Applying GDPR to Email - Important Information for Business Compliance
Author: JETenterprises UK Limited | Published: 1st May 2018 17:37
Applying GDPR to Email - What you need to think about before you press Send!
The new GDPR (General Data Protection Regulation) comes into force on 25th May 2018. We have previously covered general preparation (see our earlier article), but this post focuses on the ubiquitous email and what you need to think about to make sure you’re compliant.
Know Who You’re Emailing
We’ve all done it – hit Send and then realised that the Dave Smith your email system sent it to isn’t the one you *meant* to send it to. Whilst this is often just annoying, it can put you in breach of the GDPR if that email contains personal data. We often have a footer at the end of emails referencing “if you are not the intended recipient….”; however, the issue you will have under GDPR is that you are unlikely to be able to demonstrate that the ‘wrong’ individual has deleted the email and has not used any of the information contained within it.
So, if your email software does autofill / autocorrect when you’re typing in addresses, just take a moment to double check that it has, in fact, selected the one you want.
There are also various third-party add-ins that can help you to get it right.
Sharing Email Addresses Inadvertently
Another potential breach comes when you are emailing a group of people. Whilst we often just put all the addresses in the To line or the CC line, you do need to think about whether all of those individuals have consented to having their email addresses shared. This most often arises if you are emailing a number of people at different companies about an event or promotion etc. Unless you are sending to a pre-existing group (such as a project team) you should use BCC (Blind Carbon Copy) so that recipients cannot see the email addresses for others.
To CC or not to CC
Judging by most of our inboxes, it is fairly common practice to CC lots of people into a lot of our emails. Apart from generally not sending people emails they really don’t need, if the email contains personal data then you need to consider who *really* needs to see that information. Look at the people you have copied in and ask yourself why each individual needs to see this email. If there is no good reason, remove them.
Think also about what happens if an individual invokes their right to be forgotten (providing that request is applicable): if you have sent personal data to lots of people, it becomes almost impossible to ensure that it is all removed.
Corporate Email Systems
Email Security Policy
Have an email security policy and ensure that all staff have read and *understood* it. This is your opportunity to set out your rules with regard to email, privacy expectations and dos and don’ts. No-one can say ‘I didn’t know’ if it is all set out at the beginning. Whilst it feels like we now have policies for everything including the kitchen sink, they do serve a valuable purpose in clearly documenting the company rules. You should ensure that all staff have to sign to acknowledge they have read and understood the policy.
We all recognise the icon for email as an envelope – however this is misleading. In reality, it should be a postcard as that is how open email can be. Antivirus software and firewalls don’t protect email in transit. If you want your email to be protected in transit – to be GDPR-compliant – the appropriate technical measure is email encryption.
Encryption can be done easily and without fuss. There are a number of solutions available depending on your organisation size, technology in use and the level of encryption you require.
Email Retention and Archiving
One major prerequisite for compliance with the GDPR is to maintain orderliness and transparency when handling personal data. That includes everything from data collection to storage, access, and processing to deletion/erasure of the data.
Email archiving is a crucial element of any data governance policy. Professional email archiving makes it significantly easier to carry out data governance at a company. Without using a professional email archiving solution, many companies have little control of where and how email is used and accessed. It is often unclear where email is stored, whether additional local copies exist, and whether email records are complete.
There are a number of solutions available – depending on your existing technology, size of organisation etc. Talk to us about your needs and we can help you determine your way forward.
Moving from Internal Email to Secure Chat
Corporate chat is a solution on the rise. Corporate chat also has the advantage that sent messages and files can be easily edited and removed.
With corporate chat, communication takes place in chat channels. A channel can be public, private, or 1-on-1. A channel has a name that describes the theme for matters to be discussed in the channel. This means that information and discussions end up in the right place, compared to email where everything, no matter what topic, ends up at the top of the receiver’s inbox.
This may be a good solution for mid to large companies. Again there are a few solutions out there – we can help you find the best one for your organisation.
Email Marketing
The effect of GDPR on email marketing has probably had the most attention, with lots of ‘is this the end of email marketing?’ articles. However, you just need to take some simple steps to ensure that your campaigns are compliant with the requirements of GDPR.
If you contact people (business or consumer) with a newsletter, promotions or any other type of marketing email, you must now ensure that you have a positive opt-in. Inaction is no longer accepted as consent.
Fixing this is straightforward: make sure your signup form does not have a pre-checked box for “sign me up”; the user must intentionally click to say yes. It is also advisable to have a ‘double opt-in’. This takes the form of a follow-up email asking the user to confirm their subscription – again, we’re asking the user to positively give consent. You must, of course, make sure that if they do not confirm the email, they are not added to the list.
Another element of this is that you cannot make subscribing a requirement if you are offering a downloadable PDF or similar. There can be an option to subscribe but it cannot prevent users from downloading what you have offered.
As you need to prove explicit consent under GDPR, it may be prudent to ask your subscribers to re-opt-in to your marketing list. This will ensure that you have a record of them specifically giving permission. If you use a third-party solution such as MailChimp, it will record the date and time of the opt-in as well as where it originated from. A simple form sent by email will achieve this.
Ease of Unsubscribing
Another key condition is that it should be really easy for anyone to unsubscribe from your list. Every marketing email you send out should include an unsubscribe link. All the user should need to provide to be unsubscribed is their email address; they shouldn’t need to jump through hoops to achieve this.
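To show how the double opt-in, the consent record and the one-step unsubscribe fit together, here is a small added example (not from the original article or any particular mailing product). It assumes the confirmation token is delivered to the user by email outside this code, and the class and method names are illustrative.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Subscriber:
    email: str
    source: str                 # where the opt-in originated, e.g. "web form"
    requested_at: datetime
    token: str
    confirmed_at: Optional[datetime] = None  # None = no positive consent yet

class MarketingList:
    """Double opt-in list: nobody is on the list until they confirm."""
    def __init__(self):
        self._pending = {}   # token -> Subscriber awaiting confirmation
        self._members = {}   # normalised email -> confirmed Subscriber

    def request_signup(self, email, source, opt_in_checked):
        # The user must have ticked the box themselves; a pre-checked
        # box or no action is not consent, so nothing is recorded.
        if not opt_in_checked:
            raise ValueError("no positive opt-in: not adding to list")
        token = secrets.token_urlsafe(32)  # unguessable confirmation token
        sub = Subscriber(email.strip().lower(), source,
                         datetime.now(timezone.utc), token)
        self._pending[token] = sub
        return token  # assumed to be emailed to the user as a confirm link

    def confirm(self, token):
        # Only a valid, unused token moves someone onto the list.
        sub = self._pending.pop(token, None)
        if sub is None:
            return False
        sub.confirmed_at = datetime.now(timezone.utc)
        self._members[sub.email] = sub
        return True

    def unsubscribe(self, email):
        # The email address alone is enough to leave the list.
        return self._members.pop(email.strip().lower(), None) is not None

    def is_subscribed(self, email):
        return email.strip().lower() in self._members

    def consent_record(self, email):
        # Evidence of when and where consent was given, for audit.
        sub = self._members.get(email.strip().lower())
        if sub is None:
            return None
        return {"email": sub.email, "source": sub.source,
                "requested_at": sub.requested_at.isoformat(),
                "confirmed_at": sub.confirmed_at.isoformat()}
```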
Email Tracking
A number of systems use email tracking – this not only confirms delivery and read receipt, but often also includes information on whether the email was opened and who it has been forwarded to. Under GDPR this is not going to be acceptable, as it is a form of ‘hidden’ personal data gathering. You would have to have consent, not only from the original recipient, but from everyone they forward it on to.
A standard read receipt, that the recipient can choose to respond to or not, is fine as the recipient still has control.
So, more to think about on your journey to GDPR compliance. As always, please get in touch if you would like to discuss solutions to meet your specific needs.
Please contact us on 0800 242 54 24 or by email at email@example.com
Article by JETenterprises UK Limited
For more information on their IT consultancy and services, please see their website: JETenterprises UK Limited