ProtonBlog(new window)
gdpr email security compliance

Everything you need to know about GDPR compliance and email security

Share this page

New regulations always create compliance-induced headaches for companies. But in this case, the European Union’s General Data Protection Regulation (the GDPR)(new window) presents an enormous opportunity for businesses to improve their digital security.

Encryption is one of the data protection measures specifically recommended in the GDPR. Under the new law, organizations that suffer a data breach and have not taken appropriate measures to protect their users’ data can be hit with enormous fines(new window). It is relatively simple, however, to mitigate your liability, and in this article we will explain how. Note, the recommendations here are not exhaustive and we also recommend speaking with an attorney to get more information.

A brief background on the GDPR

As of May 25, 2018, any organization that collects, stores, or uses the personal data of people in the EU must adhere to strict requirements that give individuals more control over their data. You can find the full text here(new window). It’s worth reading over the documents with your lawyer to learn the many ways the GDPR could affect your business.

Broadly speaking, the GDPR aims to give people (“data subjects”) more control over who can access their personal information and how it is used. To accomplish this, data subjects now have certain protected rights(new window). For example, they must be allowed to see what information about them is being stored, and they can ask to have it deleted. The GDPR also introduces a requirement known as “data portability,” which gives people the right to obtain their data in a standard format. This gets at one of the central ideas of the GDPR: personal data belong to the data subjects, not businesses. The GDPR requires “data controllers” (i.e. the organizations handling personal data) to set up procedures to honor these rights.

Data controllers also have new responsibilities to protect data more rigorously. No longer should data breaches compromise users’ online security and privacy. The GDPR compels data controllers to use additional security measures to render data files more harmless in the event of a data breach: pseudonymization, anonymization, or encryption. We’ll look closer at some of these concepts below.

This legislation has serious teeth. If you fail to adequately protect users and their data, it could cost you 4 percent of your global annual revenue or €20 million, whichever is higher. In determining the severity of the penalties, the authorities take into account what steps the data controller has taken, such as the use of encryption, to mitigate damage to data subjects.

The GDPR applies to everyone

Any organization that handles the personal data of EU residents or citizens must comply with the GDPR(new window), including companies that are not based in the EU. Third-party services used by your organization must also be compliant. That includes your email provider. So, for example, if your company communicates with EU-based customers through email, then your email service provider, regardless of the location of its headquarters or servers, must comply with GDPR.

How to comply with the GDPR

It’s useful to think about approaching compliance in three broad steps:

  1. Start by identifying the personal data in your organization’s possession. Understand where it is, how it is collected, and who has access.
  2. Create new systems to manage these data. The GDPR requires data controllers to respond quickly to requests from data subjects, to identify breaches and report them within 72 hours, to limit data access within your organization, to establish a lawful basis for having the data, and to make privacy the default stance (e.g. you should not collect data you do not need, and data subjects must opt-in to collection), among many other requirements. This law will likely necessitate comprehensive new internal procedures and technical updates.
  3. Finally, the GDPR requires data controllers to take active measures to protect the personal data they possess and to mitigate the potential damage in case of a breach. This includes data stored anywhere within your organization, including in emails.

GDPR Compliant Email

Encryption is a key data protection component of the GDPR(new window). It is referred to as an example of an “appropriate measure” to keep personal data secure, it ensures “data protection by design” covered in Article 25, and it mitigates your liabilities in the event of a data breach under Article 34.

The encryption we use at Proton Mail satisfies these requirements while giving organizations total control over their data. Unlike other cloud email services, you can be sure that neither we nor anyone else can see the contents of your emails — even if there is a breach of our servers. We can make this guarantee thanks to our implementation of end-to-end encryption(new window), which protects your organization’s internal email communications, and zero-access encryption(new window), which protects all your external email communications.

Privacy regulations aside, encrypted email(new window) is a common-sense tool that more businesses and individuals are adopting to defend against cyber attacks and to keep sensitive information safe. By combining email encryption with a cloud hosted service, Proton Mail provides the best of both worlds. You can benefit from the reliability and cost savings of the cloud, while simultaneously maintaining control over your data. From the user’s perspective, Proton Mail works just like an unencrypted email service, with modern inbox design and secure mobile apps. There’s no learning curve because all the encryption takes place automatically behind the scenes.

It’s important to work with trustworthy and security-conscious service providers to limit your liability under the GDPR, and in this regard Proton Mail can help protect your organization and your customers. Now more than ever, customers want to know that you are taking the appropriate steps to protect their data, and encrypted email helps reduce the risk of being fined or worse: being in the headlines for a catastrophic data breach(new window).

GDPR data processing agreement

For organizations using Proton Mail(new window) to comply with GDPR, we provide a data processing agreement(new window) that helps you comply with GDPR requirements. To properly comply with GDPR, you must also ensure any third parties (e.g. subcontractors, cloud services, etc.) handling your customers’ data are also compliant. To satisfy this obligation, you are expected to have in place a data processing agreement with all services that may process customer data, in order to establish the rights and obligations of each party under the GDPR.

You can download Proton Mail’s data processing agreement(new window).

If you have additional questions about GDPR compliance(new window) and email security, please contact us(new window).

Proton Mail provides free encrypted email(new window) accounts to the public.

We also provide a free VPN service(new window) to protect your privacy.

Protect your privacy with Proton
Create a free account

Share this page

Andy Yen(new window)

Andy is the founder and CEO of Proton. He is a long-time advocate for privacy rights and has spoken at TED, Web Summit, and the United Nations about online privacy issues. Previously, Andy was a research scientist at CERN and has a PhD in particle physics from Harvard University.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail