5 Ways Your Emails Could Breach GDPR

*This post may contain Affiliate Links which means we may earn from qualifying purchases you make via our website. Check out our Affiliate policy and what this means here

There’s a lot of confusion in the air currently for small businesses surrounding GDPR!

So let us set the record straight when it comes to sending emails.

If you are sending emails containing personally identifiable information (PII) (here’s the ICO’s guide on what actually counts as personal data), you need to take adequate steps to protect it.

It’s that simple.

So let’s look at some of the ways your emails could be putting your business at risk when the GDPR regulations come into effect on the 25th May 2018.

Edit: for the answers to commonly asked GDPR email questions, scroll to the bottom of this article.


1. Failing to use BCC (Blind Carbon Copy)

When sending to multiple recipients, unless emailing internally, you’ll need to use the BCC function.

This means that any given recipient will only see their own email address, the sender’s, and any recipients in the carbon copy (CC) section. All other recipients are anonymised.

Failure to do this means that each recipient’s name and email address (both personal data) are shared with the other recipients without their prior consent. This is a breach of GDPR regulations.

2. Sending Sensitive Data to the Wrong Recipient

So many people are getting in hot water for this one! Not only does the distribution of sensitive data to an unintended recipient contravene the consent element of the GDPR, it is also likely to have a detrimental effect on the trust held between two parties, which can devastate a working relationship.

And, the ICO aren’t allowing the human error defence!

Take the case of UK law firm WilmerHale, which unintentionally sent details of whistleblowing investigations at PepsiCo to a Wall Street Journal reporter. The information came from the US Securities and Exchange Commission, as well as internal investigators. This mishandled data had the potential to cause significant damage to PepsiCo’s reputation, and its leak certainly did no favours for Wilmer et al.

Be careful, therefore, to double-check both the data being sent and the email addresses of the recipients, to ensure that sensitive information does not fall into the wrong hands, or you could be in a world of trouble.

3. Unprotected/Unencrypted Attachments

It’s essential to encrypt critical information when sending it by email. If a message is intercepted, whether maliciously or by accident, encryption ensures the sensitive data inside cannot be read, so it is only usable by the intended recipient.

This also includes retaining control over how the personal information is used once you have sent it, by making sure the recipient can’t simply copy, forward or blast out the sensitive information afterwards. You do this by encrypting the file itself rather than your computer or email system (we’ve written a handy guide on disk vs file encryption for small businesses here).

4. Preventing Opt-Outs/Automatic Opt-Ins

Under GDPR, people have the right to erasure, otherwise known as the right to be forgotten. If any recipient asks for their email address to be removed from a mailing list, you need to do it immediately. Also, if an individual requests that any data stored about them is deleted, you are legally bound to do so.

It’s also important to confirm active consent from the outset: you can no longer ask people to “opt out” with an automatic opt-in box already checked. As well as requiring manual entry of an individual’s email address, provide information about how their data will be stored, and ask them to check a box to confirm they understand and acknowledge this.

5. Including PII Without Taking Precautions

This isn’t just about encrypting a single email. Be careful with chains, “reply all” and forwarded emails, which may carry the original PII on to people without permission to see it. If you add recipients to a discussion, check the email content beforehand, including the quoted history, and remove PII if it is present.

Taking the proper precautions beforehand helps keep your business safe from fines and shows that you are taking responsibility for your clients’ or customers’ data.
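As an added, constructed example (not from the post), here is a pre-send check covering points 1 and 5: it flags external addresses in To/Cc that every other recipient would see, and external addresses quoted in the body that a reply-all or forward would pass on. The internal domain and the two sample messages are assumptions.

```python
import email
import re
from email.utils import getaddresses

# Constructed samples (not from the post): a mass mailing with every customer
# in "To", and an internal forward whose quoted header carries a customer's address.
MASS_MAIL = """\
From: news@example-shop.test
To: alice@example.org, bob@example.net, carol@example-shop.test
Cc: dave@example.com
Subject: May update

Hi all, here is our May update.
"""
FORWARD = """\
From: carol@example-shop.test
To: erin@example-shop.test
Subject: Fwd: order query

Erin, can you handle this?
---------- Forwarded message ----------
From: alice@example.org
Where is my parcel?
"""
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _external(addrs, internal_domain):
    return [a for a in addrs if not a.lower().endswith("@" + internal_domain)]


def check_message(raw: str, internal_domain: str) -> list[str]:
    """Pre-send findings for the two leak paths the post describes.

    Point 1: every To/Cc address is visible to all other recipients, so an
    external address there with other recipients present is exposure (Bcc is
    not inspected: it is stripped in transit and nobody else sees it).
    Point 5: addresses quoted in the body travel with every reply-all/forward.
    """
    msg = email.message_from_string(raw)
    visible = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    findings = []
    if len(visible) > 1:
        for a in _external(visible, internal_domain):
            findings.append(f"To/Cc exposes {a} to {len(visible) - 1} other recipient(s); use Bcc")
    body = "" if msg.is_multipart() else msg.get_payload()
    for a in sorted(set(_external(ADDR_RE.findall(body), internal_domain))):
        findings.append(f"body quotes external address {a}; remove before forwarding")
    return findings
```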

Common GDPR Email Questions Answered:

We’ve been contacted with many GDPR email-related questions, so we thought we would share the most common ones:

Is sharing an email address a breach of GDPR?

This depends on two things:

Firstly, is the email address a personal one, like your personal Gmail? If not, does your company email address contain your full name? If you’ve answered no to both, then it’s not a GDPR breach. If yes, move on to the next question.

Secondly, does the party sharing it have permission or a reasonable basis to share your email address, for example to perform a service you’ve signed up to where sharing your address is absolutely necessary? Have you given express consent and forgotten about it?

If someone has shared your email and is now marketing to you without your consent, it IS a GDPR breach and you can respond to them asking for an erasure request (request to get your data deleted).

When is my business allowed to share email addresses?

The short answer is that you’re not, unless you get express permission from the customer (not by automatically opting them in). The only other time you are allowed to share email addresses is when it is vital to the service you are providing, for example sending email addresses to a courier for confirmation of delivery.

But even then, you must ensure that any third parties do not market to or contact those personal addresses outside of the business need they are serving, or you could also be liable.

When forwarding emails what do I need to consider with GDPR?

You should always err on the side of caution when forwarding private or sensitive information, even internally. Ask yourself: does the recipient need to see this information, or should I remove sensitive PII from the email before I forward it? And don’t forget to remove personal email addresses from the quoted replies if they are not needed.

Can I use BCC and be GDPR compliant?

Yes. If you’re sending a mass email, BCC makes sure that no recipient sees the other recipients’ addresses, and therefore reduces the risk of a breach. Of course, if you do this regularly there is more chance of human error creeping in, so it’s always best to use a mailing program.

Are you being GDPR compliant in your marketing? Check out this article on that HERE.

My employer shared my personal email address in the company. Is this a GDPR breach?

It can be. But the likelihood is that it’s more of a privacy issue that you should first discuss with HR. Internal company communications, particularly where you’ve provided your private email address to be contacted on, are a GDPR grey area, and if you’re uncomfortable with this information being shared, you should first contact your HR or legal department to discuss it.

I accidentally shared personal email addresses with our sporting group, is this a GDPR breach?

If your sporting (or any other social) group is classed as an organisation, rather than an informal group, then yes, it’s technically a GDPR breach. In practice, however, everyone who is part of that team or group has consented to being contacted and knows the other members anyway.

If you’re concerned about your privacy in that case, you should contact the head of the group and ask them to use BCC in the future. If you were added to the list without giving your permission, or don’t know the group, then yes, it’s a GDPR breach that you can report. But, again, this is a grey area.