"Does GDPR stop us from accessing work emails of an employee who has left the company?"
Tash Whitaker
CIPP/E, CIPM, FIP, DPO Certification (Maastricht), PG Cert DP Law & IG. Passionately curious.
A question I get asked a fair bit. My response is always the same: "it depends". Mostly it depends on how you have set up your own internal policies and procedure to deal with GDPR. GDPR on its own would not stop you accessing this data.
If we look at it in its simplest form, the name and email address of individuals are both personal data, and therefore fall under the scope of the GDPR. The contents of those emails may identify the individual, but on the whole they will be commercially sensitive information that may be of value to the business once the employee has left. This leaves a bit of a dilemma for a company that hasn't set up its policies and processes to deal with this type of scenario.
So, the things I would be considering (and this probably isn't everything, but a good start):
1) You have a legitimate interest in processing that personal data beyond the point that the employee leaves the company. Make sure that the lawful basis, the purpose of processing, and the email retention period are reflected in your record of processing, your legitimate interest balancing test, and the Employee Fair Processing Notice.
2) As a general rule, you should ensure that commercially critical information/emails are stored in a secure, centralised area, rather than in one person's inbox. That area can have its own retention period.
3) You can't rely on consent for the processing of employee data: the balance of power is wrong, so the consent would not be valid.
4) Have a policy in place that work email is used only for that purpose, to negate the possibility of the email inbox containing personal information that you would not be expecting.
5) Remember that if you get a subject access request for emails, you do not need to include commercial information, only personal information. Within an employee's inbox it is unlikely that there will be significant amounts of personal information about him/her. (Any opinions about their performance are likely to be in the HR system or management inboxes, so you should definitely look in all of those too.)
6) Overall, be transparent. Let employees know (via the Fair Processing Notice) that the company will maintain access to their inbox once they have left and why you need to do it. It's not an unreasonable thing to do and employees should not be surprised that you need to do so.
If you haven't put these steps in place, or you have put overly strict internal policies in place stating that you won't access corporate emails, then you may be shooting yourself in the foot. On the one hand, a strict policy of deleting former employee emails will make SARs easier to handle (as long as you have documented the policy!). On the other, if that email inbox contained information you need to meet a client's expectations/bring in the next big deal/resolve a legal issue, then you are placing yourself at a disadvantage and incorrectly blaming the GDPR.
The GDPR is not there to put the brakes on your business. When implemented properly, it is there to stop undesirable behaviours and increase trust between you, your employees, suppliers and customers alike.
GDPR-P | IPA NL
4 years ago: Just came across this article 9 months later, but I was wondering, what would you consider then as a "legitimate interest in processing that personal data beyond the point that the employee leaves the company"?
Creating a Partner Integration Platform for the Future of Farming
4 years ago: Aaron Engel, do you know what the law is in Brazil?
Growth and Transformation Leader; Client Partner
5 years ago: Brian Wrona, this is the point that I made the other day. Each company has a different way of creating GDPR related policies. Your overall approach to how you implement is most important. You have to be transparent to your data subject and make sure your policies are within the boundaries of GDPR or any other policies which may overlap.
#DrPrivacy | FSU Law Grad | Data Privacy Advocate | Global Cybersecurity, Compliance & Risk Management Compliance Leader | Mentor | Educator | Research Fellow | Privacy Expert (GDPR, CCPA, LGPD), HIPAA, CMMC
5 years ago: (4) is spot on, with a notification about usage of the information and user agreement around company data.