We exchange e-mails with clients, business partners, colleagues, and friends. Because of this, a lot of data is going back and forth. This creates the risk of personal data being sent to the wrong recipients. All it takes is one unfocused moment and a single click. Unfortunately, this is simply classified as a security breach because it concerns personal data. Here is what your organisation should know when it comes to personal data and e-mails.
On average, we send and receive more than 100 e-mails per day – both private and work-related. Some of these e-mails contain personal data, and that is why security breaches occur because of human error.
The greatest risk with outgoing e-mails is accidentally sending personal data to the wrong person, which results in a security breach. When it comes to incoming e-mails, the greatest risk comes from not ensuring that old e-mails that contain personal data are removed on a regular basis (also known as data minimisation).
But what exactly is a security breach when it comes to the GDPR? Simply put, when someone who should not have access to somebody else’s personal data, gets access, it is a considered a security breach according to the GDPR. For example, if you by accident click ‘reply all’ instead of just responding to the sender, then you are sending personal data to the unintended recipients as well.
Other situations include:
If we break this all down, we realise that these things happen when we act too quickly and forget to pay attention. Eventually, we all make these types of mistakes at some point – we cannot expect people to be 100% aware all the time. Still, the risk can be greatly reduced if we slow down and pay extra attention when we press ‘send’.
Generally, it is a wise choice to remind your team to go over the email text and recipient one more time before pressing ‘send’. For instance, we can all think about the following questions:
Additionally, you can also get your e-mail service to delay the sending of e-mails for you. This means that before the e-mail is sent, it will leave a couple of seconds open for cancelling. This gives you a chance to avoid sending an e-mail which could have triggered a security breach. It may sound weird, but this actually helps. It is often in the moment where you have pressed send that you think “Oh, did I attach the right file?”. Then you can stop the e-mail and check it before pressing send again. If your mail server can be configured for delayed sending, make sure to let your team know to ask a colleague or the people responsible for IT for help.
We are not in control of what others send us with e-mail. However, we are liable for how we deal with an e-mail that contains personal data. First, you need to immediately inform the sender that this could be a security breach. Additionally, the person whose personal data is exposed needs to be informed as well. You should also delete the data from your system.
When it comes to data minimisation, it implies that you do not process personal data longer than required. Be aware that while this is theoretically only seen as an old e–mail in your mail account, in practice, you are processing personal data if you can access it. In case your organisation has not issued guidelines on this, it is best to consistently delete old e–mails which do not make sense to keep. In this way, you help to secure your own personal data and that of other people. It is also a good idea to set yourself a reminder in your work calendar to delete old e-mails. Your e–mail inbox should not be a storage room for personal data. If you need to keep the data in your e-mails, then you should save it somewhere more appropriate.
In this blog, we discussed how sending personal data to the wrong person is considered a security breach according to the GDPR. Although you can delay the sending of e-mail and to perform data minimisation as possible solutions, it is always better to have the awareness from the start. Finally, if you have received personal data that was not meant for you, you should delete the e-mail, inform the sender, and the person whose data was leaked.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.