Applying GDPR principles to leavers’ inboxes

Do you know what the GDPR principles are and how to apply GDPR principles to leavers inboxes? When an employee leaves your organisation what are the first things that come to mind with regards to their Google Workspace account? Maybe it’s security and how to correctly deactivate the account so that it can no longer be accessible, or maybe it’s how you retain or transfer their data so you don’t lose important files or communications. But if you’re business is based in the UK or EU there are also GDPR principles that you need to contend with.

GDPR and mailboxes

Employees are increasingly becoming concerned by business practices where, for genuine business reasons, a mailbox of an exiting employee remains open after termination. Companies argue that this practice is for entirely legitimate business reasons, such as in relation to sales queries or order processing where another individual in the business can pick up on emails that are being replied to the exiting employee. However recently European DPA’s have refined their position on this practice. Below is a summary of what EU-based organisations should be thinking about when offboarding leavers.

With regards to the email address and mailbox of a former employee or contractor, you need to consider the following:-

• As an employer, you may invoke a legitimate interest (article 6.1 f) to leave a professional email account open for a certain period of time after the termination, as there may still be interesting emails coming in. However the employee should have the right to go through their mailbox and delete any personal emails or forward them to a private email address. Equally, any professional or business-related emails in the mailbox should also be forwarded to a colleague within the organisation in order to ensure the proper functioning of the company. This process of sifting through the employee’s email should be done in the presence of the employee, and before they have departed the organisation. If however, the exit is contentious, the intervention of a “person of trust” should be used. It is also important that the procedure is included within the company’s staff handbook as part of the IT policy.
  
• In order to comply with its obligations of data minimisation, the company should configure an auto-responder on the day that the employee leaves the company. The employee should be informed of this message but does not have the right to block or amend it. The message informs the email sender in hopefully neutral terms that the intended recipient no longer works for the company and provides the contact details of the person who should be contacted instead. Any autoresponder should only be configured for a reasonable period of time, which can range from 1 to 3 months depending on the context and the position and responsibilities of the employee.
  
• After this period of email forwarding, the email account, and mailbox should be completely deleted. Interestingly, automatic forwarding of emails to the named replacement after the mailbox is deleted is not considered an alternative solution.

These procedures are guidelines, not laws however it’s recommended that organisation try to stay within these guidelines.

How can Patronum help with GDPR compliance?

Patronum recommends that a GDPR-compliant backup solution, instead of downloading or archiving emails upon exit, is often the best starting point. Correctly configured backup solutions can be used to make sure that only accounts with a legitimate interest are retained.

With Patronum you can configure an offboarding policy that will automatically configure an auto-response, transfer Google Drive files to a Shared Drive, apply a Google Workspace Archive User license, and finally delete the Google Workspace account permanently.

With a Patronum Policy, you can streamline the offboarding process and make sure that everyone is offboarded in a structured and consistent fashion.