ProtonBlog
gdpr email security compliance

Everything you need to know about GDPR compliance and email security

New regulations always create compliance-induced headaches for companies. But in this case, the European Union’s General Data Protection Regulation (the GDPR)(new window) presents an enormous opportunity for businesses to improve their digital security.

Encryption is one of the data protection measures specifically recommended in the GDPR. Under the new law, organizations that suffer a data breach and have not taken appropriate measures to protect their users’ data can be hit with enormous fines(new window). It is relatively simple, however, to mitigate your liability, and in this article we will explain how. Note, the recommendations here are not exhaustive and we also recommend speaking with an attorney to get more information.

A brief background on the GDPR

As of May 25, 2018, any organization that collects, stores, or uses the personal data of people in the EU must adhere to strict requirements that give individuals more control over their data. You can find the full text here(new window). It’s worth reading over the documents with your lawyer to learn the many ways the GDPR could affect your business.

Broadly speaking, the GDPR aims to give people (“data subjects”) more control over who can access their personal information and how it is used. To accomplish this, data subjects now have certain protected rights(new window). For example, they must be allowed to see what information about them is being stored, and they can ask to have it deleted. The GDPR also introduces a requirement known as “data portability,” which gives people the right to obtain their data in a standard format. This gets at one of the central ideas of the GDPR: personal data belong to the data subjects, not businesses. The GDPR requires “data controllers” (i.e. the organizations handling personal data) to set up procedures to honor these rights.

Data controllers also have new responsibilities to protect data more rigorously. No longer should data breaches compromise users’ online security and privacy. The GDPR compels data controllers to use additional security measures to render data files more harmless in the event of a data breach: pseudonymization, anonymization, or encryption. We’ll look closer at some of these concepts below.

This legislation has serious teeth. If you fail to adequately protect users and their data, it could cost you 4 percent of your global annual revenue or €20 million, whichever is higher. In determining the severity of the penalties, the authorities take into account what steps the data controller has taken, such as the use of encryption, to mitigate damage to data subjects.

The GDPR applies to everyone

Any organization that handles the personal data of EU residents or citizens must comply with the GDPR(new window), including companies that are not based in the EU. Third-party services used by your organization must also be compliant. That includes your email provider. So, for example, if your company communicates with EU-based customers through email, then your email service provider, regardless of the location of its headquarters or servers, must comply with GDPR.

How to comply with the GDPR

It’s useful to think about approaching compliance in three broad steps:

  1. Start by identifying the personal data in your organization’s possession. Understand where it is, how it is collected, and who has access.
  2. Create new systems to manage these data. The GDPR requires data controllers to respond quickly to requests from data subjects, to identify breaches and report them within 72 hours, to limit data access within your organization, to establish a lawful basis for having the data, and to make privacy the default stance (e.g. you should not collect data you do not need, and data subjects must opt-in to collection), among many other requirements. This law will likely necessitate comprehensive new internal procedures and technical updates.
  3. Finally, the GDPR requires data controllers to take active measures to protect the personal data they possess and to mitigate the potential damage in case of a breach. This includes data stored anywhere within your organization, including in emails.

GDPR Compliant Email

Encryption is a key data protection component of the GDPR(new window). It is referred to as an example of an “appropriate measure” to keep personal data secure, it ensures “data protection by design” covered in Article 25, and it mitigates your liabilities in the event of a data breach under Article 34.

The encryption we use at Proton Mail satisfies these requirements while giving organizations total control over their data. Unlike other cloud email services, you can be sure that neither we nor anyone else can see the contents of your emails — even if there is a breach of our servers. We can make this guarantee thanks to our implementation of end-to-end encryption(new window), which protects your organization’s internal email communications, and zero-access encryption(new window), which protects all your external email communications.

Privacy regulations aside, encrypted email(new window) is a common-sense tool that more businesses and individuals are adopting to defend against cyber attacks and to keep sensitive information safe. By combining email encryption with a cloud hosted service, Proton Mail provides the best of both worlds. You can benefit from the reliability and cost savings of the cloud, while simultaneously maintaining control over your data. From the user’s perspective, Proton Mail works just like an unencrypted email service, with modern inbox design and secure mobile apps. There’s no learning curve because all the encryption takes place automatically behind the scenes.

It’s important to work with trustworthy and security-conscious service providers to limit your liability under the GDPR, and in this regard Proton Mail can help protect your organization and your customers. Now more than ever, customers want to know that you are taking the appropriate steps to protect their data, and encrypted email helps reduce the risk of being fined or worse: being in the headlines for a catastrophic data breach(new window).

GDPR data processing agreement

For organizations using Proton Mail(new window) to comply with GDPR, we provide a data processing agreement(new window) that helps you comply with GDPR requirements. To properly comply with GDPR, you must also ensure any third parties (e.g. subcontractors, cloud services, etc.) handling your customers’ data are also compliant. To satisfy this obligation, you are expected to have in place a data processing agreement with all services that may process customer data, in order to establish the rights and obligations of each party under the GDPR.

You can download Proton Mail’s data processing agreement(new window).

If you have additional questions about GDPR compliance(new window) and email security, please contact us(new window).

Proton Mail provides free encrypted email(new window) accounts to the public.

We also provide a free VPN service(new window) to protect your privacy.

Protect your business with Proton
Get Proton for Business

Related articles

Email threads are so ubiquitous you might not realize what they are. An email thread is basically a series of related emails grouped together.  This article will tell you everything you need to know about what exactly an email thread is and when you
Identity theft is a major sector of criminal activity. About 24 million people fell victim in the United States alone in 2021, costing them over $16 billion. Credit card fraud is the most common type, but criminals target all kinds of personal data.
Google is one of the biggest obstacles to privacy. The Big Tech giant may offer quick access to information online, but it also controls vast amounts of your personal or business data. Recently, more people are becoming aware of the actual price you
What to do if someone steals your Social Security number
If you’re a United States citizen or permanent resident, you have a Social Security number (SSN). This number is the linchpin of much of your existence, linked to everything from your tax records to your credit cards. Theft is a massive problem, whic
compromised passwords
Compromised passwords are a common issue and probably one of the biggest cybersecurity threats for regular people. How do passwords get compromised, and is there anything you can do to prevent it? * What does compromised password mean? * How do pa
Is WeTransfer safe?
  • Privacy basics
WeTransfer is a popular service used by millions worldwide to send large files. You may have wondered if it’s safe or whether you should use it to share sensitive files. We answer these questions below and present a WeTransfer alternative that may su