Should Your UK Business Class a Work Email Address as Personal Data Under the GDPR?

In the era of digital communication, email is one of the most widely used communication methods in businesses. However, with the rise of the UK General Data Protection Regulation (GDPR), there are concerns about whether an individual’s work email address constitutes personal data. The GDPR came into effect in 2018, aiming to provide more robust protection for personal data and enhance individuals’ rights over their data. This article will explore whether a work email address can be classed as personal data under the GDPR and what your UK company should do to comply with the GDPR.

What is ‘Personal Data’ Under the GDPR?

The GDPR defines personal data as any information that relates to an identifiable living person.  

Some examples of personal information include the following:

• full name; 
• postal address;
• National Insurance number;
• passport number;
• telephone number; and
• car registration number.

Your company can only process personal data if it has a lawful basis for doing so under the GDPR or Data Protection Act. Failure to do so may result in the Information Commissioner’s Office (ICO) investigating a potential UK GDPR breach and considering a hefty financial fine of up to £17.5m.

‘Processing’ data involves common practices such as using, storing and erasing data. Aside from the examples above, your business should also be careful when processing data around past purchases, employees’ or customers’ interests, health preferences and other identifying qualities.

Is a Work Email Address Personal Data Under the GDPR?

The answer to this question is complex. Sometimes, a work email address may not be personal information, while in others, it may be classified as personal data. It all depends on whether the email address can be used to identify the individual.

For example, if the email address is generic, like info@companyname.com, it is unlikely to be classified as personal data. Here, the email address does not identify a particular individual and is for general inquiries and information. This may be considered business data.

It is worth noting that even if an individual’s work email address is not classified as personal data, it is still subject to data protection principles under the GDPR. For example, businesses must ensure that they process personal data lawfully, fairly and transparently. Furthermore, they must implement appropriate technical and organisational measures to ensure the security of personal data.

Why Does It Matter if a Work Email Address is Classified as Personal Data?

If a work email address is classified as personal data, it is subject to the GDPR, and businesses must comply with the GDPR requirements when processing the data. Your business must ensure a lawful basis for processing personal information, such as the individual’s consent or legitimate interest.

Businesses must also ensure that they have implemented appropriate technical and organisational measures to ensure the security of personal data, such as encryption, access controls and regular data backups. Additionally, individuals can access their personal data, have it corrected or deleted, and object to its processing in certain circumstances.

Any failure to do so can result in financial penalties from the ICO, reputational damage and legal action. The ICO website details their powers and decisions against UK organisations. Therefore, your company must understand whether a work email address is classified as personal data and take appropriate measures to comply with data protection law.

How Can My Business Comply With the GDPR When Handling Work Email Addresses?

To comply with the GDPR when processing work email addresses, your company must:

• determine whether the email address is personal data;
• obtain the individual’s consent in circumstances where your company does not have a legitimate legal interest in processing the personal data;
• Implement appropriate technical and organisational measures to ensure the security of personal data;
• provide individuals with their rights under the GDPR, such as the right to access personal data and have it corrected or deleted upon reasonable request; and
• keep records of processing activities, including its primary purpose, the categories of personal data you process and any third parties that you share the data with.

Key Takeaways

In conclusion, classifying work email addresses as personal data under the GDPR is complex. It depends on whether you can identify the individual through the email address. If a work email address is classified as personal data, then your company must comply with GDPR requirements when processing the data. This includes matters relating to consent, security measures and good record-keeping. Many business owners obtain expert legal advice regarding processing and handling sensitive personal data, contact details and email addresses to ensure GDPR compliance and peace of mind. 

If you need help correctly processing work email addresses, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.