The purpose of the DPIA is to answer four key questions.
1. What is the purpose of checking company emails?
These days it is nowhere near good enough just to reply “to keep the company safe”.
You need to be specific not only about the threats against which monitoring will offer protection (for example phishing, malicious attachments or the leakage of confidential data), but also about why email monitoring is an appropriate and proportionate response to those threats rather than a blanket precaution.
2. Is monitoring emails legally and ethically justified?
This question essentially leads on from the previous one. If you can show that email monitoring is a reasonable approach to countering valid threats, then you have a clear justification for it both in ethics and in law. If you do not, then you need to rethink your approach.
3. Will you cause an adverse impact to employees if you check emails?
Security tends to come at the expense of convenience and privacy. Any email monitoring programme is almost certainly going to cause some level of adverse impact to employees: at the very least, their messages are being read or scanned by a system they do not control, and in some cases the sending and delivery of mail will be slowed while it is inspected.
The key point, however, is that the adverse impact should be proportionate to the gains. Additionally, it should be mitigated wherever possible, which may take some lateral thinking.
For example, if employees currently return “self-certification” forms after illness by email, switch to an online form instead. Those communications then fall outside the monitoring altogether, giving employees a greater degree of privacy over what may be very personal matters.
4. Before you check emails – Are there other ways of achieving the same aim?
In the case of email monitoring, the answer to this question may well be no, but it’s a good idea to ask it anyway just in case.
It’s also worth noting that new IT security solutions are being developed all the time, so you may find a less intrusive alternative at some point in the future. That is another argument for undertaking DPIAs on a regular basis rather than as a one-off exercise.