GDPR and Generic E-Mail Accounts
The GDPR makes many things more complicated. Companies often need e-mail addresses that do not represent persons but topics. An online shop with an extensive assortment could use generic e-mail addresses according to the departments (email@example.com, firstname.lastname@example.org). Or which ones represent the processes (email@example.com, firstname.lastname@example.org). Especially frequent is the email@example.com. Who has access to these accounts? Who can view the personal information of the incoming e-mails and, if necessary, pass it on to third parties? This is certainly relevant in the context of the GDPR.
It is often necessary for several people to be responsible for one topic. This makes sense because employees sometimes get sick, take vacation or leave the company. Cloud enterprise solutions such as AWS, G Suite or Office 365 offer so-called group mailboxes for this purpose. Consistently organized, a CRM or helpdesk system such as Zendesk or OTRS could also be used for such requirements. However, the rather improvised topic e-mail account procedure is often found in small and medium-sized companies and should be reflected in the records of processing activity.
But what does that have to do with data protection and the DSGVO? When I write an e-mail to a company, I am communicating with a legal entity. If this communication is read by an unauthorized natural person, a former employee for example who has left the company in the meantime, then the protection of my personal data (name, e-mail address) is violated.
We therefore need a procedure that ensures that only currently authorized persons have access to communication on the topic e-mail accounts. Employees who leave the company are no longer part of the legal entity with which the customer communicates. These employees must therefore be deprived of access to the communication and thus to the company’s personal data.
Credentials for Everyone Responsible
One way to bring communication via topic mail to the employee is to provide all responsible persons with access data to the topic mail account. This has the advantage that the responsible person can see if a request has already been processed by another responsible person. All communication takes place via the topic address. Thus all responsible persons are always in the picture and can represent each other.
However, it becomes cumbersome if those responsible are to be deprived of access to the company’s topic communication. In this case, new access data for the account would have to be assigned and made available to all responsible persons, except for the departing employee. The remaining employees would use the new access data for the topic account from that point on.
Forwarding to personal accounts
Another variant is to forward incoming e-mails on the theme account to the e-mail addresses of the responsible employees. This has the advantage that the access can be controlled at one place: it is only forwarded to the group of people who are allowed to read along. If someone leaves the company, the forwarding is removed.
The process organization is more complicated. A procedure would have to be developed to ensure that all responsible persons know who is currently working on a process and with what status. Should this person in charge be absent due to illness, another employee could take over.
Digitization as GDPR Measure?
With the advance of enterprise cloud solutions and the evolution of data protection and data security, such organizational issues will hopefully soon be completely resolved for small and medium-sized enterprises. With Google’s G Suite, inbox groups can be defined as described at https://support.google.com/a/answer/167430. Something similar is offered by all major Cloud Enterprise platforms. If we disregard the fact that Google is a US-American company, we could classify this standardization as technical and organizational measure according to GDPR.
A major advance is thus emerging: the retention of competence in the form of data within the company, even if the relevant employee is absent for a short time or permanently leaves. The challenge of mapping competences and processes persistently in the company has become a major challenge due to the increasing individual work through home office and smartphone. Work is no longer done primarily at the workplace in the company, but increasingly from home and on the road.
Through collaboration suites of cloud providers, at best several employees have specific access to documents stored in the company’s cloud storage. This will hopefully prevent the company from irretrievably losing its major income planning for the next 5 years together with resigning Mr. Miller.