

I’ve been talking this week about how email auto-forwarding is a common back door used by cybercriminals, and how one attack caused a data protection problem for at least one organisation.

The truth is that a discussion about cyber security is seldom complete without mentioning its close relation: data protection.


Is it ever a bad time to talk about GDPR?

(This is a rhetorical question.)


Even if we doubt the cyber security risk that arises when our organisations’ emails are being automatically forwarded to third parties, we should be aware of the data protection risks.

And I don’t just mean the data protection implications of a cyber attack.

I also mean auto-forwarding that an employee has intentionally enabled, so an email sent to an internal email account gets automatically sent to an external email account.

Because if that auto-forwarding could include emails (or email attachments) that contain personal data, then it is a data protection risk.


Ah sure, it’s OK – we have a data processing agreement

We may have appropriate contracts and data processing agreements with our HR, IT or payroll outsourced service providers, which may address the data protection implications of auto-forwarding emails to their email systems.

But what about the auto-forwarding used by our colleague Anthony**?

You know, the Inbox Rule that he set up in Outlook which sends all of his work emails to his personal Yahoo account, so he can work on his emails and files using his personal laptop?


So what?

We cannot say that we are taking appropriate steps to protect personal data if that data could be exiting through the auto-forwarding back door.

This is why we must all get sight of any auto-forwarding that is happening today in our organisations, and get restrictions in place to prevent or limit its use in the future.
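One way to get that sight, as an added example that is not from the original post: a PowerShell inventory of Exchange Online inbox rules and mailbox-level forwarding that deliver mail outside the organisation, run with the ExchangeOnlineManagement module. The internal domain list (`example.com`) is an assumption; replace it with your own accepted domains.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account holds an Exchange admin role.
Connect-ExchangeOnline

$internalDomains = @('example.com')   # assumed: replace with your accepted domains

function Test-External {
    # Returns $true if any recipient address belongs to a domain we do not own.
    param([string[]]$Addresses)
    foreach ($a in $Addresses) {
        # Rule recipients look like 'Display Name [SMTP:user@domain]' or 'smtp:user@domain'
        if ($a -match '(?i)smtp:([^\]>\s]+)') { $addr = $Matches[1] } else { $addr = $a }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($domain -and ($internalDomains -notcontains $domain)) { return $true }
    }
    return $false
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings)
    $mbxTargets = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }
    if ($mbxTargets -and (Test-External $mbxTargets)) {
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'
                           Rule = ''; Target = ($mbxTargets -join '; ') }
    }
    # 2. Inbox rules (the "Auto-Forwarding Anthony" case) that forward or redirect mail
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        if ($rule.Enabled -and $targets -and (Test-External $targets)) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                               Rule = $rule.Name; Target = ($targets -join '; ') }
        }
    }
}

$findings | Format-Table -AutoSize

# Restriction, once the inventory has been reviewed: block automatic forwarding to
# external recipients tenant-wide via the outbound spam filter policy.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Get-InboxRule is called once per mailbox, so expect a long run on large tenants; the New-InboxRule and Set-InboxRule events in the audit log are the place to watch for rules created after this baseline.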


(** Real name replaced to protect the guilty, but I encounter at least one ‘Auto-Forwarding Anthony’ in more organisations than you might imagine.)