GDPR Compliance for Emails

How to Ensure GDPR Email Compliance Securely and Effectively

Ever since the European Union’s privacy law, General Data Protection Regulation (GDPR), came into effect on May 25, 2018, it has become a platinum standard for email privacy and compliance. Though it didn’t kill email as the doomsayers predicted, it continues to be a cause of headache for some organizations when it comes to collecting, storing and sharing personally identifiable information over email.

GDPR has raised the bar to a higher standard of consent for subscribers based in the EU and redefined the rules - meaning how you have collected consent from EU subscribers in the past is not compliant anymore. Also, though the UK left the EU on December 31, 2021, it came out with its own version known as the UK-GDPR, which took effect on January 31, 2020.

In the past most of us never thought of email as subject to privacy compliance but our mailboxes in fact contain a trove of personal data - from names and email addresses to attachments and conversations about people. All of this is covered by the GDPR’s strict new requirements on data protection. Any non-compliance can hit you with a fine of €20 million or 4% of global revenue, whichever is higher, plus compensation for damages.

So, what does GDPR say about email compliance for your EU and UK clients? In this article, we are going to focus specifically on email compliance related to digital security.

What Does GDPR Say About Email Compliance

First off, any organization – companies, micro-enterprises, charities – that handle personal information of EU and the UK citizens is subject to GDPR. And this includes not just organizations within the EU or the UK but organizations across the globe offering goods or services to people there.

GDPR’s email compliance is focused on three core matters:

  • Safeguarding personal data
  • GDPR-compliant archive for quick search and retrieval
  • Restoring availability and access to personal data after a breach.

One common thread connecting all is data protection, and by extension, email security. GDPR presented an enormous challenge for businesses to bolster their digital security defenses, and one of the data protections measures wholeheartedly recommended include email encryption!

What Does GDPR Say About Encryption

There are several instances where encryption is cited in GDPR as a protective measure to secure the data in emails:

  • Article 5 Clause 1(f) calls for maintaining the confidentiality of personal data, stating, “personal data shall be processed in a manner that ensures appropriate security of the personal data...using appropriate technical or organizational measures (‘integrity and confidentiality’).”
  • Article 5 Clause 2 creates the need to maintain demonstrable proof of compliance with the confidential treatment of personal data, stating, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
  • Article 32 Clause 1(a) specifies use of encryption to secure personal data, stating, “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data.”
  • Article 32 Clause 1(d) calls for regular assessments to ensure the security of the processing, stating, “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”
  • Recital 83 mentions encryption as a means of mitigating risk.

So, per these clauses, any email you send containing personal data, is subjected to GDPR. The regulation stipulates encrypting such data when it comes to maintaining a record of ‘proof of data privacy compliance’ and automated, demonstrable proof on a message-by-message basis with accountability being a key requirement. It also applies to the collection and storage of any data of people in the EU and the UK, whether you are a European business or based outside Europe.

This goes on to prove that if you use encryption, you have an obvious reliable way to prove compliance to GDPR.

How to Ensure GDPR Compliance

Per GDPR stipulation, any personally identifying information needs to be encrypted to prove compliance. But what constitutes personal data? Basically, anything that can identify an EU or UK resident or citizen, such as:

  • Name
  • Address
  • Online identifier
  • Health records
  • Financial information

While talking about email encryption, it is often assumed that protection must be applied while sending an email. But the GDPR email compliance is more than that. The data must be encrypted in transit (traveling from one network to the other) as well as at rest (sitting in files or databases).

Technology Evaluation Criteria to Meet GDPR Compliance

Now that we know about encryption at rest and encryption in transit, let us deep dive into five evaluation categories considered as the most important elements of an email encryption technology or service.

Category #1 Protection

  • From interception: The email message must be protected in transit across the Internet, regardless of server, provider, or settings of your recipient’s email client. Protection must also be extended against common interception tactics, such as a TLS downgrade attack (one which tricks the client and server into using older protocols or insecure parameters for encrypting the information in transit) that is most successful when there is no built-in fallback to another encrypted delivery method.
  • From eavesdroppers: The email service must offer an option to protect the message throughout as it transfers from sender through sender’s email client right till the recipient destination. Eavesdroppers come in several categories - curious staff, hackers, even practices of an outsourced provider that has access to email. Some email providers (for the sake of marketing) have the practice of analyzing the message before it is read by the recipient to bundle their free services along with the message.
  • From socially engineered leaks: Protection from an imposter email received by the HR, finance, or other business functions that deal in customer sensitive information. These emails lure employees into replying with sensitive data attached. These are commonly referred to as “phishing” tactics or “whaling” attacks. America’s Federal Bureau of Investigation has termed them as Business Email Compromise (BEC) attacks.
  • Automated rules: Some email clients may prefer the option for a sender to direct the server to encrypt a message using content added to the message before sending. Examples include a keyword in the subject field, or content in the message added at the server.

Category #2 Utility

  • Simple for the sender: If the service is too complicated for the sender, the sender may ultimately not use the service.
  • Simple to use for the recipient: If the service requires a lot of complicated steps to set up and retrieve messages, the recipient might not pick up the sender’s message, resulting in failure of compliance on the sender’s part.
  • Peace of mind: Must provide the sender with proof of delivery and proof of fact of encrypted delivery to treat the information as sensitive and transmit it securely to the recipient.
  • No storage: Most companies prefer not to have another location where messages in transit are stored as this creates a potential risk factor. For instance, recipients rarely return to delete the document after transmission if the sender uses a file sharing service to transmit a sensitive document. The document remains accessible at the shared link for an extended period, making it riskier.
  • Flexibility of configurations: The service must be flexible to configure. Unnecessary complicated set-up procedures drive the users away, leading to exchange of messages in an unsafe manner and resulting in failure of compliance.

