Allowing employees to use personal email accounts to conduct business means that your company’s business information is being stored on mail servers outside of your control, anywhere in the world. You have no way of knowing all the places where your company data is stored, or where it’s been transmitted. This is a breach of the Data Protection Act 2018 and GDPR; for which there are fines for companies and individuals of anything up to £18m.
It could be argued that there is a potential breach of the Computer Misuse Act 1990 as the information that should have been held on a company laptop and in company servers has been found in an employee’s system.
A personal email account is open to searches that are not permitted by the business and not covered by your company’s security policies; because employees may have agreed to Gmail/Hotmail Terms and Conditions (which allow for email content searches), to allow targeted advertising. You may have a good data privacy policy in place, but personal email accounts can bypass it with one click of the “Send” button. Again, you will be in breach of the Data Protection Act 2018.
Understanding the risks and implications of using personal accounts for business is not always apparent until there are Freedom of Information requests, internal investigations, or eDiscovery. In all these cases, those personal accounts may contain relevant information and as such have to be offered-up for search and retrieval. This is a breach of the Freedom of Information Act 2000
Even the act of discovery is difficult – Personal emails are not discoverable in standard legal discovery procedures. Google for example prohibits external scanning of users’ emails (several cases are currently under way), meaning the company will have to instruct the user to scan his or her email themselves and runs a big risk of spoliation sanctions. If the issue is regulatory, the company is likely to be found to be breaking the Law.
If there is a serious security incident that requires a legal investigation the police and courts can take measures to seize both business and private employee IT equipment, under the Police and Criminal Evidence Act 1984 if there is a chance that evidence has held on any equipment used in the course of business. The chances of getting equipment back is very slim as it is often bonded and retained as part of a criminal investigation.
Furthermore, the company can be facing a lawsuit under the Police and Criminal Evidence Act 1984 if it is deemed that evidence has been withheld because of the company not being able to access information no longer in their control on employee PCs or legal cases could fail as there would be serious doubt about the integrity of the evidence being presented and a Judge may consider the evidence to be inadmissible.
Any employee in a business sending personal/personnel information to their personal e-mail addresses automatically breaches the Data Protection Act 2018 and GDPR, and is subject to the same enforcements under the ICO which might results in heavy fines.
In short, sending an e-mail to a personal account, or using a personal account for business use is a legal minefield that is not worth traversing either as a business or employee as the damage to reputation can never be repaired.
If you are concerned about your organisations’ data security then you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).
If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Is it okay to ever use a personal e-mail account address for business, or send business e-mails to my personal e-mail address?
The short answer is ‘No!’ This is because it opens your business up to security, legal and professional risks that may lose you customers and can damage your reputation.
All businesses have the capability to access their emails on all sorts of equipment, smartphones, tablets, PCs and laptops (the latter two through the use of a secure VPN back to the business itself. So, there is no reason to resort to personal e-mail accounts for business use.
However, there are far greater risks to the business in terms of Security, Legal Compliance and Business Reputation that should be enough to deter employees from using such risky methods in the corporate environment.
What are the security risks of using a personal account for business?
Personal email accounts exist outside of the IT department’s control, therefore, they are not subject to backup, archiving, security or governance so using them for business purposes, is a clear violation of compliance regulations. Furthermore, as they are beyond the bounds of the IT department’s control there is no guarantee that e-mails are secure or will remain free of any viruses.
If e-mails held in personal accounts are not back-up there is a loss of auditable trails and opens the business and employees up to losing important information that the business must, by law retain as business evidence of good business practices – this opens the company up to suspicions of fraud.
Employees sending e-mails to their personal e-mail addresses can not guarantee the security of their e-mails, particularly if they use systems such as Hotmail and Gmail, which are notoriously vulnerable e-mail systems and have been hacked on many occasions. How would it look if you lost company information because of a data breach in an employee’s personal e-mail account? It would damage you reputation and may result in lawsuits.
Whilst you may have appropriate antivirus protection in place, can the same be said of employees on home computers? Typically, the answer is no, either because the antivirus has not been kept up to date or the type being used is not as effective as those used within the business. If an employee sends an e-mail to a client from their home system it could be infected by a virus (that you have not been able to control) and the reputation of the company is impacted.
