GDPR Insights: E-mail Compliance
Watch who you send e-mails to!
Have you ever accidentally sent an e-mail to the wrong person? It’s easily done, especially if you have a few similar names in your address book and don’t notice when AutoComplete picks the wrong one. At best, it’s just a little embarrassing requesting an e-mail recall or asking the recipient to delete it, but if the e-mail contained sensitive corporate or personal customer data, you could be dealing with a damaging data breach.
The ICO reported a 46% increase in the number of reported data breach incidents caused by incorrectly addressed e-mails between April and June 2017, whilst market research found that 46% of people surveyed had received information intended for somebody else.
The impact of GDPR on e-mail
GDPR changes organisations’ obligations when handling, processing, sharing and retaining data, and, significantly, any breach that puts sensitive data at risk must be reported to the ICO within 72 hours if an individual’s rights and freedoms may have been compromised.
E-mail remains the most popular business communication tool with an estimated 281 billion e-mails sent every day between 3.8 billion users, and data is often most vulnerable at the point it is being shared. Every organisation that sends personal data by e-mail needs to consider what measures are needed to ensure compliance with the GDPR, particularly around the following GDPR articles:
Article 15 – Right of access by the data subject
Article 17 – Right to erasure (‘right to be forgotten’)
Article 18 – Right to restriction of processing
Article 19 – Notification obligation regarding rectification, restriction or erasure
Article 32 – Security of processing
Article 33 – Notification of a personal data breach to the supervisory authority
Article 34 – Communication of a personal data breach to the data subject
Organisations also need to consider which tools might be required to control data after it has been shared, to understand where data is held, and to see how data has been accessed at any time.
Prevention is always the best policy
GDPR requires appropriate organisational and technical measures to be implemented in order to protect data. Businesses will need to demonstrate that they have the necessary technology and training in place to protect shared information.
E-mail encryption is recommended by the ICO as one of the methods that should be used to prevent a data breach, but encryption should be applied automatically to personal data so that human error doesn’t leave data unprotected.
Retain control of data at all times
Under GDPR, individuals can request restrictions around how their data is processed, and can also request that their data is deleted. In addition, organisations are obligated to ensure all third parties they have shared applicable data with also comply with these requests.
In order to comply with these requirements, organisations will need to restrict access and processing, such as downloading and copying, whilst retaining control over data even after it has been shared. In addition, access to shared data may need to be revoked in the future.
Auditing and Tracking data across e-mails
Under GDPR, organisations must notify the ICO of a data breach within 72 hours if an individual’s rights and freedoms have been compromised. Details of the cause, scale and anticipated impact must be provided.
Individuals will be able to investigate how their data is being handled and processed, and will be able to make a subject access request to find out what personal information an organisation holds about them. In addition, they will be able to find out whether any personal data is being processed, and whether it has been shared with other organisations.
Businesses will need to be able to meet reporting obligations and requests promptly and efficiently. This could be challenging where personal data has been shared with third parties and resides within e-mails.
GDPR presents an opportunity for organisations not only to handle personal data responsibly and securely, but also to recognise that the measures taken to protect personal data can also be applied to corporate data, such as intellectual property, financial reports, contracts and business strategy documents. Data can be leaked intentionally as well as accidentally, and recent research showed that 20% of people have intentionally shared their organisation’s sensitive data with a range of recipients, including competitors, future and previous employers, friends, family and the press.
Fortunately, there are secure e-mail solutions that can ensure every e-mail reaches only the intended recipient, that personal data is always encrypted, and that control of personal data is retained even when it is shared with third parties; they can also provide full tracking and auditing capabilities that enable the generation of exportable compliance reports.
Speak to J2 Technology today about e-mail security and how it can help with GDPR.