Generic Mail Accounts and the GDPR
Companies often need mail addresses that represent topics rather than people. An online shop with an extensive range of products could use generic e-mail addresses according to the product categories (email@example.com, firstname.lastname@example.org) or which ones map the processes (email@example.com, firstname.lastname@example.org).
The decisive factor is that several people will be responsible for one topic. This makes sense, as employees are sometimes ill, on holiday or leave the company. Cloud enterprise solutions such as AWS, G Suite or Office 365 offer so-called group mailboxes for this purpose. A CRM or ticket system such as Zendesk or OTRS would be used for such requirements if they were consistently organised. The rather improvised topic mail address procedure is often found in the wild, however, in small and medium-sized companies and must be mapped in the processing directory.
What does all this have to do with data protection? When I send an email to a company, I communicate with a legal entity. If this communication is read by unauthorized persons, such as a former employee who has left the company, then the protection of my personal data is violated.
My mail to email@example.com, because of the broken sextoy that was sent to me, is very personal. I don’t want a disgruntled ex-employee to read along and get stupid thoughts about what you could do with this communication to wipe out erotic.com.
We therefore need a procedure that ensures that only currently authorized persons have access to communication via the topic e-mail addresses. Employees who leave the company are no longer part of the legal entity with which the person concerned communicates and must therefore be denied access to the communication channel.
Credentials for Everyone Responsible
A variant to bring the communication by topic mail to the person is to send the access data to the topic mail account to all responsible persons. This has the advantage that a responsible person can recognize if a request has already been processed by another responsible person. All communication takes place via the topic address. Thus all responsible persons are at any time in the picture and can represent themselves mutually.
However, this becomes cumbersome if a responsible person is to be deprived of access to the company’s topic communication. In this case new credentials for the account would have to be assigned and made accessible to all responsible persons except for the retiring person.
Forwarding to personal accounts
Another variant is to forward incoming mails on the theme account to the mail addresses of the responsible persons. This has the advantage that accessibility can be checked at one point: it is only forwarded to the group of people who are allowed to read along. If someone drops out, the forwarding is removed from the theme account.
More cumbersome is the process organization. A procedure would have to be worked out to ensure that all those responsible know who is currently working on a process with what status. If this responsible person should fail by illness, another could step in immediately.
Digitization as Organizational Solution
With the advance of enterprise cloud solutions and the evolution of data protection and data security, such organizational issues will hopefully soon be fully resolved for small and medium businesses as well. With the G Suite, you can define incoming mail groups as described at https://support.google.com/a/answer/167430. All Cloud Enterprise providers offer something similar.
A real advance is thus emerging: the retention of competence in the form of data in the company, even if the relevant employee is absent for a short time or permanently.
Collaboration suites from cloud providers provide at best several employees with specific access to documents stored in the company’s cloud storage. Hopefully this means that in the future it will no longer happen that the dedicated gross income plan for the next 5 years leaves the company irretrievably together with Mr. Müller.