ProtonBlog(new window)
Subscribe by RSS
gdpr email security compliance

Everything you need to know about GDPR compliance and email security

Andy Yen(new window)

Share this page

New regulations always create compliance-induced headaches for companies. But in this case, the European Union’s General Data Protection Regulation (the GDPR)(new window) presents an enormous opportunity for businesses to improve their digital security.

Encryption is one of the data protection measures specifically recommended in the GDPR. Under the new law, organizations that suffer a data breach and have not taken appropriate measures to protect their users’ data can be hit with enormous fines(new window). It is relatively simple, however, to mitigate your liability, and in this article we will explain how. Note, the recommendations here are not exhaustive and we also recommend speaking with an attorney to get more information.

A brief background on the GDPR

As of May 25, 2018, any organization that collects, stores, or uses the personal data of people in the EU must adhere to strict requirements that give individuals more control over their data. You can find the full text here(new window). It’s worth reading over the documents with your lawyer to learn the many ways the GDPR could affect your business.

Broadly speaking, the GDPR aims to give people (“data subjects”) more control over who can access their personal information and how it is used. To accomplish this, data subjects now have certain protected rights(new window). For example, they must be allowed to see what information about them is being stored, and they can ask to have it deleted. The GDPR also introduces a requirement known as “data portability,” which gives people the right to obtain their data in a standard format. This gets at one of the central ideas of the GDPR: personal data belong to the data subjects, not businesses. The GDPR requires “data controllers” (i.e. the organizations handling personal data) to set up procedures to honor these rights.

Data controllers also have new responsibilities to protect data more rigorously. No longer should data breaches compromise users’ online security and privacy. The GDPR compels data controllers to use additional security measures to render data files more harmless in the event of a data breach: pseudonymization, anonymization, or encryption. We’ll look closer at some of these concepts below.

This legislation has serious teeth. If you fail to adequately protect users and their data, it could cost you 4 percent of your global annual revenue or €20 million, whichever is higher. In determining the severity of the penalties, the authorities take into account what steps the data controller has taken, such as the use of encryption, to mitigate damage to data subjects.

The GDPR applies to everyone

Any organization that handles the personal data of EU residents or citizens must comply with the GDPR(new window), including companies that are not based in the EU. Third-party services used by your organization must also be compliant. That includes your email provider. So, for example, if your company communicates with EU-based customers through email, then your email service provider, regardless of the location of its headquarters or servers, must comply with GDPR.

How to comply with the GDPR

It’s useful to think about approaching compliance in three broad steps:

  1. Start by identifying the personal data in your organization’s possession. Understand where it is, how it is collected, and who has access.
  2. Create new systems to manage these data. The GDPR requires data controllers to respond quickly to requests from data subjects, to identify breaches and report them within 72 hours, to limit data access within your organization, to establish a lawful basis for having the data, and to make privacy the default stance (e.g. you should not collect data you do not need, and data subjects must opt-in to collection), among many other requirements. This law will likely necessitate comprehensive new internal procedures and technical updates.
  3. Finally, the GDPR requires data controllers to take active measures to protect the personal data they possess and to mitigate the potential damage in case of a breach. This includes data stored anywhere within your organization, including in emails.

GDPR Compliant Email

Encryption is a key data protection component of the GDPR(new window). It is referred to as an example of an “appropriate measure” to keep personal data secure, it ensures “data protection by design” covered in Article 25, and it mitigates your liabilities in the event of a data breach under Article 34.

The encryption we use at Proton Mail satisfies these requirements while giving organizations total control over their data. Unlike other cloud email services, you can be sure that neither we nor anyone else can see the contents of your emails — even if there is a breach of our servers. We can make this guarantee thanks to our implementation of end-to-end encryption(new window), which protects your organization’s internal email communications, and zero-access encryption(new window), which protects all your external email communications.

Privacy regulations aside, encrypted email(new window) is a common-sense tool that more businesses and individuals are adopting to defend against cyber attacks and to keep sensitive information safe. By combining email encryption with a cloud hosted service, Proton Mail provides the best of both worlds. You can benefit from the reliability and cost savings of the cloud, while simultaneously maintaining control over your data. From the user’s perspective, Proton Mail works just like an unencrypted email service, with modern inbox design and secure mobile apps. There’s no learning curve because all the encryption takes place automatically behind the scenes.

It’s important to work with trustworthy and security-conscious service providers to limit your liability under the GDPR, and in this regard Proton Mail can help protect your organization and your customers. Now more than ever, customers want to know that you are taking the appropriate steps to protect their data, and encrypted email helps reduce the risk of being fined or worse: being in the headlines for a catastrophic data breach(new window).

GDPR data processing agreement

For organizations using Proton Mail(new window) to comply with GDPR, we provide a data processing agreement(new window) that helps you comply with GDPR requirements. To properly comply with GDPR, you must also ensure any third parties (e.g. subcontractors, cloud services, etc.) handling your customers’ data are also compliant. To satisfy this obligation, you are expected to have in place a data processing agreement with all services that may process customer data, in order to establish the rights and obligations of each party under the GDPR.

You can download Proton Mail’s data processing agreement(new window).

If you have additional questions about GDPR compliance(new window) and email security, please contact us(new window).

Proton Mail provides free encrypted email(new window) accounts to the public.

We also provide a free VPN service(new window) to protect your privacy.

Protect your business with Proton
Get Proton for Business

Related articles

Social engineering is a common hacking tactic involving psychological manipulation used in cybersecurity attacks to access or steal confidential information. They then use this information to commit fraud, gain unauthorized access to systems, or, in
is whatsapp safe for sending private photos
WhatsApp is the world’s leading messaging app, trusted by billions of people around the globe to send and receive messages. However, is WhatsApp safe for sending private photos? Or are there better ways to share photos online privately? Let’s find ou
passwordless future
With the advent of passkeys, plenty of people are predicting the end of passwords. Is the future passwordless, though? Or is there room for both types of authentication to exist side-by-side?  At Proton, we are optimistic about passkeys and have int
At Proton, we have always been highly disciplined, focusing on how to best sustain our mission over time. This job is incredibly difficult. Everything we create always takes longer and is more complex than it would be if we did it without focusing on
is icloud keychain safe
If you’re on any Apple device, you’re familiar with the iCloud Keychain, the Apple password manager. It’s a handy tool that stores passwords for you and helps you manage your logins.  For a program that stores all your most sensitive data in one pla
We recently announced that Proton Pass now supports passkeys for everyone across all devices. Universal compatibility is a unique approach to implementing passkeys, unfortunately. Even though passkeys were developed by the FIDO Alliance and the Worl