GDPR Email Questions Answered:
We’ve been contacted with many GDPR email-related questions, so we thought we would share the most common ones:
Is sharing an email address a breach of GDPR?
This depends on two things:
Firstly, is the email a personal one, like your personal Gmail? If no, does your company email address have your full name, e.g. firstname.lastname@example.org? If you’ve answered no, then it’s not a GDPR breach. If yes, answer the next question.
Do they (you) have permission or reasonable grounds to share your email? For example, is it to perform a service you’ve signed up to where sharing your email address is absolutely necessary? Have you given express consent and forgotten about it?
If someone has shared your email and is now marketing to you without your consent, it IS a GDPR breach and you can respond to them with an erasure request (a request to have your data deleted).
When is my business allowed to share email addresses?
The short answer is that you’re not, unless you get express permission from the customer (not by automatically opting them in). The only time you are allowed to share emails is when it is vital to the service you are providing. For example, sending email addresses to a courier for confirmation of delivery.
But even then, you must ensure that any third parties do not market to or contact those personal addresses outside of the business need they are fulfilling, or you could also be liable.
When forwarding emails, what do I need to consider with GDPR?
You should always be cautious when forwarding private or sensitive information, even internally. Ask yourself: does the recipient need to see this information? Should I remove sensitive PII from the email before I forward it? And don’t forget to remove personal email addresses in the replies if they are not needed.
Can I use BCC and be GDPR compliant?
Yes. If you’re sending a mass email, BCC makes sure recipients cannot see each other’s email addresses and therefore reduces the risk of a breach. Of course, if you do this regularly there is more chance of human error, so it’s always best to use a mailing program.
My employer shared my personal email address in the company. Is this a GDPR breach?
It can be. But the likelihood is that it’s more of a privacy issue that you should first discuss with HR. Internal company communications, particularly if you’ve provided your private email to be contacted on, are a GDPR grey area, and if you’re uncomfortable with this information being shared, you should first contact your HR or legal department to discuss it.
I accidentally shared personal email addresses with our sporting group, is this a GDPR breach?
If your sporting group (or any other social group) is classed as an organisation, rather than an informal group, then yes, it’s technically a GDPR breach. However, in practice, everyone who is part of that team or group has consented to being contacted. They should know the other members anyway.
If you’re concerned about your privacy, you should contact the head of the group and ask them to use BCC in future. If you were added to the list and didn’t give your permission, or don’t know the group, then yes, it’s a GDPR breach.