Email is the most popular and commonly used communication channel in the business world. While email has significantly eased business communication, yet it is highly vulnerable to cyberattacks. In most cases, email is the first point of entry for cyber-attacks. So, email security becomes crucial when it comes to data protection.
From a GDPR Compliance standpoint, e-mail is highly prone to Compliance violations, for it is the primary business communication channel which is widely used for sharing and storing Personal Data. Currently, email stands as the number one threat to cybercrime exploitation. Emails often contain Personal Data with information of identifiable individuals.
Apart from the actual email messages itself, Personal Data is often sent in an attachment to an email. For these reasons, companies must protect Personal Data stored in emails. In today’s article, we will be providing you all the details you need to know about GDPR Compliance and email security. So, before we move on let us first understand the impact of GDPR on email.
Statistics suggest that nearly over 100 emails related to work are sent daily by email users. While most may assume email is not subjected to GDPR, but it largely comprises of Personal Data. From names, email addresses, contact details to attachments, and conversations about people, a lot of Personal Data come under the ambit of GDPR requirements on data protection.
As a channel of communication, it poses a huge risk of a data breach. So, under the GDPR requirements, if a cloud-based email provider is used, for transferring Personal Data, the service provider also needs to be Compliant with GDPR. Further, if the cloud-based servers to which the data transferred via third-party falls outside of the EU, it still needs to be GDPR Compliance.
In short, any organization deals with Personal Information will be subjected to the GDPR. While most often the focus is on GDPR email requirements that revolves around email marketing and spam, there are other essential aspects such as email encryption that needs to be focused on. So, let us understand what GDPR means for email security.
Data erasure is an important part of the GDPR. It is one of the six data protection principles that clearly states that Personal Data cannot be stored for longer than it is necessary for the purposes deemed to be processed. Data erasure is also one of the consumer rights protected by the GDPR under the “right to be forgotten” rule.
More than often, people retain emails to refer to as a record for some activity in the future. But they fail to realize that the more data they keep, the greater is the risk of a data breach and higher is the liability. Moreover, it is now a mandate under the GDPR Compliance for organizations to ensure the erasure of unwanted Personal Data.
So, organizations are expected to periodically review their email retention policy to reduce the amount of data employees store in their mailboxes. Organizations are required to have in place appropriate policies that state the deletion of mails beyond a certain time to ensure data protection obligations under the GDPR. Organizations can ensure automated deletion of emails by setting an expiry date up to a certain timeframe. This will significantly lower the chances of non-compliance with GDPR.
Article 5 under the GDPR Compliance clearly states that the use of Personal Data should be lawful, fair, and transparent. There are six lawful bases (Consent, Performance of a Contract, Legitimate Interest, Vital Interest, Legal Requirements and Public Interest) for organizations to process Personal Data as listed under Article 6. Organizations must obtain consent based on unambiguous details which you have to provide to the consumer on your plans of using their data.
Further, organizations should have documents evidencing consent. Organizations should have a legit reason to process Personal Data. In context to e-privacy directives in Article 13, an organization may use electronic contact details for direct marketing of its products or services. But, provided customers are clearly and distinctly allowed opt-out of it. So, organizations can lawfully send marketing emails about their goods and services if they give you an option to opt-out at any time and there is the option to unsubscribe in every communication.
GDPR law does not intend to ban email marketing by any means. But the law ensures it is done in the interest of its consumers and citizens of the EU. GDPR requires organizations to get consent from people with an affirmative opt-in, to be able to send mails. It also states that the organization should provide an opportunity for opt-out anytime a person wishes to in the future. Violation under GDPR is only when an organization advertises without the person's consent and when an option to unsubscribe is not given, will be liable for the penalty.
Another essential email aspect under the GDPR includes email security. Article 5 clearly states that organizations are required to protect Personal Data against accidental loss, destruction, or damage, by having in place appropriate technical or organizational measures.
Organizations should have in place appropriate measures including internal policies, management, and training programs. Most cyber-attacks happen due to phishing emails which hackers use to gain access to an account or device. Employees should be aware of such frauds and ensure that links and attachments from unknown accounts should not be clicked or downloaded. Organizations may face huge penalties if they do not implement appropriate technical and organizational measures.
GDPR applies to an organization that collects, stores, or processes Personal Data of citizens in the EU. This means organizations must change the way it operates and runs the business. Article 5 of the GDPR outlines a list of principles on data protection that organizations must adhere to for achieving compliance. This includes the adoption of appropriate technical measures to secure data. Encryption and Pseudonymization are two technical measures cited in the requirements of GDPR to minimize the potential damage in an event of a data breach. Encryption should be applied not just to Data at Rest but also Data in Motion.
Encryption is the most feasible yet effective option for securing emails. Email encryption technology has today rapidly developed facilitating end-to-end encrypted email service. With encryption technology, a Cloud-based secure email is now an option worth implementing. Organizations are expected to implement the best data security practice to secure email.
While the GDPR clearly outlines requirements for maintaining email security, we strongly recommend organizations to run a comprehensive audit of email service providers and investigate the contractual arrangements, and terms of service to ensure they are GDPR Compliant.
Organizations should also investigate its internal controls, policies, and measures to ensure that Personal Data processed by them via email is done in accordance with GDPR Compliance. Moreover, since email is highly prone to risk and exposure to a data breach, organizations must ensure end-to-end encryption of email and have other appropriate measures in place that prevents incidents of a data breach.
Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services which include GDPR Compliance & Audit, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.