Email and GDPR – Can you check emails of company employees?
End users (in this case employees) and IT support departments often see corporate email as one of their major professional challenges. To end users, the volume of email processed every day is a time sink that eats into their productivity; to IT departments, it is a necessary evil with the potential to become a major threat to corporate security. Checking company emails is therefore a challenge in itself.
The need for an effective email monitoring strategy is now essentially taken as a given. However, both ethics and law (e.g. GDPR) require that this monitoring be conducted in a way that the corporate need for security is balanced with the individual employee’s right to privacy.
So, can you just check your employees’ inboxes and outboxes?
Checking Emails – The importance of data protection impact assessments
A data protection impact assessment (DPIA) should be carried out before the implementation of any email monitoring programme.
Ideally, DPIAs should be repeated at regular intervals to ensure that the monitoring system remains fair and proportionate (and therefore legal). It is highly recommended to undertake a new DPIA before making any change to an existing email monitoring programme, and certainly before any significant one.
The purpose of the DPIA is to answer four key questions.
What is the purpose of checking company emails?
These days it is nowhere near good enough just to reply “to keep the company safe”.
You need to be specific not only about the threats against which it will offer protection, but also about why email monitoring is an appropriate and proportionate response to those threats.
Is monitoring emails legally and ethically justified?
This question essentially leads on from the previous one. If you can show that email monitoring is a reasonable approach to countering valid threats, then you have a clear justification for it both in ethics and in law. If you do not, then you need to rethink your approach.
Will you cause an adverse impact to employees if you check emails?
Security is essentially the opposite of convenience. Any email monitoring programme is almost certainly going to cause some level of adverse impact to employees, for example by slowing down the sending and delivery of mail.
The key point, however, is that the adverse impact should be proportionate to the gains. Additionally, it should be mitigated wherever possible, which may take some lateral thinking.
For example, if you currently ask employees to send “self-certification” forms after illness by email, switch to an online form instead. Those communications are then excluded from any monitoring, offering employees a greater degree of privacy for what may be very personal matters.
Before you check emails – What are the options for achieving the same aim?
In the case of email monitoring, the answer may well be that there are none, but it’s a good idea to ask the question anyway just in case.
It’s also worth noting that new IT security solutions are being developed all the time, so an alternative option may become available at some point in the future. That is another argument for undertaking DPIAs on a regular basis.