Emails are almost always personal data, in that they tend to comprise data by which a living individual is identifiable. Furthermore, aside from the actual email messages themselves, personal data is often sent in attachments to email. As such the medium is subject to the GDPR and one which represents a very high risk of breaches of GDPR.
If a cloud based email provider is used, then the transfer of any EU personal data to that provider needs to be compliant with GDPR. And if the cloud based servers to which data will be transferred via the use of the email provider are based outside of the EU, then the transmission of any personal data of people in the EU to that provider cannot take place unless the transfer is compliant with the stringent requirements of the GDPR for transfers of data outside of the EU.
The first thing would be to carry out a comprehensive audit of the email provider and the contractual arrangements and terms of service, to ensure that any EU data transferred to them will be compliant with GDPR.
Then you need to look at your own internal measures to ensure that any personal data of people in the EU handled by you via email is done so in a GDPR compliant way.
One of the first things you should look at is security. One of the central tenets of the GDPR is that data must be kept secure. Also, by its nature, email is a major risk of data breaches for GDPR purposes. Unencrypted email is capable of interception and is not secure. Furthermore, the prospect of misdirection is very real with email and the wrong data and easily be sent to the wrong person, or to many such persons inadvertently.
Bear in mind that the GDPR requires mandatory notification of a data breach (which would include any breaches arising as a result of email) to the supervisory authorities within 72 hours of becoming aware of the breach. It's important to note that these guidelines apply to businesses based in Australia as well as any other country outside of the EU.
About the author
Flor McCarthy is the author of our guides to GDPR. Flor is one of Ireland’s leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi award winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the exclusive Council of the Law Society of Ireland, the governing body for Irish lawyers.
Click here to return to the GDPR Compliance Hub.