Horrific thought... and majorly overlooked???

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Mike Halsey, Mar 6, 2018.

  1. Mike Halsey

    Mike Halsey UKBF Newcomer Free Member

    Email... yep... we all receive hundreds of 'em every week (or day!).

    I've seen a ton of articles relating to the sending of email 'marketing' but what about just generally receiving and storing emails relating to day-to-day business? Has no-one considered this???

    According to GDPR:-
    • 'Personal data' constitutes anything that can identify an individual.
    • Retention of 'Personal data' requires explicit consent.
    Every single email ever sent to/from anyone WORLDWIDE contains a name and an email address and therefore has personal data that 'could' be used to identify an individual. Therefore EVERY email ever sent/received falls into scope of GDPR.

    I have never received 'explicit consent' from anyone that has ever sent me an email stating that I can retain that email for the purposes of contacting them in relation to anything the email contains.

    Am I therefore expected to delete all emails within a short time frame after receiving them?

    I'd be interested in anyone's thoughts on this.

    Thanks in advance.
     
    Posted: Mar 6, 2018 By: Mike Halsey Member since: Mar 6, 2018
    #1
  2. fisicx

    fisicx It's Major Clanger! Staff Member

    If they are business emails and you have a good data protection policy you will be OK. Deleting the emails once processing is complete should be good practice.
     
    Posted: Mar 6, 2018 By: fisicx Member since: Sep 12, 2006
    #2
  3. Mike Halsey

    Mike Halsey UKBF Newcomer Free Member

    'Storage' is also classed as 'processing' so does just retaining emails subsequently require them to be deleted?

    Also.. B2B communications in line with day-to-day business activities are 'not exempt' from GDPR.. The following article is very interesting... You'll have to google it as I can't post links yet...
    The GDPR and business-to-business email communications

    I don't believe having a good data protection policy makes any difference either. Retention of 'Personal data' without 'explicit consent' is specifically listed as unacceptable, irrespective of the nature of acquisition.

    Would be great to get some feedback from the ICO on this but they seem to be absent from any forums!
     
    Posted: Mar 6, 2018 By: Mike Halsey Member since: Mar 6, 2018
    #3
  4. Mike Halsey

    Mike Halsey UKBF Newcomer Free Member

    ...perhaps an auto-response should be sent for every received email???

    It could state something like:

    "Many thanks for your email. To remain in compliance with GDPR we will be 'storing' your email (for a period of up to x years) using 'legitimate interest' as the basis of eligibility, on the understanding that you may wish us to reply to your correspondence within the context of our Business to Business relationship. Should you wish us to delete all correspondence received from you please inform us asap. If you are happy for us to retain your emails within the context of our relationship please send us an email or letter providing us with an explicit statement of consent"
     
    Posted: Mar 6, 2018 By: Mike Halsey Member since: Mar 6, 2018
    #4
  5. DavidWH

    DavidWH UKBF Enthusiast Free Member

    There's lots of information on the ICO website.

    Surely general e-mails will be covered by Contract Consent.

     
    Posted: Mar 6, 2018 By: DavidWH Member since: Feb 15, 2011
    #5
  6. Mike Halsey

    Mike Halsey UKBF Newcomer Free Member

    Yeah... I think I've read most of it :)

    The lawful bases for data retention are: contract, legal obligation, vital interests, public task and... last but not least... legitimate interests.

    You can use contract or legal obligation if you are the 'provider' of a service but what if you're the receiver? i.e., someone provides me with a quote for something and I want to retain that quote for several years to see how future service provision costs change over time? One option is to re-house the relevant info (anonymising it) and delete the email.... but I bet most people just keep the email because it's more time efficient... me included!

    The only other basis for retaining the email is 'legitimate interest' but you're required to notify the 'sender' that you are using that as a basis of retention for their details (ie their email address).
     
    Posted: Mar 6, 2018 By: Mike Halsey Member since: Mar 6, 2018
    #6
  7. Mike Halsey

    Mike Halsey UKBF Newcomer Free Member

    I don't want to overthink this but... the danger of 'under thinking' could result in a pretty horrendous fine. ICO clarification on this would be helpful but, as with PCI... I doubt very much it'll come.
     
    Posted: Mar 6, 2018 By: Mike Halsey Member since: Mar 6, 2018
    #7
  8. Simon Plummer

    Simon Plummer UKBF Contributor Free Member

    As long as you document, say, 'email communications from customers' (for example) within your asset register, and document how you will handle the information, retention etc., you should be fine. If you think there is a potential for a large impact (based on quantity in this case) then do a privacy impact assessment. This is a great way to quiz your processes and identify risks; this can also then be the document that records the controls in place, lawful basis for processing and so on. Make sure that a good privacy statement is available (i.e. on your website) advising what you do with the data within email comms (the statement doesn't just have to refer to website activities), along with clearly stating how they can get in touch should they want to exercise any of the rights listed (right to access etc.), and I don't see an issue. Ultimately, if you can justify why you hold the data, there is no problem, just document it.
     
    Posted: Mar 6, 2018 By: Simon Plummer Member since: Dec 6, 2017
    #8