Inbox detox GDPR compliance is something most businesses never think about. We all get overwhelmed, and it is easy for a busy business owner or manager to start losing important emails in the deluge that hits our inbox.
It is a great relief to reach the point when you can finally get someone to sort all that out for you. Hiring a VA to do this is efficient, and often cost effective, leaving you free to concentrate on what you really need to be doing.
What feels like simple admin — opening, sorting and replying to emails — is, under UK GDPR, the processing of personal data.
If you or your VA manage an inbox, this applies to you.
Is Inbox Detox Data Processing under UK GDPR?
Many people think that viewing emails is not data processing. Somehow we have got the idea that processing means changing the information. It does not: simply looking at personal data is processing.
Under UK GDPR Article 4(2), “processing” includes consultation, retrieval, organisation, erasure and disclosure. The ICO’s definition of processing makes this clear:
When you:
- Open an email
- Search an inbox
- Move messages into folders
- Forward an email
- Delete messages
you are processing personal data.
A name in an email address is personal data.
A name in a subject line is personal data.
The contents of emails often contain much more.
Inbox detox is not “just admin”. Even if all the emails are from business owners, that does not mean there is some special exemption for B2B. If a living individual can be identified, it is personal data.
What Inbox Detox and GDPR Means for VAs and Their Clients
The client (or their organisation) is usually the data controller. If a VA logs into a client’s inbox to manage email on the client’s instructions, the VA is acting as a data processor.
That means:
- There must be a written data processing agreement.
- Security measures must be appropriate.
- Access must be controlled.
- The client’s data privacy policy must reflect reality.
For a small business this does not have to be a massive burden but you can’t just ignore it.
Don’t Share Email Logins
If you are not technically minded it can seem easier to just share your login, deactivate 2FA if you have it, and get the VA started. You wouldn’t be doing this if you weren’t already super busy, and this doesn’t seem like a great moment to add something to your to-do list!
But failing to take the time to set this up properly creates a big hole in your data privacy and security and can potentially invalidate your cyber insurance or professional indemnity insurance. And because there is no audit trail, this creates a GDPR compliance failure: if your email gets hacked, how can anyone know what you did, what your VA did and what the hacker did? It’s all on one shared login. You would never do that with your bank account details, would you?
If you are currently sharing logins or planning to, please read this blog first:
Your VA should have their own login with delegated access. That way there is a system record of who did what AND there is no need to turn off other security measures such as 2FA.
How to Set Up Delegate Access Properly
Delegate access is when you let someone with their own login into your email (or calendar) to manage your inbox on your behalf. There is still an audit trail of who did what. If you are a bit hazy on IT, it can be easier to get your IT person to set it up for you. But if you want to do it yourself, you need to be logged in as the mailbox owner (or with admin rights for your organisation’s account) before you start the process.
If you think about it, you are the data controller and it is your job to keep control of who accesses data, so this is an important part of your role.
Outlook (Microsoft 365)
Microsoft explains mailbox delegation here:
At a high level:
- Open account settings.
- Select Delegate Access.
- Add your VA’s email address.
- Assign specific permissions (for example, Inbox only).
- Keep 2FA enabled.
Your VA logs in using their own account.
Permissions can be restricted and removed cleanly.
Activity remains traceable.
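For readers (or their IT person) who would rather do the Microsoft 365 setup from the command line, the following is an added example, not part of the original post or of Microsoft’s documentation. It shows the same three points as the Outlook steps above: scope the VA to the Inbox only, keep the VA on their own login, and check the audit trail that a shared password would have destroyed. It assumes the ExchangeOnlineManagement PowerShell module is installed, and the addresses admin@example.com, owner@example.com and va@example.com are placeholders.

```powershell
# Added example (not from the original post): Inbox-only delegation in Exchange Online,
# plus the audit checks that show who did what. Placeholder addresses throughout.

# Sign in as yourself; MFA is prompted interactively. No password is ever given to the VA.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

$Owner = "owner@example.com"
$VA    = "va@example.com"
$Inbox = "$($Owner):\Inbox"   # folder path syntax: mailbox:\Folder

# TOO BROAD: FullAccess hands over the whole mailbox (every folder, Sent Items, Contacts).
# Add-MailboxPermission -Identity $Owner -User $VA -AccessRights FullAccess -InheritanceType All

# SCOPED: Editor on the Inbox only = read, create, edit and delete items in that folder.
Add-MailboxFolderPermission -Identity $Inbox -User $VA -AccessRights Editor

# Optional: let the mailbox appear in the VA's Outlook folder list (root folder visible,
# no item access). Without this the VA opens the Inbox via "Open other user's folder".
Add-MailboxFolderPermission -Identity "$($Owner):\" -User $VA -AccessRights FolderVisible

# Review exactly what the VA can see, and with which rights.
Get-MailboxFolderPermission -Identity $Inbox -User $VA

# Audit trail: mailbox auditing records delegate actions under the VA's own identity.
# Pull the VA's activity in the owner's mailbox for the last 7 days. Note that the
# MailItemsAccessed operation needs the premium audit licence; the others do not.
$Start = (Get-Date).AddDays(-7)
$End   = Get-Date
Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $VA -ResultSize 500 `
    -Operations MailItemsAccessed,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf |
  ForEach-Object { $_.AuditData | ConvertFrom-Json } |
  Where-Object { $_.MailboxOwnerUPN -eq $Owner } |
  Select-Object CreationTime, Operation, LogonType, ClientInfoString |   # LogonType 2 = delegate
  Format-Table -AutoSize

# When the engagement ends, remove the delegation cleanly. No password change needed,
# and nothing else the VA had access to is affected.
Remove-MailboxFolderPermission -Identity $Inbox -User $VA -Confirm:$false
Remove-MailboxFolderPermission -Identity "$($Owner):\" -User $VA -Confirm:$false

Disconnect-ExchangeOnline -Confirm:$false
```

The contrast worth noticing is the commented-out `Add-MailboxPermission ... FullAccess` line against the folder-level `Editor` grant: both are “delegation” in the loose sense, but only the second matches the “Inbox only” permission the steps above recommend. The audit query is what a shared login can never give you: every action is tied to the VA’s account, with the logon type showing it was done as a delegate rather than as the owner.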
Gmail / Google Workspace
Use Gmail’s “Grant access to your account” feature. Here is a link to how to do that
Steps:
- Go to Settings.
- Open “Accounts and Import”.
- Select “Grant access to your account”.
- Add your VA’s Google email address.
- Confirm the invitation.
Again:
- No password sharing.
- 2FA stays enabled.
- Access is controlled and revocable.
Transparency Is Not Optional
Inbox detox GDPR compliance is not only about security — it is also about transparency.
If your VA has access to your inbox, this affects other people’s data privacy. When people email you they won’t automatically expect external contractors to be viewing their emails.
Your data privacy policy should state that authorised team members or service providers may handle emails containing personal data.
Your email signature should not mislead recipients into believing every message is personally handled by you.
A simple line such as:
This inbox is monitored by authorised members of our team including service providers.
is a good place to start.
Transparency is a legal requirement under UK GDPR. It is also basic professional honesty.
Children’s Data and Sensitive or High Risk Information
If your inbox contains:
- Children’s data
- Health information
- Safeguarding concerns
- Therapy disclosures
- Financial hardship details
you are operating in higher-risk territory.
Email is:
- Easily misaddressed
- Forwardable
- Downloadable
- Synced across multiple devices
For higher-risk data — especially children’s data — inbox delegation alone may not be enough.
In many cases, a secure client portal with role-based access is more appropriate than relying on email. For a smaller business this can mean using SharePoint, Google Docs or Dropbox. But if you are using services that host data outside the UK, you will need a lawful basis for the international transfer (for example, UK adequacy regulations or the ICO’s international data transfer agreement), and your privacy policy must say that the data goes abroad.
The more sensitive the data, the stronger the controls must be.
Please Don’t “Just Let Them In”
Once you have sorted out the tech, you still need the paperwork side of things to be right. Inbox detox GDPR compliance is not solved by delegation settings alone.
If your VA has access to personal data in your inbox and:
- There is no written data processing agreement
- There are no documented confidentiality obligations
- There are no clear processing instructions
then you do not have compliant outsourcing.
You really need to sort out the contract, the data processing agreement and an update to your data privacy policy.
A proper contract should:
- Define the scope of inbox access
- Set confidentiality obligations
- Specify security expectations
- Cover data protection responsibilities
- Align with your privacy policy
If you are not issuing your VA with appropriate data protection and confidentiality terms, that is the gap to fix first. VA KoffeeKlatch contract customers have a contract and a way to build a data processing agreement to fill this gap (with a bit of help from you) but not all VAs have contracts, never mind contracts designed to do all of this.
As the data controller it is your responsibility to properly contract and instruct your VA. While it is tempting to think – “they are in business – they should sort this out” the ultimate responsibility if something goes wrong will fall on you. It is better to take the time to do this properly rather than assume or hope.
KoffeeKlatch team hiring contracts are designed for the way you work today. You can find out more here