And since personal emails are not stored on company servers, discovery for DPA/GDPR and Freedom of Information requests are seriously compromised presenting legal risks to your organization.
If you are concerned about your organisations’ data security then you may want to consider ISO 27001 (Information Security Management) or BS 10012 (Personal Information Management).
If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.
We’d love to hear your views and comments about the ISO Show, here’s how:
- Share the ISO Show on twitter or Linkedin
- Leave an honest review on iTunes or Soundcloud. Your ratings and reviews really help and we read each one.
Subscribe to keep up-to-date with our latest episodes:
Stitcher | Spotify | YouTube |iTunes | Soundcloud
Will ISO 27001 make me GDPR compliant?
ISO27001 v BS 10012
On its own No – this is a myth.
Information security is just one of Six principles of BS10012 and GDPR
“f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Whilst a very important principle, if you rely on just having ISO 27001 for GDPR compliance you run the risk of not being in full alignment with all the principles (and related articles and recitals).
Who needs to be involved in BS 10012?
Do all my staff need to be involved in BS 10012
Successful implementation is a team effort.
It starts with the top – Senior Management need to be fully onboard and committed to achieving data protection best practice. If this is secured, then everything else will flow from there.
In order to effectively identify all the personal data within your organisation you need to involve all areas of the business.
All too often businesses are concerned with just the data they may process for their clients – normally because they’re being questioned about data protection by their clients!
Or on the flip side, businesses are overly concerned with staff or finance data – excluding all the other client related personal data they may be controlling in the business.
With BS10012 – all personal data is captured and recorded to ensure that all risks are considered.
Thereafter, all staff require a level of data protection training to ensure that they understand their responsibilities in relation to personal data. Unfortunately, as has been proven many times before, people will always be the weakest link when it comes to data protection breaches. Ensuring all staff are trained is fundamentally one of the most important steps to take in implementing BS10012:2017
This extends out to key suppliers or partners depending on whether personal data is shared/ transferred outside of the business.
Beyond certification, we take great pride in delivering ISO support solutions which help our clients improve their productivity and profitability in a risk-controlled way.
We are your dedicated support team for all ISO compliance matters from internal audits to updating Health, Safety and Environmental Legal compliance.
Our 7 Steps to Success
The Blackmores ISO Roadmap is a proven path to go from idea to launching your ISO Management System.
Whether you choose to work with one of our isologist consultants or work your own way through the process on our isology Hub, we’re certain you’ll achieve certification in no time!
What our clients have to say
The support and advise I get from our assigned auditors is immense. Forward planning for the following year is great and they are flexible and always willing to help.
Kalil Vandi
“Blackmores have assisted us almost since the start of our adoption of the ISO 9001 quality standard. Their input has improved our processes since the start, and enabled our goal of continuous improvement to be achieved. The people are also extremely easy to get on with, and they really understand our business, giving us a great deal of confidence in their advice.”
David Gibson
“Blackmores are the perfect bridge between working on your ISO as an individual or company, to being audited each year. We find that any queries we have are covered and we feel sure that we have everything as needs be before going into an external audit.”
Mandy Welsby
“We have been extremely impressed with the service and support provided by Blackmores. There knowledge and assistance through out our ISO journey has been amazing!”
Philip Hannabuss
“Blackmores have really kept us on our toes with the broad scope and level of detail they apply to our internal audit schedule. They always stay abreast of ISO standard changes and help us to adapt our processes and documents to embrace these changes accordingly. Having Blackmores shadow our external audits provides invaluable confidence and peace of mind – would highly recommend their services!”
Phil Geens
“Our ISO 27001 certification project has gone so well, that there was no doubt in who we were going to ask to help us with our aspirations of becoming ISO 14001 certified. It’s been an absolute pleasure working with Blackmores, and we are really looking forward to working with them for the foreseeable future.”
Trusted by leading organisations across all sectors, we support companies of all sizes in any location.
Listen to our Podcast
Welcome to the ISO Show podcast, dispelling myths and sharing tips for success to improve your business with ISO Standards. Join us to hear interviews with successful business leaders as they share their ISO journey with you.
Get top tips via audio master classes “ISO Steps to Success” on the most popular ISO Standards.
