To ensure that outgoing correspondence does not fall into the wrong hands, and that the details on the envelope are limited to the necessary ones only, it is worth knowing some of the most important rules related to data processing.
First, remember about the data minimisation principle.
What does it mean? We process, and therefore use, only the data that are necessary for the task at hand. In this case, that means the details of the recipient and sender of the correspondence. We write on the envelope only the data needed to ensure that the letter reaches the correct recipient. In practice, when we send a letter, for example, to an office, these will be: the name of the person, his or her position and the address of the office. Note an often-repeated error made when sending registered letters with return receipt. Many people mistakenly put a great deal of information on the back of the return receipt, in the space for additional information about the sender, which can reveal personal information or violate the secrecy of correspondence. It is sufficient here to indicate, for example, the abbreviation of the name of the organisation’s department (so that the return receipt goes to the person assigned to handle the case) or the case number or contract number, so that it is easy to identify which case the correspondence concerned.
Second, we should take appropriate safety measures.
It is not always possible to avoid the mistake of sending correspondence to a wrong recipient. However, with the application of appropriate safety measures, this risk can be minimised in the following way:
- We constantly verify the correctness of addresses in our recipient database. Whenever the address of our contractor's registered office changes or the contractor changes its delivery address, we should remember to update such information.
- We should apply the principle of double-checking any correspondence intended for mailing.
In large organisations, the best method is for one person to check, on the list of recipients, which contractor or institution correspondence should be sent to on that day, and for another person, who is responsible for preparing letters for mailing, to check whether a letter was actually prepared and addressed to that recipient. If, for organisational reasons, just one employee is responsible for correspondence, that employee should keep, for example, two separate lists. The first should be the list of correspondence intended to be sent, and the second should be the list of already addressed outgoing letters.
- We should not forget about training of employees. The most common reason for mistakes is a lack of awareness of the risk. Therefore, we should make employees aware of the rules related to the protection of data processed by the organisation and inform them of the consequences of unauthorised disclosure of data. In addition to traditional training, short quizzes sent to employees once a month work well; in them, employees must, for example, identify a data protection risk or indicate which action will protect the organisation against a violation of the GDPR regulations.
Third, we should remember what to do in case of a data breach.
A data breach through unauthorised disclosure in correspondence is one of the most common violations reported to the Personal Data Protection Office. We need to make sure that all the employees in our organisation know how to proceed in case of a data breach. What to do step by step?