The facts about GDPR and email encryption

15th Oct 2021

All businesses communicate via email. It could be with partners, suppliers, customers, or other stakeholders. However, just like the 'old-fashioned' method of a letter sent in the post, anyone can read the contents of an email if it's sent to the wrong person or intercepted along the way.

An unencrypted email is open to interception, leaving all information within at risk. Depending on what's being sent, this could include names and email addresses, medical information, finances, and more. All very tempting to malicious actors, unintended recipients, and cybercriminals.

That's why email encryption is considered to be highly valuable under the General Data Protection Regulation (GDPR).

The need to protect email content under GDPR 

With GDPR, organisations need to protect the contents of emails. While data loss might occur from a direct attack, many security failures are often more innocuous. These could include:

  • Mistyping recipient email addresses
  • Failing to encrypt attachments
  • Employees using their personal email accounts
  • User error, most notably using CC rather than BCC
  • Not encrypting or protecting emails at rest
  • Non-compatible encryption and decryption software between sender and recipient

Any of these failures will see a business break GDPR rules. Email content encryption, therefore, is highly recommended by these regulations. If your company is seen as not taking adequate measures to protect personal data, it'll be in breach of GDPR. 

Encrypting personal and sensitive data under GDPR

The Information Commissioner's Office (ICO) independently regulates the UK's data privacy and information rights. Here are their recommendations around encryption under GDPR:

  • Companies, specifically their senior management, must implement appropriate organisational and technical measures to process personal data securely
  • Encryption is referenced as an example of an appropriate technical measure
  • Organisations should have a policy in place governing how and when to use encryption
  • Staff training should also occur on the importance of encryption and when to use it
  • Organisations should use an encryption service meeting current standards during the storage and transmission of personal data

The risks of breaking GDPR rules

Why do data breaches and data loss events regularly make the headlines? Because there's so much at stake when trust breaks down. Beyond this, there could be legal ramifications, hefty fines, and more.

Unhappy customers

It should go without saying, but it's hard to regain what was once there when trust breaks between businesses and customers. On top of this, group legal action by those affected is now a common repercussion of a significant breach.

The risk of fines

Any data breach that breaks regulations could come with a fine. The severity of the fine can depend on how serious the breach is and how well the business tried to mitigate any fallout. For example, timely and detailed notification to the ICO (and other relevant authorities) is essential — no more than 72 hours after becoming aware.

Scrutiny on senior management

Senior management is responsible for GDPR policy, implementation, and culture. An investigation often follows a data breach and the findings will highlight underlying causes. These could include insufficient privacy policies, poor encryption, lack of data protection leadership, and a culture that doesn't value data protection. So, these individuals may be singled out.

Damaging public perception

The ripple effect from a data breach can reach your potential customers, too. The public perception of mishandled or stolen data has a significant amount of fear attached to it, which could result in lost sales, partners, and opportunities. 

Compliant encryption

In order to avoid a data breach, businesses need to get serious about email encryption. While many mail services have Transport Layer Security (TLS) built in, it's not enough to remain compliant. TLS encrypts emails while in transit, but it won't protect them at rest, leaving stored messages at risk from attackers. Opportunistic TLS (STARTTLS) is also designed to fail open: if a secure connection can't be negotiated with the receiving server, the email is sent as plaintext.

Encryption isn't something you want to risk with personal data or other sensitive information. Look for tools that supplement TLS with additional encryption services, so that every email is sent securely regardless of which protocols the recipient supports. Such tools should also warn users when a secure connection can't be made and offer message-level encryption instead.
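As an added example (not code from the original article or from any product it describes), the following Python script models the decision an outbound mail client makes after the SMTP EHLO exchange. Under an opportunistic policy the message falls back to plaintext when STARTTLS isn't offered, which is the fail-open behaviour described above; a fail-closed policy instead defers delivery or hands the message to content encryption. The EHLO replies are constructed, and the policy names and the `parse_ehlo`, `plan_delivery` and `send_with_policy` helpers are illustrative assumptions rather than any product's API.

```python
"""Fail-open versus fail-closed handling of STARTTLS for outbound mail.

Added example, not code from the original article. The EHLO replies below
are constructed; the policy names and helper functions are assumptions
chosen to illustrate the point, not any particular product's API.
"""
import re
import smtplib
import ssl
from enum import Enum


class TlsPolicy(Enum):
    """How to behave when the receiving server does not offer STARTTLS."""
    OPPORTUNISTIC = "may"        # fail open: use TLS if offered, else plaintext
    REQUIRED = "encrypt"         # fail closed: never send in the clear, defer
    MESSAGE_LEVEL = "content"    # fail closed: encrypt the content end-to-end instead


# Constructed EHLO replies (RFC 5321 format) standing in for two recipient servers.
EHLO_WITH_STARTTLS = """250-mail.example.test Hello client.example.test
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250 ENHANCEDSTATUSCODES"""

EHLO_WITHOUT_STARTTLS = """250-legacy.example.test Hello client.example.test
250-SIZE 10240000
250 8BITMIME"""


def parse_ehlo(reply: str) -> set:
    """Return the extension keywords a server advertised in its EHLO reply.

    The first line carries the server's greeting, not an extension, so it is skipped.
    """
    extensions = set()
    for line in reply.splitlines()[1:]:
        match = re.match(r"250[ -](\S+)", line)
        if match:
            extensions.add(match.group(1).upper())
    return extensions


def plan_delivery(extensions: set, policy: TlsPolicy) -> str:
    """Decide how a message may leave, given the server's extensions and our policy."""
    if "STARTTLS" in extensions:
        return "starttls"                 # upgrade the session before MAIL FROM
    if policy is TlsPolicy.OPPORTUNISTIC:
        return "plaintext"                # the fail-open behaviour the article warns about
    if policy is TlsPolicy.MESSAGE_LEVEL:
        return "encrypt-content"          # e.g. S/MIME or OpenPGP, then send over any transport
    return "defer"                        # REQUIRED: queue, retry later, and warn the user


def send_with_policy(host: str, port: int, message, policy: TlsPolicy) -> str:
    """Apply the policy against a live server (needs network; not run in this example).

    Returns the action taken so the caller can report it to the user.
    """
    context = ssl.create_default_context()    # verifies certificate chain and hostname
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        offered = {name.upper() for name in conn.esmtp_features}
        action = plan_delivery(offered, policy)
        if action == "starttls":
            conn.starttls(context=context)
            conn.ehlo()                        # extensions must be re-read after the upgrade
            conn.send_message(message)
        elif action == "plaintext":
            conn.send_message(message)         # only reachable under OPPORTUNISTIC
        # "defer" and "encrypt-content" leave the session without sending;
        # the caller queues the message or encrypts the content first.
    return action


if __name__ == "__main__":
    for name, reply in (("modern", EHLO_WITH_STARTTLS), ("legacy", EHLO_WITHOUT_STARTTLS)):
        for policy in TlsPolicy:
            print(f"{name:7} {policy.name:13} -> {plan_delivery(parse_ehlo(reply), policy)}")
```

Running the script prints the outcome for each policy against both constructed servers; the only path that ever emits plaintext is the opportunistic one against the server lacking STARTTLS, which is exactly the case a compliance-minded sender wants to see flagged rather than silently allowed.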

What about Brexit?

Brexit hasn't significantly changed GDPR guidelines. However, with the transition period officially over, it does mean that there are both UK and European GDPR policies to consider. If you have EU partners, customers, or offices, you should find out where you need to comply with both and ensure you stay up-to-date with changes. 

With workforces spread further than ever before and remote working essential to ongoing business success, encrypting personal and sensitive data via email is critical for compliance and safe data handling. Using both in-transit and content encryption and implementing encryption policies for data storage will help keep your data secure. 


FAQ

Does GDPR require email encryption?

The GDPR's guiding principles require technical and organisational measures to ensure companies process sensitive information compliantly. The accompanying guidance names encryption as one such appropriate measure.

Does GDPR require data to be encrypted? 

Encryption is not mandatory under UK GDPR. If you're unsure whether the data you process needs encryption or what the impact of its loss could be, it's wise to audit processes and the potential risks to the data you handle.

What are the seven principles of GDPR?

The UK's GDPR sets out seven key principles:

  1. Accountability
  2. Accuracy
  3. Data minimisation
  4. Integrity and confidentiality
  5. Lawfulness, fairness, and transparency
  6. Purpose limitation
  7. Storage limitation