Excerpts from the “Technology Guide to Meet GDPR Compliance for Data Privacy for Email.” (Full Guide available from RPost.)
“In Europe, the new European General Data Protection Regulation (GDPR) creates an environment of heightened awareness of data privacy issues. It also brings an enforcement framework with enough teeth to change the way businesses that deal with consumer data protect consumer privacy. GDPR defines what is to be achieved rather than how the requirements should be fulfilled. Consequently, it does not state a requirement to use a specific method of encrypting email, but it does require the handler of consumer non-public and personal information to maintain not only privacy of that information, but also the ability to demonstrate compliance with the privacy requirements. These requirements are discussed in detail in GDPR Article 5 Clause 1(f) and 2, and Article 32 Clause 1(a) and 1(d), which focus on the requirement to protect personal data during transmission with the ability to demonstrate fact of protection of personal data.
An easy target for GDPR enforcement is watching how organisations protect the privacy of information transmitted to external parties. Email is the primary means of business information delivery today. As such, privacy related to email will be one of the principal areas to be inspected in a compliance audit and, therefore, it will be essential for regulated companies to retain auditable proof of fact of private email transmissions.
Why is “proof” important? There are many ways to encrypt email, nearly all of which make it more complicated for the intended receiver to review the message. Therefore, a tendency for senders, unless there is consequence, is to not use email encryption systems that are in place and available for use. The fact of an email encryption system being available for use is not fact of use. “Fact of Use”, we believe, will be a key criterion in regulatory audits, and in any case, a basis to protect organizations from accusations of a data privacy or GDPR compliance breach.” Nick Hawke, Chief Executive Officer, Association of Professional Compliance Consultants in Foreword from the “Technology Guide to Meet GDPR Compliance for Data Privacy for Email”.
The following five evaluation categories (protection, utility, audit-ready compliance proof, empowering, and measurement) are the most important elements of an email encryption technology or service when considered against the GDPR requirements for protecting personal data; in particular Article 5 for security, confidentiality, and accountability, and Article 32 for encrypting personal data and regularly assessing the effectiveness of the technical measures that secure it.
Article 5 Clause 1(f) calls for maintaining the confidentiality of personal data, stating, “personal data shall be processed in a manner that ensures appropriate security of the personal data…using appropriate technical or organisational measures (‘integrity and confidentiality’)”.
Article 5 Clause 2 creates the need to maintain demonstrable proof of compliance with the confidential treatment of personal data, stating, “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’)”.
Article 32 Clause 1(a) names encryption among the technical measures to be applied as appropriate to the risk, stating, “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data”.
Article 32 Clause 1(d) calls for regular assessments to ensure the security of the processing, stating, “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Considering these requirements, the combination of RMail email encryption plus RMail Registered Email™ services provide not only GDPR compliant privacy, but also GDPR audit-ready proof of privacy compliance on a message-by-message basis.
“As a growing accountancy practice we were looking for a secure email product at an affordable price to help us comply with GDPR. We chose RMail as it returns proof of fact of encrypted delivery to protect the organisation in the event of an external compliance inspection. After a quick and easy to follow training session, we were up and running in no time at all. RMail is easy and straightforward to use, with the knowledge that you are sending sensitive data securely to your clients. RMail is an excellent product and service.” — ACG Accounting Services, London, England (Member of the IFA). The Institute of Financial Accountants (IFA) endorses the use of RMail secure and certified electronic messaging services to support GDPR compliance.
RMail Registered E-mail™ Services and Evidence within the United Kingdom Legal System. Excerpt from legal analysis by Alan Shipman, Editor, British Standards Institution, BS 10008:2014 Evidential Weight and Legal Admissibility. (Full analysis is available from RPost).
Within the UK, the processing of personal data was governed by the Data Protection Act 1998 (replaced by the EU General Data Protection Regulation on 25th May 2018). The current Act details conditions under which personal data can be legally processed. One of the conditions (the Eighth Data Protection Principle) states that personal data may not be processed outside the European Economic Area unless certain conditions apply.
In the case of RPost, some e-mail traffic may be diverted to computer systems installed within Europe. This is to retain legal processing status under the Data Protection Act 1998.
RPost’s Registered E-mail™ service automatically delivers a Registered E-mail™ receipt to the sender containing delivery details of the original message, proof of content and official time stamp. The RPost Registered E-mail™ service also enables a stored message to be authenticated at a later date, anywhere a challenge may occur with respect to delivery, time or the content of a Registered E-mail™ message. This service functions independent of any action by the recipient.
The authentication / verification of a Registered E-mail™ message will include the date and time of sending and receiving, the title and contents of the e-mail message, and all attachments. This registration and authentication / verification process is performed by RPost without storing the original e-mail message, as the complete transaction is recorded and embedded digitally within the Registered Receipt e-mail that is returned to the sender for safekeeping.
As this authentication process is available independently to both the sender and the recipient of a Registered E-mail™ message, any contention as to the original contents of the e-mail can be resolved without doubt. By RPost’s inclusion of a trusted time stamp with the original Registered E-mail™ message, the date and time of the sending and receiving of a message can be demonstrated without doubt.
BRITISH STANDARD COMPLIANCE PROVISION
BS 10008:2014 and the aligned Code of Practice (BIP 0008-2:2014, Annex A) discusses the advantages of e-mail systems that include a proof-of-delivery option. The Code of Practice notes that “whilst the receipt of such a confirmation message may be trustworthy, the absence of such a receipt may not be reliable evidence as to either delivery or non-delivery”.
It is important to note that the RPost “proof of delivery” capability speaks directly to this provision. Every Registered E-mail™ message generates an automatically returned Registered Receipt™ e-mail that contains the contents of the original e-mail and any attachments, held in an encrypted form incorporated into the receipt (note, RPost does not store a copy of the e-mail or receipt, or encrypted data associated with the e-mail or receipt). The encryption key can only be deciphered by RPost, thus securing the contents of the receipt. The receipt also confirms the delivery status and official time stamp of both sending and receiving of the original e-mail message. The Registered Receipt™ e-mail is a digital snapshot of the server-to-server conversation that surrounds the sending and receiving (or possible non-receipt) of the e-mail and itself can be used to regenerate an authenticated original e-mail (and all attachments) should a subsequent challenge arise. The delivery status will reflect a minimum of “delivery to mail-server” (or “delivery failure”) but could show “delivery to mailbox” and “opened” wherever possible. It should be noted that an absence of a receipt, or an absence of a “date and time of opening” entry, does not prove that the e-mail was never received / opened.
To further enhance the potential evidential weight of an e-mail, the RPost system provides a mechanism for demonstrating the authenticity of a stored e-mail. This authentication can take place any time after the Registered Receipt e-mail has been received by the sender – the original message can be re-authenticated at any time. Thus, even where the content of a stored e-mail has been changed (either inadvertently or maliciously), the e-mail can be independently authenticated by forwarding the Registered Receipt e-mail to RPost where it is unlocked and used for verification purposes. Where doubt occurs with an authenticated e-mail, a re-authentication could be performed ‘in front of the court’ if necessary to provide the strongest test possible of the validity of the evidence contained within the e-mail under question.
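The receipt model described in the two paragraphs above (a self-contained receipt holding the sealed message snapshot, timestamps and delivery status, which the sender keeps and the service can later unlock and compare against a stored copy) can be illustrated with a small stand-alone implementation. The following is an added example written for this page; it is not RPost's code and does not reflect how the Registered Receipt™ service is actually built. All names (issue_receipt, authenticate, SERVICE_KEY, SAMPLE_MESSAGE) are hypothetical, the timestamps are supplied by the caller rather than by a trusted time-stamping authority, and the sealing routine is a stdlib-only encrypt-then-MAC construction standing in for a proper AEAD such as AES-GCM. The sample message is constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Hypothetical service key: only the verifying service holds it, so a receipt
# holder can store and forward receipts but can neither read nor forge them.
SERVICE_KEY = secrets.token_bytes(32)

# Constructed sample message (subject, body, attachments as base64 text).
SAMPLE_MESSAGE = {
    "subject": "Invoice 4711",
    "body": "Please pay 100 EUR by 31 March.",
    "attachments": {"invoice.pdf": base64.b64encode(b"%PDF-1.4 demo").decode()},
}


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific sub-key so encryption and MAC never share a key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(service_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_derive(service_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_derive(service_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(service_key: bytes, blob: bytes) -> bytes:
    """Check the tag first, then decrypt; raises if the sealed blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(service_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed snapshot has been altered")
    stream = _keystream(_derive(service_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def canonical(message: dict) -> bytes:
    """Stable byte form of a message so hashes and comparisons are reproducible."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(service_key: bytes, message: dict, delivery_status: str,
                  sent_at: str, received_at: Optional[str]) -> dict:
    """Build the receipt handed back to the sender. The service stores nothing:
    the sealed snapshot inside the receipt is the only copy of the content."""
    snapshot = canonical(message)
    receipt = {
        "sent_at": sent_at,
        "received_at": received_at,           # None when only server delivery is known
        "delivery_status": delivery_status,   # e.g. "delivered to mail-server"
        "content_sha256": hashlib.sha256(snapshot).hexdigest(),
        "sealed_snapshot": base64.b64encode(_seal(service_key, snapshot)).decode(),
    }
    # Signature over every field binds timestamps and status to the sealed content.
    receipt["signature"] = hmac.new(service_key, canonical(receipt), hashlib.sha256).hexdigest()
    return receipt


def authenticate(service_key: bytes, receipt: dict, stored_message: dict) -> dict:
    """Service-side re-authentication: verify the receipt, regenerate the original
    from the sealed snapshot, and compare it with the copy under challenge."""
    unsigned = {k: v for k, v in receipt.items() if k != "signature"}
    expected = hmac.new(service_key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(receipt.get("signature", ""), expected):
        return {"verdict": "receipt_invalid", "original": None}
    try:
        original = json.loads(_open(service_key, base64.b64decode(receipt["sealed_snapshot"])))
    except ValueError:
        return {"verdict": "receipt_invalid", "original": None}
    verdict = "authentic" if canonical(original) == canonical(stored_message) else "altered"
    return {"verdict": verdict, "original": original, "sent_at": receipt["sent_at"],
            "received_at": receipt["received_at"], "delivery_status": receipt["delivery_status"]}


if __name__ == "__main__":
    r = issue_receipt(SERVICE_KEY, SAMPLE_MESSAGE, "delivered to mailbox",
                      "2024-03-01T09:00:00Z", "2024-03-01T09:00:04Z")
    print(authenticate(SERVICE_KEY, r, SAMPLE_MESSAGE)["verdict"])
    print(authenticate(SERVICE_KEY, r, dict(SAMPLE_MESSAGE, body="Please pay 1000 EUR"))["verdict"])
```

Two points the code makes concrete: the sender holds the only copy of the evidence yet cannot tamper with it, because any change to the stored message shows up as "altered" and any change to the receipt itself (status, timestamps or sealed content) fails the signature check; and, in line with the BS 10008 caveat quoted above, the scheme can only ever speak for receipts that exist, so a missing receipt still proves nothing about delivery or non-delivery.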