GDPR Compliance and Email Security

Organisations in the USA that handle personal data of people in the EU must ensure that their business email infrastructure is secure and that its use does not breach the GDPR.

Emails are almost always personal data: they tend to contain information by which a living individual is identifiable (names, email addresses, signatures, message content). Furthermore, beyond the messages themselves, personal data is often sent in attachments. The medium is therefore subject to the GDPR, and it is one that carries a very high risk of GDPR breaches.

If a cloud-based email provider is used, the transfer of any EU personal data to that provider must comply with the GDPR. If the servers to which data is transferred through the provider are located outside the EU, personal data of people in the EU cannot be sent to that provider unless the transfer satisfies the GDPR's stringent requirements for transfers outside the EU (Chapter V), which means it must rest on an adequacy decision or on appropriate safeguards such as standard contractual clauses.

The first step is a comprehensive audit of the email provider, its contractual arrangements and its terms of service, to ensure that any EU data transferred to it will be handled in compliance with the GDPR. Because the provider processes data on your behalf, that includes a data processing agreement meeting the requirements of Article 28.

Then look at your own internal measures, to ensure that any personal data of people in the EU that you handle via email is handled in a GDPR-compliant way.

One of the first things to look at is security. One of the central tenets of the GDPR is that personal data must be kept secure: Article 32 requires appropriate technical and organisational measures and names encryption as one of them. By its nature, email is a major source of data breaches for GDPR purposes. Unencrypted email can be intercepted in transit and is not secure. Furthermore, misdirection is a very real prospect with email: the wrong data can easily be sent to the wrong person, or to many such people at once, through a single mistyped address or an incorrectly chosen recipient list.

Bear in mind that the GDPR requires notification of a personal data breach (which includes breaches arising through email) to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk, the affected individuals must also be informed. These obligations apply to businesses based in the USA, and in any other country outside the EU, that process data on people in the EU.

If you process data on EU data subjects, appreciate that compliance with the GDPR is essential for risk management, data security and customer confidence in your international business, and feel that you are a good fit for our services, please click the button below to schedule a free call with us today.

During the call we'll answer any questions you may have and go through our service in full detail, so that you have a complete understanding of our solution and how it can benefit your business. We look forward to speaking with you.

About the Author

Flor McCarthy

Flor McCarthy is the author of our guides to GDPR. Flor is one of Ireland's leading lawyers and a recognised expert in marketing. He has particular expertise and hands-on practical experience in privacy, data protection and GDPR issues for marketers. He is certified by the Law Society of Ireland in Data Protection Practice and lectures lawyers on data protection practice and compliance. He is managing partner of a multi-award-winning niche legal practice. He has been in private practice for over 20 years and has been elected by his peers to sit on the Council of the Law Society of Ireland, the governing body for Irish lawyers.