Skip to main content

GDPR email security

The GDPR and other global privacy regulations inspired by it make you responsible for protecting people’s data. Let’s look at some key points from privacy regulations that apply to email security, then go over a basic checklist to set up for safe, compliant email data sharing. 


Article 5 of the GDPR requires personal data to be protected “against accidental loss, destruction or damage, using appropriate technical or organizational measures” such as encryption and pseudonymization of personal data. 


Under California’s CCPA, even if a breach does occur, if you use encryption, your company’s liability and potential fines will be reduced. Consumers can bring a lawsuit against your company if their unencrypted or unredacted personal data is exposed in a breach if you cannot demonstrate that you were taking steps to protect against such breaches.  


Canada’s data privacy laws require you to “Protect all personal information (regardless of how it is stored) against loss, theft, or any unauthorized access, disclosure, copying, use or modification.” Use appropriate security safeguards to provide the necessary protection. up-to-date technological tools (e.g., passwords, encryption, firewalls and security patches);” 


China’s PIPL requires companies to “implement technological solutions to ensure data security” and to conduct audits of their processing activities. 

Other regulations

We have only listed a few, but most data privacy laws follow this pattern of requiring companies to use technology and security software to protect personal and sensitive data you share and collect.

Along with proper security, when collecting data, you should also get consent to process it.  And you should always be able to demonstrate compliance with documentation. Failure to do so can bring heavy fines and may expose you to legal action. 

Privacy regulations

Getting your company’s email ready for safe data sharing is an important part of compliance with data privacy regulations, since email is still the most common way your employees will communicate with customers, vendors, partners, and each other.

Make sure you:

  • Set up a safe, standard way for your whole team to share and collect data by email 
  • Protect data at rest and in transit with state-of-the-art security 
  • Get consent before accepting the data you request by email 
  • Document compliance in case of audit by logging each share and request

Let’s take a look at these points one by one.

Email security and compliance checklist

Set up a safe, standard way for your whole team to share and collect data by email 

Email data breaches can be either accidental or intentional. 

Accidental email data breach occurs when someone, for example: 

  • Sends an email to the wrong person 
  • Attaches the wrong document to an email 
  • Uses the CC field rather than the BCC field 
  • Forwards an email thread they don’t realize contains personal information in the message body or attachments 

Intentional email data breaches may or may not be malicious. Here are some examples: 

  • You send or accept personal data by regular mail without encryption  
  • An employee reuses your leads’ emails and other personal data at a new job  
  • Someone leaks personal data for financial gain or to harm your company 

Establishing solid but easy-to-follow protocols for email data sharing for your whole company can increase awareness of data privacy and prevent data leaks and breaches.  

ShareSimple provides a safe, standard data-sharing process for your whole team. Try it → 

Protect data at rest and in transit with state-of-the-art security 

Keeping in mind that the GDPR and other regulations require you to use appropriate technical measures to prevent data loss and leaks, your email security features should include: 

  • Transport Layer Security (TLS) to keep data safe in transit 
  • Multi-factor authentication to verify the recipient’s identity 
  • Access restriction to protect data at rest 
  • Data retention limits to minimize your liability risk 

ShareSimple provides state-of-the-art email security. Get it from the AppSource store → 

Get consent before accepting data by email 

Regulations require you to have a lawful basis for collecting data. In most cases, this should be in the form of freely given consent from the data owner/data subject. The consent you obtain from someone before accepting their data by email should be:  

  • Informed. Easy to read and understand for the data subject. 
  • Voluntary. Freely given by the data subject. 
  • Explicit. An unambiguous indication of the data subject’s wishes. 

When you request data from someone by email, make sure you get consent at the same time. ShareSimple’s secure request option comes with pre-drafted, customizable consent forms that get consent automatically before accepting personal data. 

Document your compliance in case of audit by logging each share and request 

Keep a record to demonstrate that you protect your customers’ personal data. You should be able to show: 

  • A log of the personal info you’ve shared and collected
  • How long personal data is kept 
  • Copies of the consents you’ve obtained 

Keeping such a log manually is probably unrealistic. Make sure that logs and documentation are built into your email security tools. ShareSimple logs all activity in case of audit. Try it free → 

Want more free data privacy tips?

Get the latest data privacy management news, trends and expert tips delivered straight to your inbox.

    The best software for email security

    Here are a few options for email security: 

    • Certificate-based solutions. This option requires installation on both sides. 
    • Tunnel mail. A Danish concept, with a secure tunnel established between two companies. It requires installation on both sides, and it cannot reach consumers. 
    • A safe email portal. This is the solution we recommend. It does not require certificates or special installation.

    The best solution for email security is the one your employees will use every time they share or collect personal data.

    It should work where your team does, whether that is in the office, on the road, or remotely.  

    It must be fast and easy enough to use for all types of files (including large files).

    It should be easy to use, at any time, from any place, so that your employees will not be tempted to bypass it occasionally to save time.  

    Try ShareSimple

    Try Safe Online’s user-friendly email security add-in for Microsoft emails, ShareSimple. ShareSimple lets you share personal and sensitive data securely, right in Outlook.  

    ShareSimple opens as a secure window in a new message with options to share or request data

    Instant setup  

    No certificates  


    ShareSimple is available to try for free from the AppSource store.

    It is the easiest way to get the email security you need to comply with the GDPR and other regulations. 

    1. Get the add-in from Microsoft AppSource
    2. Start a new message
    3. Open the secure ShareSimple window

    Drag and drop files, add a note, or create a quick and secure data request form.

    Easy drag-and-drop file sharing
    Layers of customizable security

    Share and request data quickly with anyone, regardless of their email server or where they are in the world. ShareSimple satisfies the email security and compliance requirements we’ve just gone over, because it: 

    Provides a safe, standard way for your whole team to share and collect data  

    Protects data at rest and in transit with state-of-the-art security 

    Gets consent automatically before accepting the data you request by email 

    Logs all activity in case of audit 

    Talk to your management about getting ShareSimple for your whole team, or try it now → 

    Sebastian Allerelli

    Governance, risk, and compliance specialist