Excerpts from the “Technology Guide to Meet GDPR Compliance for Data Privacy for Email.” (Full Guide available from RPost.)
“In Europe, the new European General Data Protection Regulation (GDPR) creates an environment of heightened awareness of data privacy issues. It also brings an enforcement framework with enough teeth to change the way businesses that deal with consumer data protect consumer privacy. GDPR defines what is to be achieved rather than how the requirements should be fulfilled. Consequently, it does not state a requirement to use a specific method of encrypting email, but it does require the handler of consumer non-public and personal information to maintain not only privacy of that information, but also the ability to demonstrate compliance with the privacy requirements. These requirements are discussed in detail in GDPR Article 5 Clauses 1(f) and 2, and Article 32 Clauses 1(a) and 1(d), which focus on the requirement to protect personal data during transmission with the ability to demonstrate fact of protection of personal data.
An easy target for GDPR enforcement is watching how organisations protect the privacy of information transmitted to external parties. Email is the primary means of business information delivery today. As such, privacy related to email will be one of the principal areas to be inspected in a compliance audit and, therefore, it will be essential for regulated companies to retain auditable proof of fact of private email transmissions.
Why is “proof” important? There are many ways to encrypt email, nearly all of which make it more complicated for the intended receiver to review the message. Therefore, a tendency for senders, unless there is consequence, is to not use email encryption systems that are in place and available for use. The fact of an email encryption system being available for use is not fact of use. “Fact of Use”, we believe, will be a key criterion in regulatory audits, and in any case, a basis to protect organizations from accusations of a data privacy or GDPR compliance breach.” Nick Hawke, Chief Executive Officer, Association of Professional Compliance Consultants, in the Foreword to the “Technology Guide to Meet GDPR Compliance for Data Privacy for Email”.
The following five evaluation categories (protection, utility, audit-ready compliance proof, empowering, and measurement) are the most important elements of an email encryption technology or service when considered against the GDPR requirements for protecting personal data, in particular Article 5 (security, confidentiality, and accountability) and Article 32 (encryption, and assessing the effectiveness of technical measures to ensure security).
Article 5 Clause 1(f) calls for maintaining the confidentiality of personal data, stating, “personal data shall be processed in a manner that ensures appropriate security of the personal data…using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
Article 5 Clause 2 creates the need to maintain demonstrable proof of compliance with the confidential treatment of personal data, stating, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.
Article 32 Clause 1(a) specifies use of encryption to secure personal data, stating, “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data”.
Article 32 Clause 1(d) calls for regular assessments to ensure the security of the processing, stating, “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Considering these requirements, the combination of RMail email encryption plus RMail Registered Email™ services provides not only GDPR-compliant privacy, but also GDPR audit-ready proof of privacy compliance on a message-by-message basis.
“As a growing accountancy practice we were looking for a secure email product at an affordable price to help us comply with GDPR. We chose RMail as it returns proof of fact of encrypted delivery to protect the organisation in the event of an external compliance inspection. After a quick and easy-to-follow training session, we were up and running in no time at all. RMail is easy and straightforward to use, with the knowledge that you are sending sensitive data securely to your clients. RMail is an excellent product and service.” — ACG Accounting Services, London, England (Member of the IFA). The Institute of Financial Accountants (IFA) endorses the use of RMail secure and certified electronic messaging services to support GDPR compliance.
RPost’s Registered E-mail™ service automatically delivers a Registered E-mail™ receipt to the sender containing the delivery details of the original message, proof of content, and an official time stamp. The RPost Registered E-mail™ service also enables a stored message to be authenticated at a later date, wherever a challenge may arise with respect to the delivery, time, or content of a Registered E-mail™ message. This service functions independently of any action by the recipient.
The authentication / verification of a Registered E-mail™ message covers the date and time of sending and receiving, the title and contents of the e-mail message, and all attachments. RPost performs this registration and authentication / verification process without storing the original e-mail message, because the complete transaction is recorded and embedded digitally within the Registered Receipt e-mail that is returned to the sender for safekeeping.
As this authentication process is available independently to both the sender and the recipient of a Registered E-mail™ message, any contention as to the original contents of the e-mail can be resolved without doubt. By RPost’s inclusion of a trusted time stamp with the original Registered E-mail™ message, the date and time of the sending and receiving of a message can be demonstrated without doubt.
This authentication process also provides audit-ready proof of encrypted delivery to each recipient.
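To make the receipt mechanism described above concrete, here is an added illustration (not RPost's code and not a description of how RMail is implemented) of a receipt that commits to the message content, timestamps and delivery details, and later authenticates a presented copy of the message without the service having kept the original. The service key, field names and sample transaction are constructed assumptions; a real service would sign the receipt with a private key and obtain the time stamp from a trusted time-stamping authority.

```python
import hashlib
import hmac
import json

# Assumed: a secret known only to the receipting service (constructed for this example).
# A production service would use a digital signature and an external trusted timestamp.
SERVICE_KEY = b"constructed-example-service-key"

def content_digest(subject: str, body: str, attachments: dict) -> str:
    """SHA-256 over subject, body and every attachment (name + bytes) in a fixed order."""
    h = hashlib.sha256()
    h.update(subject.encode("utf-8") + b"\0")
    h.update(body.encode("utf-8") + b"\0")
    for name, data in sorted(attachments.items()):
        h.update(name.encode("utf-8") + b"\0" + hashlib.sha256(data).digest())
    return h.hexdigest()

def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the same record always yields the same MAC input.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def issue_receipt(sender, recipient, subject, body, attachments,
                  sent_at, delivered_at, encrypted_in_transit) -> dict:
    """Receipt returned to the sender: details, content digest, timestamps and a MAC."""
    record = {
        "sender": sender, "recipient": recipient, "subject": subject,
        "content_sha256": content_digest(subject, body, attachments),
        "sent_at": sent_at, "delivered_at": delivered_at,
        "encrypted_in_transit": encrypted_in_transit,
    }
    record["service_mac"] = hmac.new(SERVICE_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record

def verify_receipt(receipt: dict, subject: str, body: str, attachments: dict) -> str:
    """Later authentication: confirm the receipt is genuine and the presented message matches."""
    claimed = dict(receipt)
    mac = claimed.pop("service_mac", "")
    expected = hmac.new(SERVICE_KEY, _canonical(claimed), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "receipt altered or not issued by this service"
    if content_digest(subject, body, attachments) != claimed["content_sha256"]:
        return "message content does not match receipt"
    return "verified"

# Constructed sample transaction (addresses, content and timestamps are invented).
SAMPLE_ATTACHMENTS = {"invoice.pdf": b"%PDF-1.4 constructed sample bytes"}
SAMPLE_RECEIPT = issue_receipt("alice@example.com", "bob@example.com", "Q3 invoice",
                               "Invoice attached.", SAMPLE_ATTACHMENTS,
                               "2024-05-01T09:00:00Z", "2024-05-01T09:00:07Z", True)
```

Because only the digest and the MAC-protected details are kept, a later dispute over content, time or delivery is settled by re-presenting the stored message and receipt, and any change to either is detected.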