What are an employer's obligations under the General Data Protection Regulation (GDPR) in relation to emails containing personal data?

The General Data Protection Regulation (2016/679 EU) (GDPR) applies to personal data contained in emails in the same way as it applies to other personal data. Employers should recognise that emails create particular difficulties, as it is hard to keep track of where personal data in emails is stored, whose personal data is being processed and how it is being processed. Employers should put in place policies and procedures to assist with GDPR compliance when processing data in emails, including in relation to storage, security and data subject rights.

One of the principles of the GDPR is that personal data should be kept for no longer than is necessary for the purposes for which it is being processed. Data controllers (ie employers) are required to set retention times for all personal data that they collect and to inform the data subjects (ie employees, job applicants etc) of this period, or the criteria used to determine it. Therefore, employers should have in place a clear policy on email storage, and ensure that all staff are aware of how to determine for how long an email containing personal data should be kept before it is deleted.

The employer could have a policy of deleting the email account of employees who have left the organisation, at the end of the relevant retention period. The purpose of keeping former employees' emails is likely to be for the defence of claims made against the employer, so the retention period should reflect the relevant limitation periods for potential claims. Deleting an email account will not deal with the fact that the sent or received copies of the emails could still be stored in other accounts, but could be seen as a proportionate way of dealing with former employees' emails.

Employers must ensure that personal data kept on an email system is secure. They should ensure that all staff that process personal data are aware that emails containing personal data must be forwarded to, or accessed by, only the minimum people necessary for the purpose for which it is processed.

Further, the GDPR provides individuals with various rights in relation to their personal data, including the right to access it, have it erased or rectified, or to restrict the processing of it. Employers will need to be able to identify where personal data about an individual is held to be able to comply with its duties in relation to these individual rights. One approach could be for the employer to state that personal emails relating to employees, for example emails between the employee and his or her line manager relating to sickness absence or performance, should be kept in a separate folder to work-related emails. Managers could be required to have separate folders for each employee. This would make it easier to delete such emails at the appropriate time and to respond to a data subject access request, for example.

The GDPR will come into effect on 25 May 2018.