Allowing employees to use personal email accounts to conduct business means that your company's business information is being stored on mail servers outside of your control, potentially anywhere in the world. You have no way of knowing all the places where your company data is stored, who can access it, or where it has been transmitted. Where that data includes personal data, this is very likely to breach the security and accountability obligations of the Data Protection Act 2018 and the UK GDPR, for which the ICO can fine organisations up to £17.5m or 4% of annual worldwide turnover, whichever is higher.
It could also be argued that there is a potential breach of the Computer Misuse Act 1990, on the basis that information which should only ever have been held on a company laptop and on company servers has been copied to, and is now held on, an employee's personal system in a way the company never authorised.
The risks and implications of using personal accounts for business are often not apparent until there is a Freedom of Information request, an internal investigation or eDiscovery. In all of these cases, those personal accounts may contain relevant information and as such have to be offered up for search and retrieval. For a public authority, information held in a personal account on the authority's behalf is still subject to the Freedom of Information Act 2000, so failing to search for it and disclose it can be a breach of that Act.
Even the act of discovery is difficult. Personal email accounts cannot be searched through the company's own legal-hold and discovery tooling. Google, for example, does not allow a third party to scan a user's personal Gmail without that user's consent (several cases are currently under way), meaning the company will have to instruct the user to search his or her own email. That relies entirely on the employee's diligence and honesty and runs a big risk of spoliation sanctions if relevant mail is missed or deleted. If the issue is regulatory, the inability to produce the records is likely to be treated as a failure to comply with the law.
If there is a serious security incident that requires a criminal investigation, the police can seize both business and private employee IT equipment under the Police and Criminal Evidence Act 1984 if there is reason to believe that evidence is held on any equipment used in the course of business. The chances of getting that equipment back quickly are very slim, as it is usually retained as an exhibit for the duration of the investigation and any subsequent proceedings.
Furthermore, the company can face court sanctions, such as adverse inferences or costs orders, if it is deemed that evidence has been withheld because the company could not access information that was no longer in its control, sitting in employee accounts or on employee PCs. Legal cases can also fail because there is serious doubt about the integrity and chain of custody of the evidence being presented, and a judge may rule that evidence inadmissible.
Any employee in a business who sends personal data (including HR and personnel records) to their personal email address is likely to breach the Data Protection Act 2018 and the UK GDPR, and the business, as the data controller, is subject to enforcement action by the ICO, which may result in heavy fines.
In short, sending business email to a personal account, or using a personal account for business, is a legal minefield that is not worth traversing, either as a business or as an employee, because the resulting damage to reputation is very hard to repair.
If you would like to learn more about ISO 27001, we do have a 2 part Podcast series discussing the journey to certification. Listen HERE.