Back to GuidesGuides & Opinions

Buyers’ Guide: GDPR Privacy Compliance, Email Encryption


Technology Guide to Meet GDPR Compliance for Data Privacy for Email

In Europe, the new European General Data Protection Regulation (GDPR) creates an environment of heightened awareness of data privacy issues. It also brings an enforcement framework with enough teeth to change the way businesses that deal with consumer data protect consumer privacy. GDPR defines what is to be achieved rather than how the requirements should be fulfilled. Consequently, it does not state a requirement to use a specific method of encrypting email, but it does require the handler of consumer non-public and personal information to maintain not only privacy of that information, but also the ability to demonstrate compliance with the privacy requirements. These requirements are discussed detail in GDPR Article 5 Clause 1(f) and 2, and Article 32 Clause 1(a) and 1(d) which focus on the requirement to protect personal data during transmission with the ability to demonstrate fact of protection of personal data. An easy target for GDPR enforcement is watching how organisations protect the privacy of information transmitted to external parties. Email is the primary means of business information delivery today. As such, privacy related to email will be one of the principal areas to be inspected in a compliance audit and, therefore, it will be essential for regulated companies to retain auditable proof of fact of private email transmissions. Why is “proof” important? There are many ways to encrypt email, nearly all of which make it more complicated for the intended receiver to review the message. Therefore, a tendency for senders, unless there is consequence, is to not use email encryption systems that are in place and available for use. The fact of an email encryption system being available for use is not fact of use. “Fact of Use”, we believe, will be a key criterion in regulatory audits, and in any case, a basis to protect organizations from accusations of a data privacy or GDPR compliance breach. This paper marks a significant contribution to the GDPR compliance debate, by providing a robust assessment of the concerns and a powerful methodology to guide practical compliance. It also offers useful parameters that an organization should consider in its selection of an appropriate solution and a perspective on several of the leading offerings.