Are your board members or trustees doing any of these three things with their emails, which are a risk to both your resources and relationships?

1. Using their personal or day-job email addresses for board-related work.

What’s the risk? If the external email provider experiences a breach, the sensitive issues your board discusses could be leaked.

And if you need to respond to a subject access request (SAR), whereby an individual can ask for copies of their data, you will need to rely on anyone using an external email address to supply access to their emails.

2. Writing emails as if they will be kept private forever, containing details they wouldn’t want to be shared with the person they’re discussing or with the public in general.

What’s the risk? Anything committed to email can be forwarded on, inadvertently or intentionally, and the contents may have to be shared in response to a SAR or Freedom of Information Request.

3. Keeping emails forever…and ever…

What’s the risk? Although it can be handy to refer back to emails, keeping them too long is a risk: the more emails you’re holding, the more you could lose in a breach, and the more you need to trawl through, and possibly disclose, to answer a SAR.

How can you reduce these email-related risks?

  1. If your organisation hasn’t set up email addresses on its own domain for each of your board members or trustees, doing so is a priority. Remind your board to use those email addresses, and no others, for board-related business.
  2. Write emails as if they are going to end up being shared; stick to the facts and stay civil. (Anything less civil can always be shared verbally!)
  3. A regular clear-out of emails is crucial, and you can even set up email systems to automatically delete emails at a certain point.


For more information

Please contact Clare Paterson to learn more about how we can help you manage your data-related risks.