Personal Email Account Use – What should you do if your employees use their personal email accounts for business purposes?

What are the risks?

When an employee uses their personal email account for business purposes or sends information to their personal email account, this leaves your company exposed to risks. This could be data protection issues, such as leaking personal data and breaching UK GDPR, or leaving the company unable to respond completely to a Data Subject Access Request and being reported to the Information Commissioner’s Office for non-compliance. There may also be commercial risk involved if commercially sensitive information is read by someone external to the business or if your company is in a regulated industry, you may not be able to demonstrate a complete audit trail, the company may then be investigated by the regulator where otherwise this may not have been necessary.

When it happens…

…what should you expect from your employee?

If an email has been sent accidentally, remind employees to use the “undo send” or “recall email” functions in Outlook or your equivalent email platform, this can save an accident from becoming a problem. This function is only likely to work if the recipient has not opened the email.

Encourage honesty from your employees if a personal email account has been used for any reason, as you will be much better placed to resolve any potential issues if you have all of the facts.

In a regulated industry your employee may need to report their use of a personal email account to your compliance department.

Employees should be reminded that they could be personally prosecuted for deliberately transferring confidential personal information to their personal email account.

…how should you respond?

Your company should agree a standard policy to follow when an incident occurs. Accidental use, where an employee has been honest, is very different from deliberate, routine and habitual use. Each incident should be investigated fairly and consider the frequency and the content of emails sent.

It may be that the incident is severe enough to consider disciplinary proceedings up to and including dismissal as a sanction for more serious personal account use. It’s important to factor in the individual’s position in the company; a senior manager could have a much bigger impact than your new graduate recruit.

In some circumstances, particularly in regulated industries, it may be necessary to complete a fitness or suitability re-assessment of an employee.

If using personal email accounts is a widespread issue across the company, it may be worth completing an internal review of all use of work and personal devices to ensure that the company is minimising its risks. If you are allowing your employees to use personal email accounts for business purposes your company may be liable for a fine of up to £17.5 million or 4% of annual global turnover (whichever is greater) for breaching both UK GDPR and the Data Protection Act 2018.

If personal data or other sensitive information has been shared your company should consider whether any individuals, clients, regulators, or the Information Commissioner’s Office need to be informed as this could be a data breach.

How to prevent personal email account use from happening

We all know that prevention is better than a cure. Whilst accidents do happen, to minimise the risks of personal email account use it is best practice to maintain either a standalone email policy prohibiting personal email use or include the directive in your wider IT and communications systems policy and ensuring that all employees have seen and understand your policy. Regular training and reminding employees of the risks and the procedure following personal email use would also mitigate the risks. There may also be steps you can take to mitigate the risk to improve working from home conditions (e.g., people sending content to their personal devices because they have better connectivity on home devices).

From an organisational perspective, if you are in a particularly at-risk industry, you should consider implementing technical safeguards into your IT system. An example of this would include setting up alerts which can be sent if emails are forwarded from corporate to personal accounts or perhaps consider blocking access to web-based personal email accounts like Hotmail or Gmail on work devices.

If you have any concerns or need advice on drafting your company’s communication or email policy, please contact our Employment Team.

Disclaimer: We at Memery Crystal (and our parent company RBG Holdings plc) support and encourage free/independent thinking in relation to issues which are sometimes considered to be controversial subject matters. However, the views and opinions of the authors of articles published on our website(s) do not necessarily reflect the opinions, views, practices and policies of either Memery Crystal or RBG Holdings plc.