Email and the Law

Even Big Names Can Botch GDPR – Spectacularly

You'd think a department holding data on 28 million children would treat it like gold dust. Instead, the Department of Education (DfE) handed access to a company that then used it for online gambling. Yes, really.

According to the ICO, between 2018 and 2020, one company with no legitimate reason to access the Learning Records Service (LRS) database somehow got its hands on it. This database contains names, birth dates, genders, email addresses and educational achievements of UK children aged 14 and up.

What's worse? The LRS database was made available to over 12,600 organisations. When the ICO stepped in, the DfE promptly removed access from 2,600 of them – around 20%. That's one in five who arguably shouldn't have had access in the first place.

The kicker? The DfE escaped a multi-million pound fine on a technicality – because the fine would've just gone from one department to another.

What's this got to do with email marketing? Quite a bit, actually.

If a massive government body can fail to audit who has access to sensitive data, what hope do the rest of us, in email marketing, have? Fortunately, we don't need to audit 12,000 partners – we just need to ensure our systems, partners and sign-up processes are watertight.

The Sheriff

Let's break it down.

  • Data minimisation matters. If you're collecting data you don't absolutely need, ask yourself why. The DfE didn't need email addresses or nationality fields – and look where that got them.
  • Third-party access is a risk. Whether it's a freelancer, agency, or platform, make sure anyone handling your mailing lists has the right permissions and GDPR training.
  • Audit your access. If the DfE had done that, they wouldn't have been humiliated by the ICO – and we wouldn't be writing about them.

The ICO's quote is damning:

"By granting LRS database access to [the company], the DfE failed in its obligations to use and share children's data fairly, lawfully and transparently."

Swap "children's data" with "subscribers' data" and you've got a GDPR case study ready to be pinned to your office wall.

Two key lessons for email marketers

  1. Review your processes – regularly. It's not enough to be GDPR-compliant once. If you're using legacy tools or haven't reviewed who has access in months (or years), you're overdue.
  2. You won't get the government treatment. The ICO won't wave off a £10k fine just because you're not a government department. They expect you to get it right.

Yes, one mistake out of 12,600 organisations sounds like a fluke. But the moment you become complacent, you make yourself a target – and GDPR doesn't do sympathy.

So, review those systems. Audit those access logs. Because "we didn't realise" is about as effective a defence as "the dog ate my privacy policy".

WizBot
