The Right Tools for the Job
Following a number of significant data breaches, the ICO has updated their guidance to discourage the use of BCC where possible, and instead to promote the use of appropriate email management systems, and processes which guarantee the separation of recipient data, such as using mail-merge features in the Microsoft Office suite.
https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/email-and-security/
The ICO guidance was updated after breaches involving:
- NHS Highland - https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/03/ico-calls-for-highest-standards-in-hiv-services-after-nhs-highland-reprimand/
- Northern Ireland Patient and Client Council - https://ico.org.uk/action-weve-taken/enforcement/the-patient-and-client-council/
- Northern Ireland Executive Office - https://ico.org.uk/action-weve-taken/enforcement/executive-office/
- The Ministry of Defence - https://ico.org.uk/action-weve-taken/enforcement/ministry-of-defence-1/
If you are using an appropriate bulk email management system, either as a standalone platform, or connected to a CRM platform, you should find it easy to avoid the BCC risks.
If you are a smaller organisation, working with manually updated mailing lists on spreadsheets or other documents, you can find many tutorials online to help you use the mail-merge functions that are available in Microsoft Office or Google Docs: