Risks of using personal email accounts in the workplace
Business risks
- Loss of audit trails
- Grey communication circuit, also with external parties (customers, suppliers, competitors)
- Difficulties retrieving data in case of litigation
- Increases exposure to hackers due to lower protection level of personal devices
- Increases exposure to hackers due to less 'prudent' behaviour on personal devices
- It is likely easier for attackers to gain access to a private mailbox and use its contents for phishing ... both may lead to security breaches
- Data leakage when company data remains in the individual's mailbox after he/she leaves the company
- Loss of access/control/IPR when an employee has admin rights on a SaaS app and leaves the company (possibly to a competitor) – Ultimaker case
GDPR related risks
Several GDPR obligations might not be met when personal data is sent to private mailboxes or is available on personal devices:
- obligation to inform data subjects in case of a breach (you do not know who they are)
- obligation to have appropriate security safeguards in place to protect personal data – permitting use of personal email addresses for work activity is likely to fall foul of this.
- the individual will become the data controller instead of the organization, without the required data protection controls
- if the individual moves to or is located overseas, it might constitute unlawful cross border transfer.
- harder to comply with Data Subject Access Requests (DSARs) because the organization will not know what data is held, where it has gone and how long it is retained.
The ICO’s detailed DSAR guidance also raises the possibility that personal email accounts do, sometimes, fall inside the scope of a DSAR. The guidance states:
- A policy should restrict staff’s permission to hold information about customers, contacts or other employees on their own devices, in private email accounts or on private instant messaging applications
- Staff accessing systems remotely (for example via a secure website) should not hold personal data on equipment the employer does not control
- If staff may hold personal data on their own devices, they might be processing that data on the employer’s behalf, so this could be within a DSAR’s scope. This depends on the purpose for which the employer holds the information, and its context
- The ICO does not expect employers to instruct staff to search their private emails, personal devices or private instant messaging applications in response to a DSAR, unless the employer has a good reason to believe they are holding relevant personal data