You're pressed for time and need to communicate with someone about something unrelated to work.
That's acceptable to do from your business email account, correct? Wrong! Indeed, you may discover that it’s an extremely career-limiting move!
Consider the recent situation of Mrs Householder, who was organising construction work at her home with the assistance of Mr Builder, her contractor, and Mr Architect, her, um, architect.
She worked for a large bank and communicated with them by email from her work account.
As the project progressed, the architect's proposals increased the project's expenditure as the scope of work expanded.
Mr Builder delivered Mrs Householder the bill, but she emailed him to inform him that she would not pay the additional £10,000 because he had initially offered her an estimate for the project that was £10,000 less.
Mr Builder attempted persuasion, but she was resolute. She had no intention of paying it.
Mr Builder asked if we could assist.
Mr Builder stated that if Mrs Householder did not pay in full, he would be severely out of pocket financially.
When we examined the documentation, we discovered that all of the emails originated from Mrs Householder's work email address.
What did we do?
We lodged a Subject Access Request (SAR) with the large bank to see what data it held on Mr Builder.
The General Data Protection Regulation (GDPR) gives people the right to ask what information any business or organisation holds on them, how it was gathered and for what purpose, under what legal basis it is held, when it will be destroyed, and whether it has been shared with anyone. This applies to large and small businesses and organisations.
Here’s the interesting part in this story… that includes all emails within the organisation, including Mrs Householder's.
What did the bank do?
The bank received this SAR and passed it to their data controller to gather the information together and reply.
Mrs Householder’s employers discovered that she had been conducting her personal business from her work email account.
Her employers also realised that her decision was going to cost them in staff hours spent investigating the request.
Yet, this wasn’t the worst part of the situation for Mrs Householder.
You would expect the investigation to find the emails Mr Builder had been sent by her.
Mr Builder’s name was also found in emails between her and Mr Architect.
These emails discussed tactics Mrs Householder could use to avoid paying Mr Builder for his work.
Not only did her employers see these emails and take a dim view of them, but the bank also realised that under GDPR it had to release the personal data in the emails to Mr Builder. The bank did not care to spend any time redacting information from them (after all, it wasn’t their problem) and released the data in complete, unredacted form.
Suddenly, Mrs Householder no longer had access to her work email account.
She no longer works at the bank.
What was the outcome?
Mr Builder now has an excellent case against Mrs Householder if she doesn’t pay and the matter goes to court. He also has the evidence to refer Mr Architect to the Architects Registration Board, the governing body for the profession.
All from one simple request for data.
Here’s the biggest irony: If Mrs Householder had used her own personal email account, Mr Builder would have no right to ask for any data or emails. GDPR only covers businesses and organisations, rather than individuals.
Let that be a cautionary tale about using work email!
Of course, Mr Builder isn't actually a builder, and the company wasn't a bank. Mr Architect wasn't an architect either... We have changed the circumstances to save any embarrassment.