Email and GDPR: can you check your employees’ emails?
End users (in this case employees) and IT departments often see corporate email as being one of their major professional challenges, albeit for very different reasons. To end-users, the volume of email processed each and every day is often a time sink that can gobble away at their productivity, whereas to IT departments, it is essentially a necessary evil that has the potential to be a major threat to corporate security.
The need for an effective email monitoring strategy is now essentially taken as a given, both practically and legally. However, both ethics and law (e.g. GDPR) require that this monitoring be conducted in a way that balances the corporate need for security with the individual employee’s right to privacy.
So, can you just check your employees’ in- and outboxes?
The importance of data protection impact assessments
A data protection impact assessment (DPIA) should be carried out before the implementation of any email monitoring programme.
Ideally, DPIAs should be carried out at regular intervals to ensure that the monitoring system remains fair and proportionate (and therefore legal), and it is highly recommended to undertake a new DPIA prior to making any changes to an existing email monitoring programme (certainly any significant ones).
The purpose of the DPIA is to answer four key questions.
What is the purpose of the monitoring?
These days it is nowhere near good enough just to reply “to keep the company safe”.
You need to be specific not only about the threats against which it will offer protection but also about the reason why email monitoring is an appropriate and proportional response to those threats.
Is the monitoring legally and ethically justified?
This question essentially leads on from the previous one. If you can show that email monitoring is a reasonable approach to countering valid threats, then you have a clear justification for it both in ethics and in law. If you do not, then you need to rethink your approach.
Does it cause an adverse impact to employees?
Given that security is essentially the opposite of convenience, any email monitoring programme is almost certainly going to cause some level of adverse impact to employees, for example by slowing down the sending and delivery of mail.
The key point, however, is that the adverse impact should be proportionate to the gains made and should be mitigated wherever possible, which may take a bit of lateral thinking.
For example, if you currently use email to send “self-certification” forms after illness, then you may wish to switch to using an online form instead so that these communications are excluded from any monitoring and so that employees are offered a greater degree of privacy for what may be very personal matters.
Are there other, less intrusive, options for achieving the same aim?
In the case of email monitoring, the answer to this question may well be no, but it’s a good idea to ask it anyway just in case.
It’s also worth noting that new IT-security solutions are being developed all the time, so you may find an alternative option at some point in the future, which is another argument for undertaking DPIAs on a regular basis.