In 2018, the General Data Protection Regulation (GDPR) came into effect to protect the private and sensitive information of EU citizens. Compliance with the regulation saves companies from being fined up to €20 million or 4% of their annual global turnover (whichever is greater).
Emails, in particular, pose a great threat to data security, given the sheer amount of messages passed from one inbox to another, as well as the number of data leaks stemming from email security breaches.
If your company handles sensitive information of EU residents, how do you make sure that you can email their data securely?
GDPR defines personal data as “any information which are [sic] related to an identified or identifiable natural person”.
This must be interpreted as broadly as possible, including information assigned to a person (e.g. name, address, IP address, credit card number, etc.), as well as information that will allow you to identify someone even if you don’t know their name (e.g. biometrics).
Emails contain a treasure trove of personal information, often staying in mailboxes for years. With this form of communication specifically, GDPR states that you need to do the following:
Note that GDPR is not only applicable to personal data you’ve collected after it was implemented. The regulations apply to everyone in your email list, regardless of when you got their information. It also doesn’t matter if your company is not within EU borders; as long as you have data of EU residents, you are mandated to comply with GDPR.
If your company stores and processes data of EU residents, the onus is on you to make sure that your organisation emails personal data securely. Here are the steps you can take:
By September 2019, more than a year after GDPR’s implementation, only 28% of companies worldwide were fully compliant. If, at this point, you haven’t yet created a GDPR-compliant system, it’s time to do so, as the complexity involved in the new regulations is often cited as the top barrier to compliance.
Also, keep in mind that some of the regulations are time-sensitive (e.g. identifying and reporting breaches within 72 hours). In case you do get attacked, you need to have a process in place so you can respond quickly and effectively.
Email hardening refers to the process of securing your emails by reducing their vulnerability to cyber attacks. There are several ways you can do this:
The EU highly recommends encrypting emails as the most feasible option for GDPR compliance. In fact, GDPR.eu relies on the encryption services of the world’s largest email service, ProtonMail.
Encryption has come a long way within the last five years, making it possible for many vendors to now offer encrypted email between sender and recipient. This technology prevents third parties from reading the content of each message.
However, understand that encryption comes with some downsides for businesses. Both sender and recipient need to use compatible software to read the email. It’s not easy to use, so only encrypt messages that are truly sensitive.
Regardless of how high-tech your security system is, people’s email practices can still put data at risk. Train your team to identify phishing scams, dangerous files, and even simple mistakes such as sending an email to the wrong recipient. Creating a security-conscious culture can go a long way towards protecting the private information of your customers.
Cyber security attacks get more sophisticated by the day. If you have your IT team test your system regularly, you’ll be able to spot any vulnerabilities you may have missed and any systems that need updating.
GDPR requires companies to step up their security systems and policies, especially when handling personal data through emails. If you want to make sure that your emails are secure and GDPR-compliant, give our Bristol IT support team a call at 0117 369 4335.