Skip to main content

Not on my watch

Simon Clayton, chief ideas officer at RefTech, asks if your emails are as secure as you think they are...


Recently, a client asked us to do something illegal that you might be doing yourselves. Our account manager refused, which upset the client, but she was right.

The client had asked her to email over a spreadsheet of attendee data and she politely pointed out that this was against our company policy. The client wasn’t happy about that and continued to push for it, but she stuck to her guns (and proved that our training does work).

Emailing personal data is proof of a lack of organisational control and therefore forbidden under GDPR. Email is not secure because unless you have a complicated setup between you and the recipient, everything you send is unencrypted and so could be read by any unintended recipient or third-party who intercepts the communication. Spreadsheets aren’t secure either; anyone can crack a password protected spreadsheet in minutes with free tools from the internet.

I’m sure we have all sent an email to the wrong person because the wrong name popped up and you didn’t notice. Imagine doing this with the personal data of people who have trusted you with their passport number, or even medical records.

Surrey County Council was fined £120,000 over three data breaches that involved misdirected emails and North Somerset Council was fined £60,000 after five emails were sent to the wrong NHS employee, so not even the wrong organisation.

Email may be convenient and fast, but if you use it to share personal data you could be exposing your organisation to a potential investigation (or worse) from the ICO.