Emails are almost always personal data, in that they tend to comprise data by which a living individual is identifiable. Furthermore, aside from the email messages themselves, personal data is often sent in attachments to email. As such, the medium is subject to the GDPR and is one which represents a very high risk of breaches of the GDPR.
If a cloud based email provider is used, then the transfer of any EU personal data to that provider needs to be compliant with GDPR. And if the cloud based servers to which data will be transferred via the use of the email provider are based outside of the EU, then the transmission of any personal data of people in the EU to that provider cannot take place unless the transfer is compliant with the stringent requirements of the GDPR for transfers of data outside of the EU.
The first step is to carry out a comprehensive audit of the email provider and of its contractual arrangements and terms of service, to ensure that any EU personal data transferred to it will be handled in compliance with the GDPR.
Then you need to look at your own internal measures to ensure that any personal data of people in the EU which you handle via email is handled in a GDPR-compliant way.
One of the first things you should look at is security. One of the central tenets of the GDPR is that personal data must be kept secure. Also, by its nature, email is a major source of data breaches for GDPR purposes. Unencrypted email is capable of interception and is not secure. Furthermore, the prospect of misdirection is very real with email: the wrong data can easily be sent to the wrong person, or to many such persons inadvertently.
Bear in mind that the GDPR requires mandatory notification of a data breach (which would include any breaches arising as a result of email) to the supervisory authorities within 72 hours of becoming aware of the breach. It's important to note that these guidelines apply to businesses based in Australia as well as any other country outside of the EU.