What GDPR says about email

The GDPR was implemented on 25 May 2018 to protect the personal data and privacy of all EU and EEA citizens. GDPR aims to give individuals control over their data and standardise the rules in the EU. It has a significant impact on how companies communicate via email. This is apparent in both regular mail communication as well as email marketing.

This post is about what the GDPR says about email – what you be aware of when protecting sensitive data in emails and what pitfalls there are. In other words; everything you need to know to get a safe email that complies with GDPR.

According to the GDPR, companies must process personal data in emails according to certain security standards. This applies both when you email in the usual way and when you engage in email marketing. Here is an overview of the basic requirements:

1. Legality, fairness and transparency

• Legality: Emails containing personal data must be sent and processed legally. This means taking care to collect a lawful basis for the processing, such as the consent of the person whose data is being processed, or that the processing is necessary to fulfill a contract or legal requirements.
• Fairness: The processing must be fair, which means that the company must not mislead individuals about the purpose of collecting their data.
• Transparency: Companies must inform individuals about what personal data they collect, why they collect it and how it is used, in a clear and understandable form.

2. Purpose limitation

Data collected via emails may only be used for specific, explicit and legitimate purposes. These purposes must be clearly defined at the time of collection, and data must not be used for anything incompatible with these original purposes.

3. Data minimisation

Care must be taken to have only the minimum amount of data necessary to fulfill the stated purpose should be collected and processed. This means that if an email campaign can be carried out with less data, only this necessary data should be collected.

4. Accuracy

The personal data processed must be accurate and, where necessary, kept up to date. Any inaccurate data must be deleted or corrected immediately.

5. Storage limitation

Personal data should only be stored in a form that allows the identification of individuals for as long as is necessary for the purposes for which the personal data was collected and processed. This involves regular review and deletion of old data.

6. Confidentiality

Personal data must be processed in a way that ensures adequate data security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Application of appropriate technical or organisational measures, such as encryption, is essential.

7. Transfer of data

Data may only be transferred to countries outside the EU if the countries in question have similar standards for data protection as in the EU/EEA.

8. Data rights

Citizens have specific rights under the GDPR that companies must respect, including the right to access, rectification, erasure (“the right to be forgotten”), and the right to object to certain types of processing.

In connection with email communication, companies often make mistakes such as lack of consent, where marketing emails are sent without clear, documentable consent from the recipients. Another common mistake is to send sensitive data without encryption, which increases the risk of data leaks. Companies also often handle withdrawals of consent ineffectively, continue to send emails to those who have opted out, and fail to meet deadlines for responses to data requests (DSARs), which contravene the GDPR’s requirements for timely data handling. In summary, the errors are:

• Mails are sent without consent
• Mails are sent unencrypted
• Does not record withdrawal of consent
• Not meeting deadlines for DSARs

GDPR regulations in regards to email must ensure that personal data is handled responsibly. Unfortunately, there are many pitfalls that lead to breaking the rules. This can be due to one’s IT security, poor email practices from employees, the company’s ignorance or the recipient you email with.

Our solution, ShareSimple, is an email portal that makes sharing files in Outlook safe via end-to-end encryption, access control and strict data retention policies in line with EU standards.