Don't get on the wrong side of DPA 2018!
Anthony King
Founder & Managing Partner Kognise, Co-Founder & Managing Partner Cloudpush | Strategic Adviser for a Global Family Office
We are frequently asked which UK data protection regulations apply now that the Brexit transition period has ended. The simple answer is that the Data Protection Act 2018 (DPA 2018) continues to apply. The provisions of the EU GDPR were incorporated directly into UK law at the end of the transition period, and the UK GDPR now sits alongside the DPA 2018 with some technical amendments so that it works in a UK-only context.
Alongside having an appropriate set of policies on data protection and privacy, all companies need to be very aware of their responsibilities in respect of personal data. This includes data captured via websites through contact forms and, in particular, company e-mail.
Many businesses assume that a company e-mail account is their property. The address is, but it is the responsibility of the board and, where assigned, the Data Controller, to manage any e-mails associated with that address in full compliance with DPA 2018. Breaching these regulations can be costly, as a recent case heard by the Belgian Data Protection Authority ("BDPA") illustrates: it imposed a heavy fine on an SME for retaining the e-mail records of a previous member of staff (https://lnkd.in/ep73s5G). The financial risk of a breach may also be multiplied if e-mail retention was routine and the affected previous employees raise a class action.
To comply fully with DPA 2018 we suggest you follow these guidelines:
Prior to dismissal:
- On leaving an organisation ensure the leaver is allowed to collect or delete his/her private electronic communications
- Advise the leaver that their mailbox will be blocked
- Activate an automatic response to confirm that the person has left and provide an alternate contact point
- Any GDPR or DPA controller must block the mailbox (i.e. make it unavailable) of a person who has left his/her position, and must do so at the latest on the day of their actual departure
After departure:
- Maintain the automatic response for a limited time (typically 1 month but no more than 3 months)
- Delete the mailbox
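The checklist above is, in practice, an IT offboarding procedure, so here is an added example script that is not part of the original article and not the author's own material. It assumes an Exchange Online tenant with the Exchange Online PowerShell module (Set-CASMailbox, Set-MailboxAutoReplyConfiguration, Remove-Mailbox) and the Microsoft Graph PowerShell module (Update-MgUser) already connected as an administrator; the addresses, wording and the CSV path are constructed placeholders. It enforces the article's "typically 1 month, never more than 3" window on the auto-response by scheduling an end date rather than leaving the reply switched on indefinitely, and keeps the final deletion as a separate, deliberate step.

```powershell
# Added example (not from the original article). Assumes Exchange Online PowerShell and
# Microsoft Graph PowerShell sessions are already connected with admin rights.
# $Leaver, $AlternateContact and the CSV path are constructed placeholders.
param(
    [Parameter(Mandatory)] [string] $Leaver,           # e.g. "jane.smith@example.com" (constructed)
    [Parameter(Mandatory)] [string] $AlternateContact, # e.g. "enquiries@example.com" (constructed)
    [int] $AutoReplyMonths = 1                         # article: typically 1, never more than 3
)

# Guardrail: refuse an auto-reply window outside the 1-3 month range the article gives.
if ($AutoReplyMonths -lt 1 -or $AutoReplyMonths -gt 3) {
    throw "Auto-reply window must be between 1 and 3 months (got $AutoReplyMonths)."
}

$departure = Get-Date
$end       = $departure.AddMonths($AutoReplyMonths)
$text      = "This person has left [COMPANY NAME]. Please contact $AlternateContact instead."

# Step 1 (no later than the day of departure): block the mailbox.
# Sign-in is disabled at the identity provider, and every mailbox access protocol is
# switched off as well, so the mailbox cannot be read even by a cached client session.
Update-MgUser -UserId $Leaver -AccountEnabled:$false
Set-CASMailbox -Identity $Leaver -OWAEnabled $false -ActiveSyncEnabled $false `
    -ImapEnabled $false -PopEnabled $false -MAPIEnabled $false -EwsEnabled $false

# Step 2: automatic response confirming the person has left, with an alternate contact.
# 'Scheduled' with an EndTime means the reply switches itself off when the window ends.
Set-MailboxAutoReplyConfiguration -Identity $Leaver -AutoReplyState Scheduled `
    -StartTime $departure -EndTime $end `
    -InternalMessage $text -ExternalMessage $text -ExternalAudience All

# Step 3: record the deletion date so the final step is tracked rather than forgotten.
[pscustomobject]@{
    Leaver         = $Leaver
    BlockedOn      = $departure.ToString('yyyy-MM-dd')
    AutoReplyUntil = $end.ToString('yyyy-MM-dd')
    DeleteOn       = $end.ToString('yyyy-MM-dd')
} | Export-Csv -Path '.\leaver-mailbox-schedule.csv' -Append -NoTypeInformation

# Step 4 (run on or after DeleteOn): delete the mailbox and all of its contents.
# Kept as a separate function so deletion is an explicit, logged action, not a side effect.
function Remove-LeaverMailbox {
    param([Parameter(Mandatory)] [string] $Identity)
    Remove-Mailbox -Identity $Identity -Confirm:$false
    Write-Host "Mailbox $Identity removed on $(Get-Date -Format 'yyyy-MM-dd')"
}
```

Run the script once on the leaver's last day; run Remove-LeaverMailbox from the schedule file when the recorded date arrives. One caveat for the deletion step: any litigation or retention hold, archive mailbox or backup copy of the mailbox has to be covered too, otherwise the confirmation in the template below that no copies are retained would not be accurate.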
If you would like further guidance on this or any other topic please get in contact.
Post Script
I received a few direct messages asking how to approach a previous employer to obtain a copy of any personal e-mails that had been received, and to ensure that their account is not being left open to receive and process these e-mails. I suggest the following as a template:
'To whom it may concern,
Can you please, and with immediate effect:
- Provide a copy of all personal e-mails in my [COMPANY NAME] e-mail account [E MAIL ADDRESS], and all associated aliases, up until the present day
- Delete my mailbox and all its contents, and confirm to me that this has been done and that no further copies of the data in my mailbox will be retained or processed now, or in the future
- Confirm that no e-mails addressed to my e-mail account will be received or processed now, or in the future.
Kind regards,'
All companies have an obligation to comply with data protection and privacy laws, and I hope this works for you.
Useful links
https://ico.org.uk/global/privacy-notice/report-bad-practices-as-a-whistleblower/