Should emails be encrypted under GDPR?

Effects of the GDPR on email security

Email security

Munich, SonicWall | Author: Herbert Wieler

Is your email security ready for EU GDPR?

On May 25, 2018, the General Data Protection Regulation (EU-DSGVO / GDPR) of the European Union (EU) becomes applicable.

The GDPR contains a number of rules governing the collection, storage and processing of personal data in the EU. Non-compliance can lead to severe penalties (up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher).

According to the Infowatch Global Data Leakage Report from 2016, which is unlikely to have changed much by now, email is the second most common channel for data leaks.

An early check of your current email security against the upcoming GDPR cannot hurt.

Some key elements of the GDPR

  • The GDPR applies to all organizations that process personal data of EU residents, regardless of where the organization is located.
  • Breach notification is mandatory: a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it.
  • EU residents have the right to obtain confirmation of whether, where and for what purpose personal data about them is being processed.
  • The right to "be forgotten" entitles individuals to demand the deletion of their personal data and to stop its further dissemination.
  • Data protection by design requires data protection to be built in from the start of system design, not added on afterwards.

What does this mean for a company's email security?

Implications of the GDPR on the email system

  • Any information containing personal email addresses, telephone numbers, postal addresses, etc., much of which is collected for marketing purposes, is classified as personal data.
  • Organizations in sectors such as retail, finance and healthcare are likely to face greater complexity in handling personal data in order to comply with the regulation.
  • To implement suitable technical measures for "privacy by design", organizations must incorporate appropriate email encryption and compliance functions into their email security infrastructure.

To comply with the regulation and to pass an evaluation of email security, the following guidelines should be observed:

  • A comprehensive, multi-layered approach that provides strong inbound and outbound protection
  • Sandboxing and quarantining of unknown email attachments to prevent breaches
  • Strong encryption and data loss prevention (DLP) for compliance and regulatory requirements