Skip to main content

GDPR and email

According to GDPR and other international regulations on personal data, you are responsible for protecting people’s data. This post is about email security and how to protect personal data when emailing. You will receive a checklist for what to remember when sending and receiving emails in accordance with GDPR.


Email of personal data

Email and personal data are two important aspects of our modern digital working life. E-mail allows us to communicate and exchange information over the Internet effectively. Emails can contain personal information such as names, contact information, and even confidential information such as credit card information or passwords. It is therefore important to be aware of security measures to protect personal data when using e-mail. Personal data refers to any information that can identify a person directly or indirectly. This can include names, addresses, phone numbers, dates of birth, email addresses and more.

Unfortunately, mail is also a service where there is a high risk of personal data – either intentionally or unintentionally – ending up in the hands of unauthorized persons. To protect personal data when using e-mail, there are some important steps you can follow.


Email security and compliance checklist

Getting your company’s email ready for safe data sharing is an important part of compliance with data privacy regulations, since email is still the most common way your employees will communicate with customers, vendors, partners, and each other.

Make sure you:

1. Get a good practice for sharing and collecting data by email 

Email data breaches can be either accidental or intentional. Accidental email data breach occurs when someone, for example: 

  • Sends an email to the wrong person 
  • Attaches the wrong document to an email 
  • Uses the CC field rather than the BCC field 
  • Forwards an email thread they don’t realize contains personal information in the message body or attachments 

Intentional email data breaches may or may not be malicious. Here are some examples: 

  • You send or accept personal data by regular mail without encryption  
  • An employee reuses your leads’ emails and other personal data at a new job  
  • Someone leaks personal data for financial gain or to harm your company 

Establishing solid but easy-to-follow protocols for email data sharing for your whole company can increase awareness of data privacy and prevent data leaks and breaches.  


2. Protect data at rest and in transit with state-of-the-art security 

Keeping in mind that the GDPR and other regulations require you to use appropriate technical measures to prevent data loss and leaks, your email security features should include: 

  • Encryption – so data ends up with the right recipient
  • Transport Layer Security (TLS) – to keep data safe in transit 
  • Multi-factor authentication – to verify the recipient’s identity 
  • Access restriction – to protect data at rest 
  • Data retention limits – to minimize your liability risk 


3. Get consent before accepting data by mail

Regulations require you to have a lawful basis for collecting data. In most cases, this should be in the form of freely given consent from the data owner/data subject. The consent you obtain from someone before accepting their data by email should be:  

  • Informed. Easy to read and understand for the data subject. 
  • Voluntary. Freely given by the data subject. 
  • Explicit. An unambiguous indication of the data subject’s wishes. 


4. Document your compliance in case of audit by logging each share and request 

Keep a record to demonstrate that you protect your customers’ personal data. You should be able to show: 

  • A log of the personal info you’ve shared and collected
  • How long personal data is kept 
  • Copies of the consents you’ve obtained 


Get ShareSimple FREE for one user today!

The best software for email security

Here are a few options for email security:

  • Certificate-based solutions. This option requires installation on both sides.
  • Tunnel mail. A Danish concept, with a secure tunnel established between two companies. It requires installation on both sides, and it cannot reach consumers.
  • A safe email portal. This is the solution we recommend. It does not require certificates or special installation.

The best solution for email security is the one your employees will use every time they share or collect personal data. It should work where your team does, whether that is in the office, on the road, or remotely. It must be fast and easy enough to use for all types of files (including large files). It should be easy to use, at any time, from any place, so that your employees will not be tempted to bypass it occasionally to save time.


This is how we can help you send mail with sensitive content

Our solution, ShareSimple, is an email portal that makes it safe to share files via Outlook. With ShareSimple, you can have full confidence that your files are protected with encryption, multi-factor authentication, access restriction, etc. when you send emails.

Read more about ShareSimple

Sebastian Allerelli

Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →