Skip to main content

GDPR and email

According to the GDPR, you are responsible for protecting people’s personal data. This post is about email security and how to protect personal data when emailing. You will receive a checklist for what to remember when sending emails in accordance with the data regulations, so that you can have a safe GDPR email.

Email of personal data

Email and personal data are two important aspects of our modern digital working life. E-mail allows us to communicate and exchange information over the Internet effectively. Emails can contain personal information such as names, contact information, and even confidential information such as credit card information or passwords. It is therefore important to be aware of security measures to protect personal data when using e-mail. Personal data refers to any information that can identify a person directly or indirectly. This can include names, addresses, phone numbers, dates of birth, email addresses and more.

Unfortunately, mail is also a service where there is a high risk of personal data – either intentionally or unintentionally – ending up in the hands of unauthorised persons. To protect personal data when using e-mail, there are some important steps you can follow.

Start your privacy cleanup with your emails

With an analysis scan by DataMapper, you can have all Outlook accounts in your company scanned. You will receive key statistics on all (current and former) employees' emails - including information on which emails, employees and processes generate GDPR risk.

Email security and compliance checklist

Getting your company’s email ready for safe data sharing is an important part of compliance with data privacy regulations, since email is still the most common way your employees will communicate with customers, vendors, partners, and each other.

Make sure you:

1. Get a good practice for sharing and collecting data by email
Email data breaches can be either accidental or intentional. Accidental email data breach occurs when someone, for example: 

  • Sends an email to the wrong person 
  • Attaches the wrong document to an email 
  • Uses the CC field rather than the BCC field 
  • Forwards an email thread they don’t realise contains personal information in the message body or attachments 

Intentional email data breaches may or may not be malicious. Here are some examples: 

  • You send or accept personal data by regular mail without encryption  
  • An employee reuses your leads’ emails and other personal data at a new job  
  • Someone leaks personal data for financial gain or to harm your company 

Establishing solid but easy-to-follow protocols for email data sharing for your whole company can increase awareness of data privacy and prevent data leaks and breaches.  


2. Protect data at rest and in transit with state-of-the-art security
Keeping in mind that the GDPR and other regulations require you to use appropriate technical measures to prevent data loss and leaks, your email security features should include: 

  • Encryption – so data ends up with the right recipient
  • Transport Layer Security (TLS) – to keep data safe in transit 
  • Multi-factor authentication – to verify the recipient’s identity 
  • Access restriction – to protect data at rest 
  • Data retention limits – to minimise your liability risk 


3. Get consent before accepting data by mail
Regulations require you to have a lawful basis for collecting data. In most cases, this should be in the form of freely given consent from the data owner/data subject. The consent you obtain from someone before accepting their data by email should be:  

  • Informed. Easy to read and understand for the data subject. 
  • Voluntary. Freely given by the data subject. 
  • Explicit. An unambiguous indication of the data subject’s wishes. 


4. Document your compliance in case of audit by logging each share and request
Keep a record to demonstrate that you protect your customers’ personal data. You should be able to show: 

  • A log of the personal info you’ve shared and collected
  • How long personal data is kept 
  • Copies of the consents you’ve obtained 

Get our Newsletter!

In our newsletter you get tips and tricks for dealing with privacy management from our founder Sebastian Allerelli.

When you sign up for our newsletter you get a license for one user to ShareSimple, which will give you a secure email in Outlook. This special offer is for new customers only, with a limit of one freebie per company.

The best software for email security

Here are a few options for email security:

  • Certificate-based solutions. This option requires installation on both sides.
  • Tunnel mail. A Danish concept, with a secure tunnel established between two companies. It requires installation on both sides, and it cannot reach consumers.
  • A safe email portal. This is the solution we recommend. It does not require certificates or special installation.

The best solution for email security is the one your employees will use every time they share or collect personal data. It should work where your team does, whether that is in the office, on the road, or remotely. It must be fast and easy enough to use for all types of files (including large files). It should be easy to use, at any time, from any place, so that your employees will not be tempted to bypass it occasionally to save time.

This is how we can help you send mail with sensitive content

Our solution, ShareSimple, is an email portal that makes it safe to share files via Outlook. With ShareSimple, you can have full confidence that your files are protected with encryption, multi-factor authentication, access restriction, etc. when you send emails.

Read more about ShareSimple

Sebastian Allerelli

Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
Follow me on LinkedIn to get tips on GDPR →


How to handle sensitive personal data


How to find personal data with datamapping tool


How to prepare for a data audit