5 Ways Your Emails Could Breach GDPR

There’s a lot of confusion in the air currently for small businesses surrounding GDPR!

So let us set the record straight when it comes to sending emails.

If you are sending emails containing personally identifiable information (PII) (here’s the ICO’s guide on what actually counts as personal data), you need to take adequate steps to protect it, for example by using an easy protection service for small businesses like My Protected Mail!

It’s that simple.

So let’s look at some of the ways your emails could be putting your business at risk when the GDPR regulations come into effect on the 25th May 2018:

1. Failing to use BCC (Blind Carbon Copy)

When sending to multiple recipients, unless emailing internally, you’ll need to use the BCC function.

This means that any given recipient will only see their own email address, the sender’s, and any recipients in the carbon copy (CC) section. All other recipients are anonymised.

Failure to do this means that names and email addresses (both PII) are shared with other recipients without their prior consent! This is a breach of GDPR regulations.

2. Sending Sensitive Data to the Wrong Recipient

So many people are getting in hot water for this one! Not only does the distribution of sensitive data to an unintended recipient contravene the consent element of the GDPR, it is also likely to have a detrimental effect on the trust held between two parties, which can devastate a working relationship.

And, the ICO aren’t allowing the human error defence!

Consider the case of UK law firm WilmerHale, which unintentionally sent details of whistleblowing investigations at PepsiCo to a Wall Street Journal reporter. The information came from the US Securities and Exchange Commission, as well as internal investigators. This mishandled data had the potential to cause significant damage to PepsiCo’s reputation, and its leak certainly did no favours for Wilmer et al.

Be careful, therefore, to double-check both the data being sent and the email addresses of the recipients, to ensure that sensitive information does not fall into the wrong hands, or you could be in a world of trouble.

3. Unprotected/Unencrypted Attachments

It’s essential to encrypt critical information when sending it by email. This prevents interception, either by malicious or accidental means, and ensures that sensitive data is delivered securely.

This also includes retaining control over how the personal information is used once you have sent it, by making sure the recipient can’t simply copy, forward or blast out the sensitive information afterwards. You do this by encrypting the file itself rather than your computer or email system (we’ve written a handy guide on disk vs file encryption for small businesses here.)

My Protected Mail, for example, encrypts the file to make sure that it can’t be sent on to someone other than the intended recipient (you can’t even screen share the file via Skype, you just get a blank page!)

4. Preventing Opt-Outs/Automatic Opt-Ins

Under GDPR, people have the right to erasure, otherwise known as the right to be forgotten. If any recipient asks for their email address to be removed from a mailing list, you need to do it immediately. Also, if an individual requests that any data stored about them is deleted, you are legally bound to do so.

It’s also important to confirm active consent from the outset: you can no longer ask people to “opt out” by presenting a pre-checked opt-in box. As well as requesting manual entry of an individual’s email address, provide information about how their data will be stored, and ask them to check a box to confirm they understand and acknowledge this.

5. Including PII Without Taking Precautions

This isn’t just about encrypting a single email: be careful with chains, “reply all” and forwarded emails that may pass the original PII on to people without permission to see it. If you add recipients to a discussion, check the email content beforehand, and remove any PII that is present.
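As an added illustration of pitfalls 1 and 5 (this is not code from the original post or from My Protected Mail), here is a small pre-send check in Python: it flags external addresses left visible in To/Cc, and scans the body, quoted chain included, for PII-like strings before you add anyone to a thread. INTERNAL_DOMAIN, the regular expressions and the sample message are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.co.uk"  # assumption: the sending organisation's own domain

# Illustrative PII patterns only: email addresses, UK-style phone numbers, UK NI numbers.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b(?:\+44\s?|0)\d{3,4}[\s-]?\d{3}[\s-]?\d{3,4}\b"),
    "ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}

def _addresses(msg, header):
    """Bare, lower-cased addresses from a header (empty list if the header is absent)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]

def _body_text(msg):
    """All text/plain parts joined, so quoted chains and forwards are scanned too."""
    parts = [msg] if not msg.is_multipart() else msg.walk()
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def check_recipients(raw):
    """Pitfall 1: two or more external addresses in To/Cc means each recipient
    sees the others. Returns those addresses (they belong in Bcc), else []."""
    msg = message_from_string(raw)
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    external = [a for a in visible if not a.endswith("@" + INTERNAL_DOMAIN)]
    return external if len(external) > 1 else []

def find_pii(raw):
    """Pitfall 5: before adding recipients to a chain, report PII-like strings
    in the body as {kind: [matches]}; an empty dict means nothing was flagged."""
    body = _body_text(message_from_string(raw))
    return {kind: pat.findall(body) for kind, pat in PII_PATTERNS.items()
            if pat.search(body)}

# Constructed sample: external customers in To (not Bcc), forwarding a chain with PII.
SAMPLE = """From: news@example.co.uk
To: alice@customer-one.com, bob@customer-two.org
Cc: sales@example.co.uk
Content-Type: text/plain

---------- Forwarded message ----------
Please call Jane on 07700 900123 about NI number QQ123456C.
"""
if __name__ == "__main__":
    print("visible external recipients:", check_recipients(SAMPLE))
    print("PII found in body:", find_pii(SAMPLE))
```

Anything returned by check_recipients should be moved to Bcc, and anything in find_pii should be removed or the attachment encrypted before the message leaves.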

Taking the proper precautions beforehand not only keeps your business safe from fines, but also shows that you are taking responsibility for your clients’ or customers’ data.

For more information on using an easy system that doesn’t require you to install anything, check out My Protected Mail.

or

Take our Free Training on Understanding GDPR Email Protection HERE

Where you’ll get:

  • Free support to ask questions about solutions etc. 
  • GDPR Terminology
  • Industries prone to a GDPR breach
  • Methods of Protecting emails (free and otherwise) to protect against a breach

For Organisational Email Security, Check Out Our Course on Udemy HERE

Where you’ll learn:

  • What Email Security Involves (and why should you care?)
  • Email Security Terminology
  • GDPR Email Security Considerations
  • Ways to Keep Emails GDPR Compliant
  • How Much Can a Hacker ACTUALLY See on Your Machine (if you’ve been compromised)
  • Suspicious Email Warning Signs [Real Examples]
  • Signs You’ve Been Affected by Malware and Could Be Risking a Breach
  • What to do If You Click on a Suspicious Email Link
  • What to do If You Spot a Suspicious Email
  • Creating Secure Passwords
  • Types of Email Attack and What to Watch Out For
  • Types of Email Security Protection
  • What Hackers Can See When You Deploy File Protection
  • Setting a Password Policy
  • Protecting Your Network From Potential Attacks Via Email
  • Creating Email Policies
  • What to Include in GDPR Staff Training [For Managers]
  • How to Make Staff Training More Engaging