Technology Guide to Meet GDPR Compliance for Data Privacy for Email
In Europe, the new European General Data Protection Regulation (GDPR) creates an environment of heightened awareness of data privacy issues. It also brings an enforcement framework with enough teeth to change the way businesses that handle consumer data protect consumer privacy. GDPR defines what is to be achieved rather than how the requirements are to be fulfilled. Consequently, it does not require any specific method of encrypting email, but it does require the handler of non-public personal information to maintain not only the privacy of that information but also the ability to demonstrate compliance with the privacy requirements. These requirements are discussed in detail in GDPR Article 5(1)(f) and 5(2), and Article 32(1)(a) and 32(1)(d), which together address the confidentiality and security of personal data, including during transmission, and the obligation to demonstrate that the protection was in fact applied.

An easy target for GDPR enforcement is how organisations protect the privacy of information transmitted to external parties. Email is the primary means of business information delivery today. As such, email privacy will be one of the principal areas inspected in a compliance audit, and it will therefore be essential for regulated companies to retain auditable proof that personal data was in fact transmitted privately.

Why is "proof" important? There are many ways to encrypt email, nearly all of which make it more complicated for the intended recipient to read the message. Unless there is a consequence, senders therefore tend not to use the email encryption systems that are in place and available. The availability of an email encryption system is not evidence that it was used. "Fact of Use", we believe, will be a key criterion in regulatory audits and, in any case, a basis for protecting organisations against accusations of a data privacy or GDPR compliance breach.

This paper contributes to the GDPR compliance debate by providing an assessment of these concerns and a methodology to guide practical compliance. It also offers parameters that an organisation should consider in selecting an appropriate solution, and a perspective on several of the leading offerings.