Email and GDPR: can you check your employees’ emails?

GDPR and Accessing Employee Emails – 4 Key Questions

Is a work email address personal data?

The ICO is quite clear when it comes to answering the question of whether work email addresses are personal data: if the email address contains the name of the person, it is personal data. ICO details on the use of company email addresses and personal data can be seen here.

End users (in this case employees) and IT support departments often see business email as one of their major professional challenges. To end users, the volume of email processed every day is a time sink that erodes their productivity; to IT departments, it is a necessary evil with the potential to be a major threat to corporate security. Checking business emails is therefore a challenge in its own right.

Email Monitoring

The need for an effective email monitoring strategy is now essentially taken as a given. However, both ethics and law (e.g. GDPR) require that this monitoring be conducted in a way that balances the corporate need for security with the individual employee’s right to privacy. Employers relying on consent as their grounds for processing employee data are living dangerously in light of the GDPR.

So, can you just check your employees’ inboxes and outboxes? First we need to explain the Data Protection Impact Assessment and the role of the data protection officer, which gives us the four main questions to ask.

Data Protection Impact Assessment

Checking Emails – The importance of the data protection impact assessment

A data protection impact assessment (DPIA) should be carried out before the implementation of any email monitoring programme. What is a DPIA? According to the ICO, a Data Protection Impact Assessment (DPIA) is a process to help you identify and minimise the data protection risks of a project. Switching on email monitoring with today’s software may be more straightforward than it was a few years ago, but it still falls under the remit of a data protection risk.

Ideally, DPIAs should be carried out at regular intervals to ensure that the monitoring system remains fair and proportionate (and therefore legal). It is highly recommended to undertake a new DPIA before making any change to an existing email monitoring programme, certainly any significant one. Remember too that emails come into your business from other business addresses, so any change to configuration, storage or monitoring needs to consider the personal data of those external parties in business-to-business communication.

The ICO provides a DPIA template which can be downloaded from their site: https://ico.org.uk/media/2258461/dpia-template-v04-post-comms-review-20180308.pdf

Data Protection Officer – Role of the DPO

Who should be overseeing this assessment? Each private company now has to have an assigned Data Protection Officer. The role of the DPO has five key responsibilities, one of which is to provide appropriate and timely advice on data protection impact assessments. The role of the DPO is explained in more depth in GDPR – role of the Data Protection Officer.

GDPR and Cyber Security Of Emails

Protecting the company’s email accounts and communications from unauthorised access, loss and compromise is a key component of GDPR compliance. Although on the surface this may not look as if it has anything to do with whether you can view your employees’ emails, failing to ensure that their email is fully protected could result in a data breach affecting third parties. Using cloud email services such as Gmail often involves third-party apps, which can lead to email security breaches. Understanding your business’s email use, configuration and backup processes helps to mitigate malware and ransomware.

Four Key Questions To Ask About Monitoring Company Emails

The purpose of the DPIA is to answer four key questions.

1. What is the purpose of checking company emails?

These days it is nowhere near good enough simply to reply “to keep the company safe”.

You need to be specific not only about the threats against which monitoring will offer protection, but also about why email monitoring is an appropriate and proportionate response to those threats.

2. Is monitoring emails legally and ethically justified?

This question follows on from the previous one. If you can show that email monitoring is a reasonable approach to countering valid threats, then you have a clear justification for it in both ethics and law. If you cannot, then you need to rethink your approach.

3. Will you cause an adverse impact to employees if you check emails?

Security is essentially the opposite of convenience. Any email monitoring programme is almost certain to cause some level of adverse impact to employees, for example by slowing down the sending and delivery of mail.

The key point, however, is that the adverse impact should be proportionate to the gains. Additionally, it should be mitigated wherever possible, which may take some lateral thinking.

For example, if you currently send “self-certification” forms after illness by email, switch to using an online form instead. Those communications are then excluded from any monitoring, offering employees a greater degree of privacy for what may be very personal matters.

4. Before you check emails – What are the options for achieving the same aim?

In the case of email monitoring, the answer to this question may well be that there are none, but it is a good idea to ask it anyway just in case.

It is also worth noting that new IT security solutions are being developed all the time, so you may find an alternative option at some point in the future. This is another argument for undertaking DPIAs on a regular basis.

In Summary

Under GDPR legislation you cannot just switch on monitoring of employee emails. Due process has to be followed through the use of a DPIA.