In Short
- A work email address is personal data under the UK GDPR if it can identify a specific individual.
- Generic addresses (such as info@company.co.uk) are less likely to be personal data, but this depends on context.
- If an email address is personal data, you must handle it in line with GDPR and PECR rules.
Tips for Businesses
Review the email addresses your business collects and uses, and assess whether they identify individuals. Only use identifiable work email addresses where you have a clear lawful basis, especially for marketing. Keep email lists up to date, provide clear opt-out options, and apply appropriate security measures. Regular reviews and staff training can help reduce compliance risks.
Email is one of the most widely used communication channels in business, so it is a common question whether an individual’s work email address counts as personal data under the UK General Data Protection Regulation (UK GDPR). The GDPR has applied since May 2018, and since the UK left the EU the UK GDPR, read together with the Data Protection Act 2018, has set the standard for protecting personal data and individuals’ rights in the UK. This article explores when a work email address is personal data and what your UK company should do to comply.
What is ‘Personal Data’ Under the GDPR?
The UK GDPR defines personal data as any information relating to an identified or identifiable living individual. A person is identifiable if they can be singled out, directly or indirectly, from the information itself or from that information combined with other data your business holds or could reasonably obtain.
Some examples of personal information include the following:
- full name;
- postal address;
- National Insurance number;
- passport number;
- email address;
- telephone number; and
- car registration number.
Your company can only process personal data if it has a lawful basis for doing so under the GDPR or Data Protection Act 2018. Failure to do so may result in the Information Commissioner’s Office (ICO) investigating a potential UK GDPR breach and issuing a hefty financial fine of up to £17.5m or 4% of your total annual worldwide turnover in the preceding financial year, whichever is higher.
‘Processing’ covers almost anything done with data: collecting, recording, storing, using, sharing and erasing it all count. Your business should take particular care when processing data about:
- past purchases;
- employees’ or customers’ interests;
- health (which is special category data under the UK GDPR and requires an additional condition before it can be processed); and
- other identifying qualities.
Email Addresses Under the GDPR
Whether a work email address counts as personal data under the GDPR is not straightforward. In some cases, it does, and in others, it does not. The deciding factor is whether the email address can be used to identify a specific individual.
For example, if the email address is generic, such as info@companyname.com, it is unlikely to be classified as personal data, as it does not identify a particular individual and is used for general inquiries and information. This may be considered business data.
However, an email address that includes an individual’s name, such as john.smith@companyname.com, will almost always be personal data: it identifies a specific living individual, and the fact that it is used for work-related communication does not change that.
Additionally, email addresses that indirectly identify a person – such as initials combined with a department (e.g., jsales@company.com) – may still qualify as personal data if the size of the company makes the individual easy to identify.
When deciding whether an email address is truly generic, businesses should consider:
- whether the person’s role could make them identifiable;
- whether the job title linked to the email address points to a specific individual; and/or
- whether the department name, combined with other information, could reveal the person’s identity.
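The checks above can be turned into a first-pass triage of a mailing-list export, so that obviously generic role mailboxes are separated from named individuals and the ambiguous cases (initials, department-plus-initials, job-title addresses) are queued for a human decision. The following is an added example written for this article, not code from the original page; the sample addresses, the domain example-co.uk and the role-word lists are constructed assumptions, and the output is a heuristic sort, not a legal determination.

```python
import re
from collections import defaultdict

# Constructed sample export (fictional addresses, not from the article).
SAMPLE_ADDRESSES = [
    "info@example-co.uk",
    "sales@example-co.uk",
    "john.smith@example-co.uk",
    "jsmith@example-co.uk",
    "jsales@example-co.uk",
    "hr-director@example-co.uk",
    "noreply@example-co.uk",
]

# Assumed lists: whole local parts that are normally shared role mailboxes,
# and words that signal a job title (which may point at one individual).
ROLE_MAILBOXES = {
    "info", "sales", "support", "noreply", "no-reply", "admin", "enquiries",
    "hello", "contact", "accounts", "hr", "press", "marketing",
}
TITLE_WORDS = {"director", "manager", "head", "ceo", "cfo", "cto", "partner"}


def classify(address):
    """Return (category, reason) for one address.

    Categories:
      generic  - shared role mailbox, unlikely to be personal data on its own
      personal - looks like firstname.lastname, treat as personal data
      review   - ambiguous, needs a human to apply the tests in the article
      invalid  - not a usable address
    """
    local, at, domain = address.strip().lower().partition("@")
    if not at or not local or not domain:
        return "invalid", "not a usable email address"

    if local in ROLE_MAILBOXES:
        return "generic", "whole local part is a shared role mailbox"

    tokens = [t for t in re.split(r"[._-]+", local) if t]
    name_like = (
        len(tokens) >= 2
        and all(t.isalpha() for t in tokens)
        and not any(t in ROLE_MAILBOXES or t in TITLE_WORDS for t in tokens)
    )
    if name_like:
        return "personal", "local part looks like a person's name"

    if any(t in TITLE_WORDS for t in tokens):
        return "review", "job title in address may point to one individual"

    # Single token (jsmith, jsales): could be initials plus surname or
    # initials plus department; identifiability depends on company size.
    return "review", "initials or department address; check if it singles out one person"


def triage(addresses):
    """Group a list of addresses by category, preserving input order."""
    groups = defaultdict(list)
    for addr in addresses:
        category, _reason = classify(addr)
        groups[category].append(addr)
    return dict(groups)


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        category, reason = classify(addr)
        print(f"{addr:28} {category:9} {reason}")
```

Anything in the "review" group should be decided by a person with knowledge of the company, since an address like jsales@ is personal data in a three-person sales team but may not be in a large one.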
Even where a work email address is not itself personal data, the messages sent to and from it usually are: sender names, signatures and message content can all identify individuals. Your business must therefore still process that data lawfully, fairly and transparently, and apply appropriate technical and organisational measures to keep it secure.
Work Email Address Classification
If a work email address is classified as personal data, it is subject to the UK GDPR, and your business must comply with its requirements whenever it processes that address. You need a lawful basis for using someone’s personal information, such as their consent, a contract with them, a legal obligation, or a legitimate interest that is not overridden by their rights.
Businesses must also take appropriate measures to protect personal data. For example:
- protect data using encryption, access controls, and regular backups;
- restrict access to personal data to authorised personnel only;
- enable individuals to access, update, or delete their personal data; and
- respect individuals’ rights to object to how their data is processed.
Organisations should review how they use work email addresses for marketing and communication purposes. The Privacy and Electronic Communications Regulations (PECR) sit alongside the UK GDPR and restrict unsolicited electronic marketing. PECR’s consent requirement applies to ‘individual subscribers’ (which include sole traders), so sending promotional email to such addresses without consent, or without the ‘soft opt-in’ for existing customers, may breach PECR. Marketing to ‘corporate subscribers’ (for example, limited companies) does not require PECR consent, but where the address identifies an individual the UK GDPR still applies: you need a lawful basis such as legitimate interests, and you must honour objections and opt-out requests.
To help stay compliant, your business can maintain:
- up-to-date marketing preferences; and
- opt-out options.
How Can My Business Comply With the GDPR When Handling Work Email Addresses?
To comply with the GDPR when processing work email addresses, your company must:
- determine whether the email address is personal data;
- identify your lawful basis for processing it, and obtain the individual’s consent where no other basis (such as legitimate interests) applies;
- implement appropriate technical and organisational measures to ensure the security of personal data;
- honour individuals’ rights under the UK GDPR, such as the right to access their personal data and to have it corrected or erased where the conditions for those rights are met; and
- keep records of processing activities, including their primary purpose, the categories of personal data you process and any third parties that you share the data with.
Key Takeaways
In conclusion, classifying work email addresses as personal data under the GDPR is complex. It depends on whether the work email address can be used to identify an individual. If it is considered personal data, your company must follow GDPR rules when handling it. This includes obtaining consent where needed, implementing proper security measures, and keeping accurate records.
To stay compliant, businesses should conduct periodic GDPR audits, review communication policies and ensure marketing practices align with both GDPR and PECR obligations.
If you need support with handling personal data, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Does the GDPR apply to company email addresses used for marketing?
Yes. If a company email address identifies an individual (e.g., jane.doe@company.com), using it for marketing requires compliance with both the UK GDPR and PECR. Under PECR, marketing email to individual subscribers (including sole traders) requires consent or the soft opt-in for existing customers; marketing to corporate subscribers does not require PECR consent, but under the UK GDPR you still need a lawful basis (often legitimate interests), must offer an easy way to opt out, and must act on any objection.
What should my business do if someone requests that their work email address be deleted?
Under the UK GDPR’s ‘right to erasure’, individuals can ask for their personal data, including a work email address, to be deleted, for example where it is no longer necessary for the purpose it was collected for or where consent has been withdrawn. Your business should assess the request, confirm whether any lawful basis for retaining the data still applies, respond without undue delay and within one month (extendable by up to two further months for complex requests, provided you tell the individual within the first month), and document the actions taken. Where the address was on a marketing list, keeping it on a minimal suppression list so it is not re-added is generally acceptable and is the practical way to respect the request.