EU GDPR (General Data Protection Regulation) and email security

Is your email system EU GDPR compliant?

The EU General Data Protection Regulation (GDPR) is the new legal framework governing the use of the personal data of European Union (EU) citizens across all EU markets. It replaces existing national data protection laws, and comes into force on 25 May 2018. The GDPR will affect all organizations in the EU and around the world that control or process personal data of EU residents. The new data protection law is not sector-specific, unlike privacy laws in other parts of the world. The same requirements apply to small businesses and large multinationals of all sectors, with very few exceptions. Consequently, organizations of all types are affected by the new EU data protection law.

With the GDPR, encryption becomes mandatory. Data must be encrypted at every opportunity, both at rest and in flight. This applies equally to public cloud storage, preferably using keys managed by the user rather than keys provided by the cloud provider.

If personal data is encrypted throughout its lifecycle using strong and approved algorithms, it can be taken out of scope of the GDPR. Article 32(1) sanctions encryption as an appropriate security technique. However, all endpoints must be taken into account: personal data is personal data, no matter where it is held. For example, if a mobile device containing personal data is breached while travelling, that is as much a data breach under the GDPR as one affecting a database.

Does the GDPR affect your organization’s email?

Does your organization use email to send messages or files containing personal data of your EU customers, employees, prospects or leads? Personal data can be as simple as names, addresses, email addresses, phone numbers, gender, nationality, social security numbers, credit card numbers, online identifiers (such as IP addresses), or factors specific to the physical, physiological, genetic, mental, economic or social identity of EU persons. In short, any data from which a person can be identified is considered personal data, and transmitting or storing personal data is considered processing. If your emails or attachments contain such information, the GDPR affects you.

Download whitepaper

Read our white paper to learn more about how the GDPR affects email and how you can easily become GDPR compliant with EEZY KEYZ® end-to-end email encryption.