removed emoji from filenames, Obsidian changed all relevant links
parent d316285a74
commit 68f1c38681
638 changed files with 710 additions and 3176 deletions
@ -0,0 +1,31 @@
# Risks of using personal email accounts in the workplace
[Source](https://www.doyleclayton.co.uk/resources/news/Using-personal-emails-for-work-purposes/)
## Business risks
- Loss of audit trails / - Grey communication circuit, also with external parties (customers, suppliers, competitors)
- Difficulties retrieving data in case of litigation
- Increases exposure to hackers due to lower protection level of personal devices
- Increases exposure to hackers due to less 'prudent' behaviour on personal devices
- It is probably easier for attackers to gain access to a private mailbox and use its contents for phishing
... both may lead to security breaches
- Data leakage when company data remains in the individuals mailbox after he/she leaves the company
- Loss of access/control/IPR when employee has admin-rights on SaaS app and leaves the company (possibily to a competitor) – Ultimaker case
## GDPR related risks
Several GDPR obligations might not be met when personal data is sent to private mailboxes or is available on personal devices:
- obligation to inform data subjects in case of a breach (you do not know who they are)
- obligation to have appropriate security safeguards in place to protect personal data – permitting use of personal email addresses for work activity is likely to fall foul of this.
- the individual will become the data controller instead of the organization, without the required data protection controls
- if the individual moves to or is located overseas, it might constitute unlawful cross border transfer.
- harder to comply with Data Subject Access Requests (DSARs) because they will not know what data is held, where it has gone and how long it is retained.
The ICO’s [detailed DSAR guidance](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/) also raises the possibility that personal email accounts do, sometimes, fall inside the scope of a DSAR. The guidance states:
- A policy should restrict staff’s permission to hold information about customers, contacts or other employees on their own devices, in private email accounts or on private instant messaging applications
- Staff accessing systems remotely (for example via a secure website) should not hold personal data on equipment the employer does not control
- If staff may hold personal data on their own devices, they might be processing that data on the employer’s behalf, so this could be within a DSAR’s scope. This depends on the purpose for which the employer holds the information, and its context
- The ICO does not expect employers to instruct staff to search their private emails, personal devices or private instant messaging applications in response to a DSAR, unless the employer has a good reason to believe they are holding relevant personal data
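Review bot: the first bullet under "Business risks" collapses two separate points into one line with a stray " / -" separator ("- Loss of audit trails / - …"); split it into two list items so each risk renders as its own bullet. Two small typos in the same list: "individuals mailbox" should read "individual's mailbox", and "possibily" in the Ultimaker bullet should be "possibly". The ICO bullets at the end are introduced with "The guidance states:" but are not marked as quoted text; if they are verbatim, prefix them with `>`, otherwise reword the lead-in to say they paraphrase the guidance.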