via distribution lists when there is a genuine 'need to know'. Make sure you are absolutely certain that it's relevant to all recipients.
Consider splitting larger lists and creating a 'headline' version of your message for those not needing all of the detail.
7. Write succinctly
If you're writing for a bigger audience, you'll need to do so succinctly, avoiding jargon and colloquialisms so your message is easily understood.
Clarity is particularly important in situations where recipients speak English as a second language.
8. Think before you use file attachments
Not only do they make the size of your message balloon, but if they are sent externally, security software may either remove them or, worse, just block your message.
Where possible, use links or non-editable files (e.g. PDFs). If you use cloud-hosted files, make sure that you only share with named recipients and, if you can, password-protect the files.
9. Avoid requesting read receipts when sending mass emails
As well as causing unnecessarily high volumes of traffic on your network, they come across as passive-aggressive. Ironically, recipients can choose not to confirm they've read your message anyway, so is there any point?
10. Beware 'Reply All' and 'Recall Message'
Sometimes replying to everyone makes sense. If you have a small distribution list, recipients may like to comment. But as the examples above showed, on larger lists, it may create a car crash that goes out of control.
If you accidentally share information you shouldn't, 'Recall Message' is a sensible damage limitation technique. Equally, if your list is small and there is a mistake, then recall may be fine too. But if you have a very large list, be brave and send a short follow-up message to correct the error.