The GDPR Email Requirements
A search of the GDPR text for specific email requirements turns up few references to email. The GDPR does, however, require that personal data be kept safe and secure and that it be retained only for a limited period and purpose. When email is considered in the data protection domain the key focus area is usually email direct marketing, where guidance exists on obtaining consent from the data subject (the individual) and recording that consent before carrying out direct marketing. Email marketing is also governed by the ePrivacy Directive, another European privacy directive, which will eventually be replaced by a revised ePrivacy Regulation.
A “Controller” under GDPR is the organisation or company which determines the purposes of the processing of personal data, while a “Processor” carries out the processing of personal data on behalf of the “Controller”. A “Processor” can further engage “sub-processors”, and the “Controller” has visibility of and approval rights over these “sub-processors”.
The GDPR does not use the terms “customer” or “client”; the language used most consistently throughout the GDPR is “natural person” or “data subject”. “Personal data” means any information relating to an identified or identifiable natural person (“data subject”). For the purpose of this article, data subjects, end clients and customers will all be referred to as “data subjects”.
The term “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Article 4 of GDPR contains a full list of definitions.
Technical and Organisational Measures
Technical and organisational measures are a core concept of the GDPR. Article 28(1) of GDPR states: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject”. Article 28 governs the data Controller/data Processor relationship; however, the Controller equally has responsibility for implementing such measures to protect the rights of the data subject. This is relevant for email use: companies and organisations must have policies and guidelines in place to keep data safe and secure and to ensure privacy in email communications. This may include encrypting email communication and encrypting email servers, which may hold vast amounts of personal data.
Where mobile and Bring Your Own Device (BYOD) usage are in place, the organisation should have an acceptable use policy and add a layer of encryption to devices. The organisation should also have a mobile device management system enabling it to wipe devices when device loss or theft is reported by employees. Organisations should implement firewalls and intrusion detection, perform penetration testing, deliver threat recognition training for employees and implement all other data security measures possible.
Article 5(e) of GDPR states that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. This is relevant for email use because emails can contain personal data, so an email retention strategy should be included in the retention policy of companies and organisations.
Unauthorised disclosure is a major cause of data breaches and is often linked to email communications: an unauthorised recipient is sent personal data in error, or a group of data subjects is emailed with their addresses in the To or Cc field instead of the blind carbon copy (Bcc) field, exposing every address to every recipient. Companies and organisations need to develop guidance, and internal IT system alerts, for emails being sent to large groups or containing sensitive personal data, especially when the recipients are external to the company or organisation.
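One shape such an internal alert can take, written here as an added illustration rather than code from the original article: an outbound check that parses the To and Cc headers, counts the addresses every recipient will see, and flags a visible recipient list that is large or contains more than one external address (the internal domain, the threshold and the sample messages are all assumptions constructed for the example).

```python
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.org"   # assumed: the sending organisation's own domain
VISIBLE_RECIPIENT_LIMIT = 10      # assumed alert threshold for To/Cc recipients


def visible_recipients(raw_message: str) -> list:
    """Addresses exposed to every recipient, i.e. those in To and Cc (Bcc is hidden)."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def check_outbound(raw_message: str) -> dict:
    """Flag a message whose To/Cc fields disclose a large or external recipient list."""
    visible = visible_recipients(raw_message)
    external = [a for a in visible if not a.endswith("@" + INTERNAL_DOMAIN)]
    alerts = []
    if len(visible) > VISIBLE_RECIPIENT_LIMIT:
        alerts.append(f"{len(visible)} visible recipients exceed the limit of "
                      f"{VISIBLE_RECIPIENT_LIMIT}; move them to Bcc")
    if len(external) > 1:
        alerts.append(f"{len(external)} external addresses are visible to each "
                      f"other; move them to Bcc")
    return {"visible": len(visible), "external": len(external), "alerts": alerts}


# Constructed sample: several external data subjects placed in To/Cc by mistake
RISKY_MESSAGE = """From: privacy@example.org
To: alice@mail.test, bob@mail.test, carol@mail.test
Cc: dave@other.test, hr@example.org
Subject: Account update

Hello all
"""

# Constructed sample: the same mailing done correctly, recipients hidden in Bcc
SAFE_MESSAGE = """From: privacy@example.org
To: privacy@example.org
Bcc: alice@mail.test, bob@mail.test, carol@mail.test, dave@other.test
Subject: Account update

Hello all
"""

if __name__ == "__main__":
    for name, raw in (("risky", RISKY_MESSAGE), ("safe", SAFE_MESSAGE)):
        print(name, check_outbound(raw))
```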
Newsletter mailings and e-mail marketing are a fixed part of the online marketing universe. The underlying principle is that processing personal data for marketing is prohibited without the consent of the data subject: processing is only allowed under the General Data Protection Regulation (GDPR) if the data subject has consented or there is another legal basis. Another piece of EU legislation, the ePrivacy Directive, is also relevant for email marketing.
When marketing by e-mail to end user customers (data subjects), consent will typically be required, although there are some exceptions for business-to-business e-mails, where an opt-out typically applies. There is also one exception to consent for end user customers: in the context of a sale, marketing can be a legitimate interest where the company sold a similar product in the past 12 months and the end user customer was given the option to opt out but did not take it. This is called the soft opt-in. In the case of the soft opt-in, and indeed any email marketing, the customer must have the option to opt out on each subsequent communication.
The GDPR brings extra requirements around accountability and record keeping: a company or organisation must track consents and be able to demonstrate that consent was obtained in a fair and lawful manner.
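The decision rule set out in the two paragraphs above (consent, the business-to-business opt-out, the 12-month soft opt-in and the standing opt-out), together with the consent record an organisation must be able to produce, expressed as an added worked example that is not part of the original article. The data model, the 365-day approximation of "12 months" and the sample contacts are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

SOFT_OPT_IN_WINDOW = timedelta(days=365)  # assumed approximation of "the past 12 months"


@dataclass
class ConsentRecord:
    """What must be retained to demonstrate consent: when, how and for what purpose."""
    obtained_on: date
    source: str                       # e.g. "web signup form v3" (constructed value)
    purpose: str                      # e.g. "product newsletter"
    withdrawn_on: Optional[date] = None


@dataclass
class Contact:
    email: str
    is_business: bool = False
    consents: List[ConsentRecord] = field(default_factory=list)
    last_similar_sale: Optional[date] = None   # date of a sale of a similar product
    opt_out_offered_at_sale: bool = False      # was an opt-out offered at that sale?
    opted_out: bool = False                    # has the contact used any opt-out?


def marketing_basis(c: Contact, purpose: str, today: date) -> Optional[str]:
    """Return the basis on which a marketing email may be sent, or None if it may not."""
    if c.opted_out:
        return None   # an opt-out must be honoured on every subsequent communication
    for rec in c.consents:
        if rec.purpose == purpose and rec.withdrawn_on is None:
            return f"consent ({rec.source}, {rec.obtained_on.isoformat()})"
    if c.is_business:
        return "business-to-business (opt-out basis)"
    if (c.last_similar_sale is not None
            and today - c.last_similar_sale <= SOFT_OPT_IN_WINDOW
            and c.opt_out_offered_at_sale):
        return "soft opt-in (similar product sold within 12 months, opt-out not taken)"
    return None


# Constructed sample contacts
TODAY = date(2024, 6, 1)
RECENT_BUYER = Contact("a@mail.test", last_similar_sale=date(2024, 2, 1),
                       opt_out_offered_at_sale=True)
STALE_BUYER = Contact("b@mail.test", last_similar_sale=date(2023, 2, 1),
                      opt_out_offered_at_sale=True)
SUBSCRIBER = Contact("c@mail.test", consents=[ConsentRecord(
    date(2023, 9, 12), "web signup form v3", "product newsletter")])
```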
GDPR Email Requirements for Employers
Employers – or, more accurately, their HR departments – may hold much more personal data about their employees than they do about the business's customers. Therefore, should an employee's personal data be disclosed, there is a possibility the employee could suffer social, economic, legal or other harm (such as identity theft). The employer could also suffer reputational or financial harm if there were concerns about privacy and confidentiality.
To mitigate the risk of an unauthorised disclosure of personal data, employers should review what employee data they currently retain, make whatever organisational and technological changes are necessary to ensure proper data classification, data encryption and data loss prevention, and regularly revisit the data held against the organisation's data retention schedule.
Although there are no specific GDPR email requirements for employers, several tools exist to mitigate the risk of employee data being disclosed. Among the most effective are GDPR-compliant Internet content control filters that not only prevent employees from accessing websites hosting malware, but also include malicious URL detection to stop employees visiting websites constructed for the purpose of a phishing attack. Training employees to recognise a phishing attack is also critical. Apart from technical controls and employee training, an employer should put in place an employee data protection notice, an acceptable use policy and a data protection policy which sets out in detail how the company processes the personal data of both employees and data subjects in general.
Other Tools to Assist with GDPR Compliance
Although the GDPR does not mention specifics about email, as with any other personal data, appropriate technical and organisational controls must be in place. Email should be covered by the organisation's data retention policy, and training and policy guidance on email must be given to employees in the form of an acceptable use policy and an employee data protection policy.
Further to the above, with controls in place to prevent employees visiting unsafe websites and accessing internal communications without authorisation, the risk of employee personal data or company data being disclosed is substantially reduced. Implementing security tools and data protection policies also demonstrates a willingness by employers to comply with the GDPR – a factor that may be considered by a GDPR Supervisory Authority should a breach occur, and which may be reflected in any sanctions subsequently imposed.