Ever since the European Union's privacy law, the General Data Protection Regulation (GDPR), came into effect on May 25, 2018, it has become the reference point for email privacy and compliance. It did not kill email as the doomsayers predicted, but it remains a headache for organizations that collect, store and share personal data over email.
GDPR raised the bar for consent from subscribers in the EU and redefined the rules, meaning consent collected from EU subscribers under earlier, looser practices may no longer be valid. The UK left the EU on January 31, 2020 and, when the transition period ended, retained the regulation in domestic law as the UK GDPR, in force since January 1, 2021.
In the past most of us never thought of email as subject to privacy compliance, but our mailboxes in fact contain a trove of personal data - from names and email addresses to attachments and conversations about people. All of it is covered by GDPR's requirements on data protection. Non-compliance can draw a fine of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)), plus compensation claims from affected individuals (Article 82).
So, what does GDPR say about email compliance for your EU and UK clients? In this article, we are going to focus specifically on email compliance related to digital security.
First off, any organization - company, micro-enterprise, charity - that handles personal data of individuals in the EU or the UK is subject to GDPR; what matters is where the data subject is, not their citizenship. This includes not just organizations within the EU or the UK but organizations anywhere in the world that offer goods or services to people there or monitor their behaviour (Article 3).
GDPR’s email compliance is focused on three core matters:
The common thread running through all three is data protection, and by extension email security. GDPR pushed businesses to strengthen their digital defenses, and encryption is one of the technical measures the regulation itself names as appropriate: Article 32(1)(a) lists "the pseudonymisation and encryption of personal data".
There are several instances where encryption is cited in GDPR as a protective measure to secure the data in emails:
So, per these clauses, any email you send containing personal data falls within the scope of GDPR, and the same applies to the collection and storage of data about people in the EU and the UK, whether you are a European business or based outside Europe. The regulation does not mandate a particular technology. It names encryption as an appropriate safeguard (Article 32) and, under the accountability principle (Article 5(2)), requires the controller to be able to demonstrate compliance. In practice that means being able to show, message by message, that personal data was protected while it was sent and while it was stored.
Encryption therefore gives you a concrete, recordable measure to point to when proving compliance. It is not a blanket guarantee, since lawful basis, retention limits and data subject rights still apply, but it also matters after an incident: under Article 34(3)(a), if breached data was rendered unintelligible (for example by encryption whose keys were not compromised), notifying the affected individuals may not be required.
Encrypting personal data is the natural way to evidence these measures. But what constitutes personal data? Basically, anything that identifies a living individual in the EU or UK, directly or indirectly, such as:
When talking about email encryption, it is often assumed that protection only needs to be applied while sending an email. GDPR email compliance is more than that. The data must be encrypted in transit (traveling between mail servers and clients) as well as at rest (stored in mailboxes, files or databases). Transport encryption such as STARTTLS between mail servers protects each hop only: the message is decrypted at every intermediate server and sits in plaintext in the mailbox unless the content itself is encrypted.
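The following is an added example, not RMail code, showing what "encrypted at rest" means for a stored message: the mailbox or database holds only an AES-256-GCM blob, and any tampering with the stored bytes is detected when the message is read back. The key, message ID and message body are constructed for illustration; in a real deployment the key would come from a KMS or HSM rather than sit next to the mailbox.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealMessage encrypts a message body for storage with AES-256-GCM.
// The stored blob is nonce || ciphertext || tag. The message ID is bound as
// associated data, so a blob copied into another message's record fails to open.
// The 32-byte key is assumed to live in a KMS/HSM, never alongside the mailbox.
func sealMessage(key []byte, messageID string, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(messageID)), nil
}

// openMessage decrypts a stored blob. Any change to the ciphertext, tag, nonce
// or message ID makes the GCM tag check fail and returns an error instead of
// silently returning corrupted plaintext.
func openMessage(key []byte, messageID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(messageID))
}

func main() {
	key := make([]byte, 32) // hypothetical key; real deployments fetch it from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample body containing personal data.
	body := []byte("Jane Doe, DOB 1980-01-02, policy 12345")

	blob, err := sealMessage(key, "msg-0001", body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at rest (%d bytes, first 16): %x\n", len(blob), blob[:16])

	pt, err := openMessage(key, "msg-0001", blob)
	fmt.Printf("read back: %q err=%v\n", pt, err)

	// An attacker with read/write access to the mailbox store flips one bit.
	blob[len(blob)-1] ^= 0x01
	_, err = openMessage(key, "msg-0001", blob)
	fmt.Println("after tampering:", err)
}
```

Binding the message ID as associated data is the detail worth copying: it stops a valid ciphertext from being swapped into a different record, which plain AES-CBC at rest would not catch.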
Now that we know about encryption at rest and encryption in transit, let us look at the five evaluation categories that matter most when assessing an email encryption technology or service.
Category #1 Protection
Category #2 Utility
Category #3 Audit-Ready Compliance Proof
Category #4 Empowering Users
Category #5 Measurement
Can you think of an email service that meets all of these criteria and supports GDPR compliance? RMail, a global email security solution from RPost, comes to mind.
RMail's approach simplifies the user experience while still permitting automated fallback to another secure delivery method when one is required, or desired, on a message-by-message basis. Let's see how.
A sender just needs to install a simple plug-in to start using RMail right away – no complicated setups or multiple steps, which encourages more adoption. Similarly, the recipient does not need to install or download anything. They will receive a secure message from the sender in their inbox with a “Registered Email” and “Encrypted” markings in the subject and banner with guided instructions, so the email stands out, indicating that the message is encrypted.
Depending on the encryption settings selected by the sender, recipients either click the file to read the message or enter a password shared by the sender to decrypt it. RMail also lets recipients set their own decryption password, and recipients can reply securely as well. As with any password-based scheme, the protection is only as strong as the password and the channel used to share it, so the password should be communicated outside the email itself.
RMail ensures privacy even in the extreme event of the recipient mailbox being hijacked, with the messages and attachments remaining encrypted-at-rest in the recipient inbox. The attachments can be opened outside the email inbox in any browser or PDF reader. They are embedded inside the encrypted PDF, which is also accessible from a button, and are digitally signed.
Email services often battle the "secure encrypted email dilemma": how to deliver a message securely without negating the key benefits of email, simplicity and ubiquity. There is usually a trade-off between security and simplicity, and simplicity often loses. RMail sets out to avoid this trade-off by offering strong email encryption without burdening users with complexity.
RMail leaves no "halfway" when it comes to compliance: it gives the sender an auditable record of precisely what message content (body text and attachments) was sent and received in encrypted form by each intended recipient. For some notices it also records precisely when the message was received and opened, all through a forensic audit trail with timestamped proof in the form of a "Registered Encryption Receipt" intended for use as evidence.
In case of a dispute, anyone in possession of this receipt can verify the authenticity of the data it contains, instantly and on demand. RPost's cryptographic methods determine whether information in the receipt has been altered, using hash algorithms and RSA/PKI signatures.
This matters because, if a breach occurs after the email has reached the recipient (in the recipient's environment, or after they forward the contents to others), the sender will need to prove that the breach did not happen on their watch.
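To make the mechanism behind such a receipt concrete, here is an added example in Go (not RPost's code; the receipt fields, the RSA-PSS/SHA-256 choice and the sample message are assumptions for illustration). The receipt records hashes of the body and attachments, the recipient, delivery time and delivery method, and is signed by the service. Anyone holding the service's public key can verify the receipt on demand, and any later edit to a recorded field fails verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Receipt is a constructed stand-in for a delivery receipt. It records what was
// sent (SHA-256 of body and attachments), to whom, when, and by which method,
// and carries the service's signature over those fields.
type Receipt struct {
	MessageID    string
	Recipient    string
	DeliveredUTC string
	Method       string // hypothetical label, e.g. "TLS" or "AES-256-PDF"
	BodySHA256   string
	AttachSHA256 []string
	Signature    []byte
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical fixes field order and separators so signer and verifier hash
// exactly the same bytes; the signature itself is excluded.
func (r Receipt) canonical() []byte {
	fields := []string{
		r.MessageID, r.Recipient, r.DeliveredUTC, r.Method,
		r.BodySHA256, strings.Join(r.AttachSHA256, ","),
	}
	return []byte(strings.Join(fields, "\n"))
}

// newReceipt hashes the content and signs the receipt with RSA-PSS over SHA-256.
func newReceipt(priv *rsa.PrivateKey, id, rcpt, when, method string,
	body []byte, attachments [][]byte) (Receipt, error) {
	r := Receipt{MessageID: id, Recipient: rcpt, DeliveredUTC: when,
		Method: method, BodySHA256: hashHex(body)}
	for _, a := range attachments {
		r.AttachSHA256 = append(r.AttachSHA256, hashHex(a))
	}
	digest := sha256.Sum256(r.canonical())
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Receipt{}, err
	}
	r.Signature = sig
	return r, nil
}

// verifyReceipt is what a third party does on demand: recompute the digest and
// check the signature against the service's public key.
func verifyReceipt(pub *rsa.PublicKey, r Receipt) bool {
	digest := sha256.Sum256(r.canonical())
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], r.Signature, nil) == nil
}

// contentMatches ties a message someone holds to the receipt: only the exact
// bytes that were sent reproduce the recorded hash.
func contentMatches(r Receipt, body []byte) bool {
	return hashHex(body) == r.BodySHA256
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // hypothetical service key
	if err != nil {
		panic(err)
	}
	body := []byte("Constructed sample: claim form for Jane Doe")
	att := [][]byte{[]byte("constructed PDF bytes")}

	r, err := newReceipt(priv, "msg-0001", "jane@example.com",
		"2024-03-01T10:15:00Z", "AES-256-PDF", body, att)
	if err != nil {
		panic(err)
	}
	fmt.Println("receipt verifies:", verifyReceipt(&priv.PublicKey, r))
	fmt.Println("body matches receipt:", contentMatches(r, body))

	// Someone later edits the receipt to claim a different delivery time.
	forged := r
	forged.DeliveredUTC = "2024-03-01T09:00:00Z"
	fmt.Println("altered receipt verifies:", verifyReceipt(&priv.PublicKey, forged))
}
```

Note that the receipt proves what the sender transmitted and when, not what happened inside the recipient's environment afterwards; that is exactly why it is useful when a breach occurs downstream of the sender.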
GDPR (Article 4(12)) defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In email terms, a breach can occur in either of two places:
(a) Within the sender's control (i.e., while the email travels from sender to recipient)
(b) After the data leaves the sender's control (i.e., a breach of the recipient's system, or after the recipient forwards the information on to others)
RMail encryption automatically chooses a delivery method for each recipient, aiming for the simplest recipient experience while returning auditable proof of privacy compliance to the sender. Notably, it always goes beyond basic TLS and beyond link-retrieval systems that store sensitive message content on a portal. If the default "transmission level encryption", which delivers the message over TLS and leaves it readable in the recipient's inbox, cannot be used because protection at the recipient's end is insufficient (for example, the receiving server does not negotiate TLS), RMail falls back to AES 256-bit PDF encryption. This protects the content end to end, since only someone holding the password can open the PDF.
RMail also includes targeted spear-phishing detection designed to catch imposter emails used for wire fraud, whaling, BEC attacks and other lures. Its "Auto Purge" feature removes shared files and folders automatically, so senders do not have to go back later to delete old material, which limits how long personal data remains exposed.
RMail can be easily integrated with Outlook, Gmail, and other email clients without the need for the sender to switch email clients. Additionally, RMail can also be integrated easily with some of the popular platforms like CleanDocs, Zimbra, Xerox, Salesforce, and Zola Suite.
Encrypting your data is a simple, proactive measure you can take right now toward GDPR compliance. A reliable email encryption solution, with records that show what was protected and when, can significantly reduce the impact and cost of a data breach down the road.
RMail has been highly rated for its security and auditable proof of compliance, while offering a simple experience for both sender and recipient, and it is affordable at scale. Try it now to send emails for free!