Everything you need to know about GDPR compliance and email security


New regulations always create compliance-induced headaches for companies. But in this case, the European Union’s General Data Protection Regulation (the GDPR) presents an enormous opportunity for businesses to improve their digital security.

Encryption is one of the data protection measures specifically recommended in the GDPR. Under the new law, organizations that suffer a data breach and have not taken appropriate measures to protect their users’ data can be hit with enormous fines. It is relatively simple, however, to mitigate your liability, and in this article we will explain how. Note that the recommendations here are not exhaustive; we also recommend speaking with an attorney to get more information.

A brief background on the GDPR

As of May 25, 2018, any organization that collects, stores, or uses the personal data of people in the EU must adhere to strict requirements that give individuals more control over their data. You can find the full text here. It’s worth reading over the documents with your lawyer to learn the many ways the GDPR could affect your business.

Broadly speaking, the GDPR aims to give people (“data subjects”) more control over who can access their personal information and how it is used. To accomplish this, data subjects now have certain protected rights. For example, they must be allowed to see what information about them is being stored, and they can ask to have it deleted. The GDPR also introduces a requirement known as “data portability,” which gives people the right to obtain their data in a standard format. This gets at one of the central ideas of the GDPR: personal data belong to the data subjects, not businesses. The GDPR requires “data controllers” (i.e. the organizations handling personal data) to set up procedures to honor these rights.

Data controllers also have new responsibilities to protect data more rigorously. No longer should data breaches compromise users’ online security and privacy. The GDPR compels data controllers to use additional security measures that make exposed data less harmful in the event of a breach: pseudonymization, anonymization, or encryption. We’ll look closer at some of these concepts below.

This legislation has serious teeth. If you fail to adequately protect users and their data, it could cost you 4 percent of your global annual revenue or €20 million, whichever is higher. In determining the severity of the penalties, the authorities take into account what steps the data controller has taken, such as the use of encryption, to mitigate damage to data subjects.

The GDPR applies to everyone

Any organization that handles the personal data of EU residents or citizens must comply with the GDPR, including companies that are not based in the EU. Third-party services used by your organization must also be compliant. That includes your email provider. So, for example, if your company communicates with EU-based customers through email, then your email service provider, regardless of the location of its headquarters or servers, must comply with GDPR.

How to comply with the GDPR

It’s useful to think about approaching compliance in three broad steps:

  1. Start by identifying the personal data in your organization’s possession. Understand where it is, how it is collected, and who has access.
  2. Create new systems to manage these data. The GDPR requires data controllers to respond quickly to requests from data subjects, to identify breaches and report them within 72 hours, to limit data access within your organization, to establish a lawful basis for having the data, and to make privacy the default stance (e.g. you should not collect data you do not need, and data subjects must opt in to collection), among many other requirements. This law will likely necessitate comprehensive new internal procedures and technical updates.
  3. Finally, the GDPR requires data controllers to take active measures to protect the personal data they possess and to mitigate the potential damage in case of a breach. This includes data stored anywhere within your organization, including in emails.

GDPR Compliant Email

Encryption is a key data protection component of the GDPR. It is referred to as an example of an “appropriate measure” to keep personal data secure, it ensures “data protection by design” covered in Article 25, and it mitigates your liabilities in the event of a data breach under Article 34.

The encryption we use at ProtonMail satisfies these requirements while giving organizations total control over their data. Unlike other cloud email services, you can be sure that neither we nor anyone else can see the contents of your emails — even if there is a breach of our servers. We can make this guarantee thanks to our implementation of end-to-end encryption, which protects your organization’s internal email communications, and zero-access encryption, which protects all your external email communications.

Privacy regulations aside, encrypted email is a common-sense tool that more businesses and individuals are adopting to defend against cyber attacks and to keep sensitive information safe. By combining email encryption with a cloud hosted service, ProtonMail provides the best of both worlds. You can benefit from the reliability and cost savings of the cloud, while simultaneously maintaining control over your data. From the user’s perspective, ProtonMail works just like an unencrypted email service, with modern inbox design and secure mobile apps. There’s no learning curve because all the encryption takes place automatically behind the scenes.

It’s important to work with trustworthy and security-conscious service providers to limit your liability under the GDPR, and in this regard ProtonMail can help protect your organization and your customers. Now more than ever, customers want to know that you are taking the appropriate steps to protect their data, and encrypted email helps reduce the risk of being fined or worse: being in the headlines for a catastrophic data breach.

GDPR Data Processing Agreement

For organizations using ProtonMail, we provide a Data Processing Agreement that helps you meet GDPR requirements. To properly comply with GDPR, you must also ensure that any third parties (e.g. subcontractors, cloud services, etc.) handling your customers’ data are compliant. To satisfy this obligation, you are expected to have in place a Data Processing Agreement with all services that may process customer data, in order to establish the rights and obligations of each party under the GDPR.

You can download ProtonMail’s Data Processing Agreement.

If you have additional questions about GDPR compliance and email security, please contact us.

Best Regards,
The ProtonMail Team


About the Author

Andy Yen

Andy is the Founder and CEO of Proton, the company behind ProtonMail and ProtonVPN. He is a long time advocate of privacy rights and has spoken at TED, SXSW, and the Asian Investigative Journalism Conference about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in Particle Physics from Harvard University. You can watch his TED talk online to learn more about our mission.


20 comments on “Everything you need to know about GDPR compliance and email security”

  • Hello
    I have a question that I can’t find the answer to.
    If you have links that explain it, please let me know.

    My question is: if ProtonMail gets hacked and the hackers put a malicious OpenPGPJS in the site to load in users’ browsers, what has ProtonMail done against this?
    Is there any prevention?


    • Using ProtonMail Bridge or mobile apps will avoid this issue entirely. We of course monitor our servers very carefully to make this very hard, if not impossible, to pull off.

  • Great overview. There is one topic that is not mentioned: in my view the GDPR also mandates enforcing in-transit encryption if offered by the recipient. Systems like SMTP MTA Strict Transport Security (MTA-STS) or DANE make it possible to reduce the risk of sending e-mails from MTA to MTA unencrypted. What are your plans to support such systems – both as sending and receiving MTA?

    • We will implement such systems once they are better supported within the email ecosystem.
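The MTA-STS mechanism raised in the comment above, as an added example that is not ProtonMail's code: a small Python parser for an RFC 8461 policy body and the delivery decision a sending MTA would derive from it. The policy text is constructed; the one-label wildcard rule and the testing-mode behaviour are my reading of the RFC, and no DNS or HTTPS fetching is performed.

```python
"""Added example: parse an MTA-STS policy (RFC 8461 text format) and
decide whether a sending MTA may deliver to a candidate MX host."""


class PolicyError(ValueError):
    """Raised for a policy that a sender must treat as invalid/absent."""


def parse_mta_sts_policy(text):
    """Parse the key/value policy body into a dict.
    Accepts CRLF or LF line endings; repeated 'mx' keys accumulate."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ":" not in line:
            raise PolicyError("malformed line: %r" % line)
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise PolicyError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise PolicyError("invalid mode")
    if not policy.get("max_age", "").isdigit():
        raise PolicyError("max_age must be a non-negative integer")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise PolicyError("at least one mx entry is required")
    return policy


def mx_matches(pattern, host):
    """'*.example.net' matches exactly one leftmost label (assumption,
    following RFC 8461 section 4.1); anything else is an exact match."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and host.count(".") == suffix.count(".") + 1
    return host == pattern


def delivery_decision(policy, mx_host, tls_ok):
    """Return 'deliver' or 'refuse' for a given MX host and TLS outcome.
    tls_ok means STARTTLS succeeded with a certificate valid for mx_host."""
    mode = policy["mode"]
    if mode == "none":
        return "deliver"
    trusted = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if trusted:
        return "deliver"
    # testing mode delivers anyway (and would be reported via TLSRPT); enforce refuses
    return "deliver" if mode == "testing" else "refuse"


# Constructed sample policy, as it would be served at the policy URL.
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmx: *.example.net\r\nmax_age: 604800\r\n"
```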

  • Hi there,

    I have read your GDPR Data Processing Agreement (https://protonmail.com/blog/wp-content/uploads/2018/05/Data-Processing-Agreement-Final.pdf) and it seems that one of the clauses is in contravention of GDPR itself; maybe we could take a look at it together:

    Art. 28.3 GDPR states:
    Processing by a processor shall be governed by a contract or other legal act under Union or Member State law,

    Yet your agreement in its final provisions states:

    13. Governing Law and Jurisdiction
    13.1 This Agreement is governed by Swiss law.
    13.2 Any dispute arising in connection with this Agreement, which the Parties
    will not be able to resolve amicably, will be submitted to the exclusive
    jurisdiction of the courts of Geneva, subject to possible appeal to the
    Swiss Federal Supreme Court in Lausanne.

    As far as I remember, Switzerland is not an EU Member State. Similar provisions are there in art. 28.4 concerning sub-processing agreements.

    The problem here is that such an agreement might not be considered as effectively addressing article 28 GDPR and therefore creating a risk of administrative/criminal charges to the administrator due to lack of compliance. Moreover it might be a good idea to provide an agreement with certified e-signature, preferably recognized by default by Adobe. What do you guys think?

    • The question you ask is an interesting one, and it arose as well when we were working on the Data Processing Agreement. The reasoning here is a bit tricky, and we found the clearer meaning in the French version.

      Article 28 §3 GDPR provides that the relation shall be governed by a contract or other legal act under Union or Member State law. It is confusing, and we thought initially that it meant that we had to choose Union or Member State law for the contract.

      But when reading the French version, we understand more clearly that the relation shall be governed by any act, provided that it constitutes a contract or another legal act in the eyes of Union or Member State law (un contrat ou un autre acte juridique au titre du droit), in a way that binds the parties.

  • This is an important topic for every person, you must always monitor the safety of your mail. Because an experienced hacker can easily break unsecured mail … And then not only its private information but also confidential files of companies can suffer. And then there can be big problems. We once had such a situation that our company also wanted to break down, but thank God we saw this vulnerability in time and corrected it. I advise everyone to use the maximum methods of protection since the consequences are very serious.

  • Thanks for that well written article. Well done to Andy Yen and all at Protonmail!

  • So email to email is encrypted for the greater security of personal information and privacy… how do we know that Protonmail does not decrypt users email and store and share?

    • We do not possess the encryption keys of our users. Without access to the encryption keys, we cannot actually decrypt any of the messages stored on ProtonMail.

    • Hi Wiston! If you have proof that this address is being used for something illegal or is involved in any illegal activities, please send them to abuse@protonmail.com and our abuse team will investigate and take proper measures if needed.

  • Hi.
    I’d like to know if I can avoid the grouping of mails in one single mail in my inbox, mails that come from the same sender. I prefer to have them in different mails.

    • Hi Juan,

      Please check the Appearance section in your ProtonMail Settings and make sure Conversation Grouping is not selected.