GDPR & E-MAIL, perfect match or nightmare?

Are you used to send e-mails containing personal information without reflecting about it? Are you using your e-mail system as a storage for contacts and information? Unfortunately, you can’t do that much longer. When the new EU regulation on handling and storing personal data, GDPR, will be implemented, 25/5-2018 there is a risk for companies violating the law. GetIT Nordics senior consultants have some useful advice for your organisation and are happy to share our expertise.

Legislation today and tomorrow The today’s Swedish regulation, Personuppgiftslagen (PUL), aims to safeguard people’s personal integrity by regulating how personal information are allowed to be handled. However, in PUL there are exceptions in handling and storing personal data in unstructured form, for example information transferred via e-mails. This exception will be removed when the new EU regulation GDPR comes into play. GDPR states that you are only allowed to save the data that is needed and for the period of time necessary, in accordance with legal ground for personal data handling. In addition, individuals can use their rights to be forgotten. These changes result in that your saved e-mails need to be reviewed for personal data and you will need new routines.

The problems

When it comes to be GDPR compliant there are several possible problem areas concerning common e-mail routines. I have listed the most imported below.

  • It is easy to save everything

An e-mail is far too easy to save and most often we don’t delete old e-mails. Sorting out e-mails with personal data will force you to look into a large amount of old communications stored, including back-ups, to be able to delete information you don’t have legal ground to keep.

  • Back-up problem
    • In e-mail systems it is fairly easy to remove personal data, just search for e.g. your contact’s name and phone number and remove them. But when it comes to the back-ups it gets more complicated, since you cannot delete specific e-mails from back-ups. If you create a register of what to remove after a restore, this will be considered a register of personal data.
  • Personal data about several persons in the same e-mail
    • When you have personal data about several persons in an e-mail and one of them wants to be forgotten, while you have the legal demands to save personal data about the other persons, there will be a hard conflict of interest.
  • Traceability on forwarding e-mails
    • One main benefit of e-mailing is the ease of forwarding information. This will be a liability when it comes to GDPR. You are for example responsible for corrections and deletions of personal data you have forwarded to others. It can be almost impossible to live up to GDPR compliance if you have e-mailed information to many recipients.

New routines

In order to be compliant with GDPR:s demands when it comes to e-mail, I recommend the following new routines:

E-mail system

  • Work actively with information in e-mails
    • Use the e-mail system only as a transporter of information.
    • Do not store a large amount of information in your e-mail system just because it is easy.
    • Upon receiving an e-mail, you should decide if and what data you want to store.
    • Rinse out everything that you have no legal ground to keep anymore.
  • Only send information about one person in every e-mail
    • Avoid forwarding e-mails to multiple receivers in the same e-mail if you attach personal data.
    • Demand of people who send e-mails to you to do the same.
  • Create automatic cleaning routines
    • If possible in your e-mail system, create rules and automated routines to rinse out old e-mails in accordance with decided rules.
  • Document rules and routines
    • It is a requirement that you document all steps you have taken to comply with GDPR, and this applies to e-mails as well.
    • Establish rules and procedures applied to employees.
  • Educate your staff
    • Teach your employees about which systems to use for storing personal data instead of using the email system and how these systems work.

New systems

  • Find alternative systems for storing important data
    • Define which information must not be stored in your e-mail system.
    • Save personal data in a system that comply with GDPR regulations.
    • Besides being GDPR compliant, it will lead to the positive effect that it will be easier to find relevant information.
  • Use other systems to share data with partners
    • If you take the example of a resume for a work applicant, instead of sending this out to possible future consultant buyers, create a system where you can share the information on a read only basis. In that case when you need to alter or delete information you only have to do this once and in one place.

If you are interested of more information about this, or has any questions
Don’t hesitate to contact us!