Category #3 Audit-Ready Compliance Proof

  • Certified proof of compliance: Considering GDPR fines for a data breach, it is critical for the sender organization to have an audit-ready proof of fact of encrypted delivery, on a message-by-message basis.
  • Independent authentication: The sender organization must be able to offer third-party verifiable evidence to protect themselves in case of the recipient claiming a data breach.

Category #4 Empowering Users

  • Tracking: The email service must offer open tracking and secure file download tracking to provide insights and data to the sender.
  • Proof of delivery: For delivery of sensitive information, such as account statements, or other personal data, the service must offer timestamped proof of delivery to ensure that the recipients got it.
  • Secure reply: The service must offer an option to the recipients to reply to the message securely, in an encrypted manner.
  • Recorded consent: The email service must also offer a way to record the recipient e-signoff or consent to data protection disclosure.

Category #5 Measurement

  • Reports: The email service should offer automated reports for administrators to monitor who in an organization is using secure messaging services and who needs more training, as well as where to close potential security gaps.
  • Training metrics: The service should give reports that can track change in use, can measure the success (or failure) of staff security training programs and offer insight into areas of potential security gaps.

Can you think of an email service which meets all these technology criteria and delivers complete GDPR compliance? RMail, a global email security solution from RPost, comes to mind!

How RMail Ensures GDPR Email Compliance

RMail has one of the best approaches when it comes to simplifying the user experience and yet permitting automated fallback options, in case another method of secure delivery is required, or desired on a message-by-message basis. Let’s see how.

Simple to Use for the Sender and the Recipient

A sender just needs to install a simple plug-in to start using RMail right away – no complicated setups or multiple steps, which encourages more adoption. Similarly, the recipient does not need to install or download anything. They will receive a secure message from the sender in their inbox with a “Registered Email” and “Encrypted” markings in the subject and banner with guided instructions, so the email stands out, indicating that the message is encrypted.

Depending on the “encryption” settings selected by the sender, the recipients can either just click the file to read the message or enter a password shared by the sender to decrypt messages. RMail also offers recipients the option to set their own password to decrypt. The recipients can reply securely as well.

RMail ensures privacy even in the extreme event of the recipient mailbox being hijacked, with the messages and attachments remaining encrypted-at-rest in the recipient inbox. The attachments can be opened outside the email inbox in any browser or PDF reader. They are embedded inside the encrypted PDF, which is also accessible from a button, and are digitally signed.

GDPR Track & Prove Email

Email services often battle the “secure encrypted email dilemma,” meaning how to deliver the message securely without negating key benefits of email – simplicity and ubiquity. There is often a trade-off between security and simplicity – and often “simplicity” loses the battle. RMail is over these limitations as it offers top-rated email encryption without confusing the users with complexity.

GDPR Encrypted Email

Auditable Proof of Compliance

RMail ensures there is no “halfway” when it comes to compliance and gives the sender an auditable record of precisely what message content (body text and attachments) was in fact sent and received in an encrypted manner to each intended recipient. For some notices, it will also tell you precisely when the message was received and opened – all through a forensic audit trail with court-admissible, timestamped proof in the form of a “Registered Encryption Receipt.”

In case of any dispute, anyone in possession of this receipt is able to verify the authenticity of the data it contains, instantly and on-demand. RPost’s cryptographic methods are used to determine if information in the receipt has been altered, employing hash algorithms and RSA/PKI signatures.

This is extremely important, because in a data breach after the email has reached the recipient (in the recipient’s environment, or after they have forwarded the email contents to others), the sender will need to prove that the breach did not happen on their watch.

The Best Protection Via Encryption

Per GDPR, a data breach is when the data is:

(a) Within the sender’s control (i.e., where the email is sent from sender to recipient)

(b) After the data leaves the sender’s control (i.e., if there is a data breach on the recipient’s system or after the recipient forwards the information on to others)

RMail encryption automatically delivers email in a unique way to each recipient, always creating the simplest user experience for the recipient while also returning auditable proof of privacy compliance to the sender. A notable aspect is it always go far beyond basic TLS and link-retrieval systems which store sensitive message content. So, if the default “Transmission level encryption” that automatically decrypts messages for the recipients does not work due to insufficient protection at the recipient’s end, RMail automatically reverts to AES 256-bit PDF encryption, the end-to-end encryption for secure delivery.

RMail also includes targeted spear-phishing detection specifically designed to prevent imposter email wire fraud, whaling, BEC attacks, and other lures. Plus, RMail’s “Auto Purge” feature ensures senders do not have to go back after sharing files to delete old folders or remove files from folders, improving security and compliance protections.


GDPR Registered Receipt


RMail can be easily integrated with Outlook, Gmail, and other email clients without the need for the sender to switch email clients. Additionally, RMail can also be integrated easily with some of the popular platforms like CleanDocs, Zimbra, Xerox, Salesforce, and Zola Suite.

GDPR Compliance Made Easier with RMail

Encrypting your data is a simple, proactive measure that you can take right now to comply with GDPR. A reliable and secure email encryption solution helps organizations to significantly reduce the cost of a data breach down the road.

RMail has been top rated for its security and auditable proof of compliance capabilities, besides offering the simplest user experience for the sender and recipient. Plus, it is much more affordable at scale. Try it now to send emails for free!