As the date for the General Data Protection Regulation (GDPR) to come into effect looms nearer, many businesses are still in the dark about what they need to do in order to be compliant. One area of particular concern is email encryption. Despite repeated warnings and advice from industry experts, many businesses are still not encrypting their emails, putting themselves at risk of hefty fines.
This article will explore the facts about GDPR and email encryption, and provide advice on how businesses can become compliant with the new regulations.
The General Data Protection Regulation is a new EU data protection law that came into effect on May 25th, 2018. The GDPR replaced the 1995 EU Data Protection Directive and strengthened EU data protection rules by giving individuals more control over their personal data, and establishing new rights for individuals.
GDPR is a set of regulations that affects any company which processes the personal data of individuals within the European Union, no matter where the company is based. Unless a company can show that it meets specific exemption conditions, it must follow the GDPR if its business involves processing the personal data of people in the European Union.
Under GDPR, all businesses must take steps to protect the personal data of their customers and employees from unauthorized access, use, disclosure, or destruction. One way to do this is by encrypting emails.
Email encryption is the process of transforming readable text into an unreadable format using an algorithm. The purpose of email encryption is to protect the confidentiality of the information contained in the email from unauthorized access.
Email encryption is not required by GDPR, but it is considered to be an appropriate technical measure for protecting personal data. In order for email encryption to be effective, businesses must use a secure email encryption solution that meets certain standards.
There are two major categories of email encryption: asymmetric and symmetric.
Businesses must choose an email encryption solution that meets their specific needs. Factors to consider include the sensitivity of the information being transmitted, the number of people who need to access the information, and the level of security required.
Some email encryption solutions are easier to use than others. For example, PGP (Pretty Good Privacy) is a popular email encryption solution that uses asymmetric email encryption. However, PGP can be difficult to set up and use, and it is not compatible with all email clients.
Businesses must also consider how they will manage the keys used for email encryption. Key management is the process of creating, storing, and managing keys. Key management is a critical part of email encryption, and it must be done carefully to ensure the security of the encrypted data.
Since the GDPR came into effect, there have been a number of high-profile data breaches caused by businesses mistyping recipient email addresses.
In July 2018, the UK Information Commissioner’s Office (ICO) fined the British Council £120,000 for sending sensitive personal data to the wrong email address. The data included information about children, and it was sent to an employee of a third-party organization.
In September 2018, the ICO fined the British government £180,000 for sending sensitive personal data to the wrong email address. The data included information about prison inmates, and it was sent to an employee of a private company.
Another common mistake businesses make is failing to encrypt email attachments. Email attachments are often not encrypted, even when the body of the email is encrypted. This can lead to data breaches if the attachments are intercepted by a third party.
While the GDPR does not specifically prohibit employees from using their personal email accounts for work-related purposes, doing so can increase the risk of data breaches.
If an employee uses their personal email account to send work-related emails, and the account is hacked, the confidential data could be exposed.
Another common mistake businesses make is using cc rather than Bcc when sending emails. When an email is sent to multiple recipients, the cc (carbon copy) field lists every recipient's address in the copy of the email that each recipient receives. This means that if any one recipient forwards the email to another person, all of the other recipients' email addresses are exposed along with it.
The Bcc (blind carbon copy) field, on the other hand, does not reveal the recipients' addresses in the delivered email. This means that if one of the recipients forwards the email to another person, the other recipients' email addresses are not exposed.
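Two of the mistakes described above, a mistyped recipient domain and external recipients exposed in cc, can be caught by a send-time policy check on the outbound message. The following is an added example, not code from the article or from any product; the allowlist of known domains, the thresholds and the sample message are all constructed for illustration.

```python
# Added example: a send-time check for mistyped recipient domains and for
# external addresses left visible in To/Cc. KNOWN_DOMAINS, OWN_DOMAIN and the
# sample message are constructed placeholders, not values from the article.
import email
from email.utils import getaddresses

OWN_DOMAIN = "example.org"                              # the sender's own domain
KNOWN_DOMAINS = {"example.org", "partner-example.com"}  # domains we correspond with
MAX_VISIBLE_EXTERNAL = 1   # more outside addresses than this in To/Cc -> use Bcc


def edit_distance(a, b):
    """Levenshtein distance; a small value against a known domain suggests a typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw):
    """Return a list of findings for an outbound RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw)
    findings = []
    # To and Cc are delivered to every recipient; Bcc is stripped at submission.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    hidden = getaddresses(msg.get_all("Bcc", []))
    for _, addr in visible + hidden:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in KNOWN_DOMAINS:
            continue
        near = sorted(d for d in KNOWN_DOMAINS if edit_distance(domain, d) <= 2)
        if near:
            findings.append(f"possible mistyped domain {domain!r} (did you mean {near[0]!r}?)")
        else:
            findings.append(f"unknown recipient domain {domain!r}")
    external = [a for _, a in visible if a.rsplit("@", 1)[-1].lower() != OWN_DOMAIN]
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external addresses visible in To/Cc; move them to Bcc")
    return findings


# Constructed sample: one cc recipient has "partner" misspelled as "parnter".
SAMPLE = """\
From: alice@example.org
To: bob@example.org
Cc: carol@partner-example.com, dave@parnter-example.com
Subject: case file

See attached.
"""
```

Run against SAMPLE, `check_message` reports the near-miss domain and that two external addresses are visible in cc; a mail gateway or client plug-in would block or warn on either finding before the message leaves.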
Email messages are often stored on mail servers, where anyone with access to the server can read them. This means that if the server is compromised, the confidential data in the stored messages could be exposed.
To protect email messages from being accessed by unauthorized individuals, businesses must encrypt them. Email encryption is the process of encoding email messages so that they can only be read by the intended recipient.
The GDPR has made email encryption a necessity for businesses. Email encryption provides businesses with a way to protect the personal data of their customers and employees from being accessed by unauthorized individuals.
By encrypting email communications, businesses can ensure that only authorized individuals have access to the information contained in the emails. In addition, email encryption can also help businesses to comply with other GDPR requirements, such as the need to provide customers with a way to access their personal data.