GDPR Email Compliance

A Brief Guide to GDPR Email Compliance

The EU´s General Data Protection Regulation (“GDPR”) comes into force in May. It is a comprehensive regulation affecting every business that collects, processes or stores the personal data of EU citizens – including employee data. The failure to comply with GDPR carries substantial penalties, even if there has not been an unauthorized disclosure of personal data.

This brief guide to GDPR email compliance focuses on emails in particular because it is the most frequently-used channel through which data enters a business, is shared and stored. For the purpose of clarity, the guide applies to both external and internal communications, and the threats that exist to the integrity of GDPR-covered data – of which there are quite a lot.

GDPR-Covered Data in Emails

One of the problems with GDPR email compliance is there is no definitive list of what GDPR-covered data is. This is due to lists of data becoming out of date as new data types are introduced. Typically there are more data types in an email than in any other form of electronic communication once you include metadata hidden within email headers. This is why emails should get special attention.

As a rule of thumb, any element of an email that can be used to identify an individual – either directly or indirectly (for example, an IP address) – is GDPR-covered data and has to be collected, processed and stored according to GDPR rules. Effectively every email that passes through a business´s mail server should be secured in order to achieve GDPR email compliance. Secured email archiving is also recommended.

The Threats to GDPR Email Compliance

Before discussing solutions to secure email communications, it is a good idea to identify the threats businesses need to secure them against. Many businesses believe the majority of threats originate from outside, but this is not necessarily the case. Multiple IT security reports have demonstrated that, when you combine breaches caused by malicious and inadvertent insiders, the threats to GDPR email compliance are far greater inside a business than outside a business.

The majority of IT security reports include phishing as an insider threat – indeed most include it as the #1 threat to GDPR email compliance. Further insider threats are attributable to the actions of malicious employees or negligent employees, who rank high among most risk statistics due to the number of emails containing sensitive data that are sent to the wrong address. There are also security issues when employees accesses data from an unsecured device.

Solutions to Secure Email Communications

There are two key solutions to secure email communications that every business should consider. The first is an email archiving solution that indexes, encrypts and archives email as they pass through the mail server. It is important the email archiving solution is done immediately to avoid the unauthorized modification or deletion of emails before a copy is secured. It is also important the archiving process creates an audit trail in order to identify when and by whom archived emails are accessed.

The second key solution to secure email communications is an GDPR-compliant email filter with malicious URL detection. Malicious URL detection is important because the filter checks links contained within emails to identify those that redirect employees to phishing websites. By preventing employees from visiting phishing websites, businesses not only protect the integrity of email data, but can also mitigate the threats of malware and ransomware attacks – thus reducing threat levels from both insider and external actors.

The two solutions supported by effective security training will substantially mitigate the threats to GDPR email compliance. Furthermore, should a breach of GDPR-covered data occur, the preventative measures taken by the business will count in their favor when GDPR Supervisory Authorities are assessing the any fine to be issued. In this respect, the amount a business can save by implementing an email archiving solution and an email filter with malicious URL detection can be significant.