General Data Protection & Email Best Practice
GDPR applies to any business storing, sharing, sending or receiving the personal data of European Union and UK citizens, wherever in the world that business is located. Fines for GDPR breaches are substantial, up to €20 million or 4% of annual global turnover, whichever is greater. Post-Brexit, GDPR continues to apply in the UK.
GDPR rules proscribe that all communications[1] containing any data which allows a person to be identified[2] should be kept secure. Organizations are required to ensure that appropriate technical or organizational measures are in place to ensure confidentiality of personal data[3], and if a communication is accessed by a third party it is a data breach[4].
Free webmail accounts are free for a reason: the webmail provider gets access to the data. By sending an email containing personal information to a webmail account you are sharing that information with the webmail provider. This is a clear breach of the rules.
The data breach only arises because the client is using a free webmail account. If the client had their own private email account (as companies do) the problem would not arise. It might seem a little unfair that the company, not the client, is the one liable for the fine, but those are the rules. And companies can avoid the problem by either not using email entirely or implementing a corporate email encryption solution.
The good news is that you can fix this problem quickly and easily.
You can either ask your clients to sign up to StayPrivate. Or you can implement the StayPrivate Professional solution across your entire organization, allowing any employee to send an encrypted email simply by including a keyword, or by hooking it into your existing DLP solution.
Whichever route you choose, StayPrivate will not only ensure that your clients' data stays safe, but that they get a great experience too.
[1] GDPR Art 4, 2: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
[2] GDPR Art. 4, 1: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
[3] GDPR Art. 5, 1(f): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). GDPR Art. 5, 2: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).