A Case Study
You’re busy at work and you need to drop someone a line about a non-work matter.
It’s fine to do that from your work email account, right?
Wrong… In fact, you could find that it’s a very career-limiting thing to do!
Take the case we undertook recently of Mrs Householder, who was organising building works at her home with Mr Builder, her contractor, and Mr Architect.
She worked in a large bank and sent them several emails from her work email account.
As the project progressed, suggestions by the architect caused the costs of the project to increase as the work expanded.
Mr Builder sent Mrs Householder the bill, but she emailed him that she wasn’t going to pay the extra amount because he had sent her an estimate at the start of the project which was £10,000 less.
Mr Builder tried to reason with her, but she was adamant. She was NOT going to pay it.
We were asked by Mr Builder if we could help.
Mr Builder said he would be significantly out of pocket if Mrs Householder didn’t pay in full.
When we looked at the paperwork we realised all the emails had come from Mrs Householder’s work email address.
What did we do?
We lodged a Subject Access Request with the large bank to see what data it held on Mr Builder.
The General Data Protection Regulation (GDPR) gives people the right to ask what information any business or organisation holds on them, how it was gathered and for what purpose, under what legal basis it is held, when it will be destroyed, and whether it has been shared with anyone. This applies to large and small businesses and organisations.
Here’s the interesting part of this story: that data includes every email held within the organisation, including Mrs Householder’s.
What did the bank do?
The bank received this SAR and passed it to their data controller to gather the information together and reply.
So, Mrs Householder’s employers discovered that she had been conducting her personal business from her work email account.
Her employers also realised that her decision was going to cost them staff hours to investigate the request.
Yet, this wasn’t the worst part of the situation for Mrs Householder.
You would expect the investigation to find the emails she had sent to Mr Builder.
Mr Builder’s name was also found in emails between her and Mr Architect.
These emails discussed tactics Mrs Householder could use to avoid paying Mr Builder for his work.
Not only did her employers see these emails and take a dim view of them; the bank also realised that under GDPR it had to release them to Mr Builder.
Suddenly, Mrs Householder no longer had access to her work email account.
She no longer works at the bank.
What’s the outcome?
Now, Mr Builder has an excellent case against Mrs Householder, should the matter go to court if she doesn’t pay. He also has the evidence to refer Mr Architect to the Architects Registration Board, the governing body for the profession.
All from one simple request for data.
Here’s the biggest irony: If Mrs Householder had used her own personal email account, Mr Builder would have no right to ask for any data or emails. GDPR only covers businesses and organisations, rather than individuals.
Let that be a cautionary tale!
Of course, Mr Builder isn’t actually a builder and the company wasn’t a bank. Mr Architect wasn’t an architect either... We have changed the circumstances to save any embarrassment.