On 31 Aug 2023. Reading time: 5 minutes.
The General Data Protection Regulation is a legal act of the European Union, so it no longer applies to the United Kingdom. If you operate in the United Kingdom, you must comply with the Data Protection Act 2018, which has already enacted the requirements of the European privacy and security law. The new regime governs personal data rights, including the way companies handle the information classified as sensitive. It’s commonly referred to as the UK GDPR because, in practice, there’s little change to the chief data protection principles, rights, and obligations.
Since it’s impossible to run a business without processing personal data or exchanging it with other businesses, you must ensure there is no misuse of information about individuals’ finances, medical history, and so forth. The Data Protection Act 2018 covers the processing of information relating to an individual. The definition mentions any information about a particular person, meaning that the term personal information can be broadly interpreted. For example, a telephone number, credit card number, or postal address constitutes personal data. The question now is: is an email address personal data?
An Email Is Personally Identifiable Information
Emerging technology platforms have transformed the way businesses operate and the way people relate to one another. Internet-based resources such as eCommerce and social media have generated a surge of data and will accelerate the use of sophisticated analytics. This wealth of information enables organisations to gain insight into how to better interact with clients, but there are concerns that businesses don’t adhere to security practices and that the right to privacy isn’t respected. The privacy and security law applies to companies, large or small, that sell products and services to the British market. The principle of accountability is the foundation of the UK GDPR.
As the name suggests, personally identifiable information is any information that, when used alone or alongside other data, can be used to identify a living individual. It falls within the scope of the Data Protection Act 2018. The law protects personal data regardless of whether processing is done manually or automatically, so it’s technology neutral. Additionally, it doesn’t matter how the information is stored. An email isn’t always secure, so it’s recommended to avoid emailing personal data; if there’s no alternative, you must resort to encryption or secure verification techniques.
To answer the all-important question: an email address is personally identifiable information, because it can be used by itself or together with other data to identify a natural person. A message can be traced back to its sender by examining the header, which contains the email metadata and routing information. Equally, a person’s email address typically includes their first and last name and where they work. If it’s possible to identify a person either directly or indirectly, the Data Protection Act 2018 applies. Personal data is a frequent target for thieves, so it’s crucial for companies to keep their databases secure.
When Is an Email Address Not Considered Personal Data?
If information is anonymised once and for all or can’t be traced back to a living individual, it’s not considered personal data. Let’s take an example. An email address such as info@company.com or sales@company.com isn’t considered personal data because it’s a generic company address. It doesn’t identify a natural person. Rather, such an address helps clients identify a company; it can be used for, say, receiving applicant resumes. Information concerning a business that is legally separate from its owners (shareholders) and those appointed to run it (directors) doesn’t represent personal data and doesn’t fall within the scope of the Data Protection Act 2018.
Revealing an Email Address Is a Breach of Privacy in Some Instances
Sharing an email address without prior consent can be a breach of data protection. The person in question can reach out to the organisation if they feel the company hasn’t handled the information dutifully and in line with good practice. Not all infringements lead to fines. The supervisory authority (the Information Commissioner’s Office) can issue a warning or suspend data transfers, which need not disrupt your operations. For more information and guidance on your obligations, you can consult reliable online sources. Equally, you can consult a solicitor or a local data protection officer to learn what systems or processes to implement to maintain compliance.
Sharing an email address without the person’s knowledge or express permission can result in unwanted marketing emails or targeted scams. To satisfy the accountability principle, you must identify at least one legal basis for sharing data before proceeding. An employer doesn’t require consent to use a work email address or to access the messages for disciplinary purposes. Bear in mind that even if an email address isn’t classified as personal data, it’s still subject to the principles of data privacy, so it’s vital to implement the necessary technical and organisational measures to ensure the security of personal data.
If a Risk Is Likely, It’s Imperative to Notify the ICO
If you suffer a data breach and a risk to individuals is likely, you must report the incident to the Information Commissioner’s Office. It’s imperative to report the data breach as soon as possible, typically within the first 72 hours of discovering it. It goes without saying that you must be precise and supply sufficient information, as it will be used to decide what happens next. Where applicable, you can also share the information with law enforcement officers and cybercrime agencies, because substantial new or different information can help mitigate and resolve issues. Understanding and planning a response to a cyberattack is like putting together the pieces of a puzzle, 90% of which are in the hands of private companies.
Concluding Thoughts
Numerous data breaches involve the misuse of email addresses. An email address is considered personal data in most circumstances because it contains information tied or related to an individual. An address such as name.surname@company.com will almost certainly qualify as personally identifiable information. Personal data doesn’t include generic business addresses or any other general business information.