4 essential email checklists covering GDPR, marketing, and cyber-safety for UK-based coaches and consultants. Let’s talk about emails, the good, the bad and the hair-raising.
They are an everyday tool for businesses of every type and size. The problem is, they are so commonplace it is incredibly easy to overlook just how many risks they can pose to our business and us, personally.
Looking at the main risk areas for coaches and consultants, I’ve put them under 3 main headings:
- GDPR-related risks (data protection)
- PECR-related risks (marketing)
- Cyber safety risks (security)
And you’ll find four essential email checklists in the article to help you stay safe.
GDPR-related risks (data protection)
Many small business owners, not just coaches and consultants, use consumer email platforms like Gmail, Hotmail and so on for their business email. If you don’t send or receive any business-related personal data through such an account, that’s fine. However, if you do, it’s not so good.
The simple fact is that standard consumer email platforms are not secure enough for you to send personal data through them. They weren’t designed with business users in mind.
It’s also worth remembering that sending emails in bulk from “domestic” email platforms is likely to restrict deliverability and could get your email address blacklisted.
Many email accounts get hacked; more on the steps you should take to secure yours later.
As far as being GDPR-compliant is concerned, there are security settings you can use, including how long to retain emails. However, if you are handling personal data regularly through the account, those settings are not sufficient.
My recommendation is to avoid sending personal data by email as a general rule. That includes sending password-protected documents. It’s better to use an encrypted file transfer service, e.g., WeTransfer or Smash (there are many). You can password-protect the file and send the password by a different channel. That makes it much more difficult for hackers, because they would have to compromise each of the services you are using at the right time. The documents are held on the server for a set period of time and are then deleted automatically, which solves the data retention issue for you.
What about if you handle large amounts of personal data or Special Category data?
There are also fully encrypted services that combine email, file transfer and sharing or collaboration functionality, e.g., Galaxkey’s high-security encrypted service (https://www.galaxkey.com/). If you do have to share a lot of confidential data or documents, I would recommend using such a service.
Data retention is always an issue
Remember, you should keep the amount of personal data you hold to a minimum. I know that many business owners hold emails indefinitely, and even though the personal data may only be names and email addresses, it is still worthwhile setting a deletion timescale for your emails. If you aren’t sure how to do that, or you are using your inbox as a default filing system, consider keeping copies of important documents in your business filing system and setting a reminder to declutter your email at regular intervals.
And don’t forget to use strong passwords and 2FA on your email systems regardless of how you use them.
Sending emails – Human error
Human error is where the most significant risk sits. In fact, human error accounts for far more incidents than all the other causes put together.
Then we come to the ways in which the human element can expose your business to a breach or cyber-attack via an email system. Here are some of the common mistakes:
- Allowing auto-complete of email addresses
- CCing people who shouldn’t have been sent the email
- Sending to the wrong person
- Falling for phishing emails by clicking on a link or attachment, or by replying to the sender
It’s so easily done by any of us.
Tips to help reduce this risk:
- To avoid auto-complete or auto-CCing, check the settings on your email platform and disable this functionality unless you absolutely need it
- Have all your emails go to your Outbox first and take a second look before you press Send
- If there is an option to recall emails, use it, but bear in mind it may not help much, e.g., Gmail’s recovery maximum is 30 seconds
You should also check https://haveibeenpwned.com from time to time to see if your email addresses have been included in any hacking, breach or data dumps on the dark web. You can sign up to be notified via your anti-virus (I use Norton and it does that; I assume others do the same) or your Firefox account. If your email has been included, there will be recommendations on the steps you should take; changing your password is the standard first step.
Receiving emails – Phishing
As we all know, not all incoming emails are what they appear to be. Phishing attacks are getting more sophisticated all the time. There are many types of phishing emails to look out for. Here are some of the main ones at the moment:
- Emails with malware in links
- Emails that link to spoofed sites
- Emails that look like they come from a known contact or organization
- Emails with your personal information in them (social engineering)
- Unsafe attachments
- Emails asking for urgent action
Test your awareness
If you want to see how good you are at spotting fake emails, try the Google phishing quiz (https://phishingquiz.withgoogle.com/?hl=en-GB); it shows you what can happen and teaches you to spot some of these dodgy emails. If you have cyber security insurance, some insurers offer free training, e.g., Hiscox.
Privacy and Electronic Communications Regulations (PECR)-related risks (marketing)
The Privacy and Electronic Communications Regulations cover all types of electronic marketing communications, including telephone calls, messaging and emails. Most of the penalties levied to date have been for breaches of PECR. GDPR and PECR are closely connected, and the plan is to bring the schedule of fines for PECR into line with those under GDPR – that means much bigger fines will be imposed!
PECR is also what spam falls under – unsolicited promotional communications of any kind are forbidden. You MUST have consent (and a record of it) to send such messages. In this case we’re talking about emails sent as part of your marketing activities.
As we all have an email list of some sort for business marketing purposes, it is important to be aware of the risks, since the effect on your brand of getting it wrong can be catastrophic!
Dos and don’ts for your marketing
There are some easy dos and don’ts to follow when it comes to your marketing to potential clients and those are shown in the checklists below.
What about existing clients or enquirers?
You can send marketing materials to your existing clients and to those who have approached you with an enquiry about your business, asked for a quotation, or even just downloaded a freebie from your website. Make sure the content is relevant to their needs, always include an unsubscribe option, and you’re covered.
Here are your 4 essential email checklists:
4 Essential Email Checklists
Marketing checklist – Dos:
- Get valid consent and keep a record of it (double opt-in is good)
- Check that the details you hold are still accurate, and renew consent from time to time
- Keep an eye on hard bounces – keep your database clean
- Periodically review and tidy up your database
- Provide relevant, valuable, and helpful content for your audience
- Write in a conversational way to encourage engagement (best practice!)
Marketing checklist – Don’ts:
- Send promotional emails without consent
- Email anyone on your “do not contact” list
- Use external or bought lists where you don’t have a record of consent
- Use lots of pictures, links, or spammy words
- Email people to ask why they have unsubscribed
Email marketing checklist
Your email marketing platform is key. Here’s another of your essential checklists of things to do to keep it in good condition:
- Check your email marketing platform’s GDPR compliance (due diligence)
- Use double opt-in for email newsletters – your email marketing platform will have that option
- Refresh consent/check preferences from time to time
- Check your email stats and act on anything that will affect deliverability
- Use clear and accurate consent statements and keep records of who consented to what
- Maintain your lists/database – make regular checks
Cyber safety basics checklist
And the final one of your essential email checklists. There are some oldies but goodies in this list. Remember, you can’t make everything 100% safe, but you can make your systems more difficult for bad actors to get into, and then they’ll look elsewhere.
- Encrypt all devices
- Have device access PINs, passwords, patterns or biometric access set up (inc. mobile, laptop, router)
- Use MFA/2FA (multi-factor or two-factor authentication); note that SMS codes are the weakest form of 2FA, so use an authenticator app where one is offered
- Use a password manager
- Be selective as to which online services you use
- Be aware of email phishing and other cyber attacks
- Be aware of social engineering (watch what you post online and who you share it with)
- Do not allow any unauthorized use or remote access to your device(s)
- Create a policy/procedures document
As always, if you need help with the GDPR-related parts of your coaching or consultancy business, you can contact me here, on my website. Or book a free 20-minute Introductory chat with me where we can explore the problem and decide on the best way forward for you and your business, together.