SC Spheres

Does Email Comply with Privacy Laws

Step 2

Email servers such as Gmail and Outlook encrypt an email message during transmission.  However, the message is only encrypted when in transit between servers and the email content and attachments can be read in plain text by the email servers at either end.  This means that 3rd parties who have or gain access to the servers can read the email message.

An email message is routed along a chain of servers and the exact route that the message follows depends on server availability. This means that unless your email is encrypted during transmission your email message is available in plain text on all of the servers used to deliver the message. Some of these servers could be located in a foreign country (even if the sender and receiver of the email are in the same country).

Most email servers support the encryption of a message during transmission.  However, if you send an email to a recipient who uses an email server that does not support encryption, the message will be sent in plain text (or not sent at all depending on your settings).

This is problematic for most privacy laws that require organisations to protect personal data, and often prohibit the transfer of data to certain countries.  The European privacy law, the General Data Protection Regulation or GDPR, is one such privacy law that prohibits the transfer of personal data to countries that are not contained on a list of ‘safe’ destinations.

GDPR recommends end-to-end encryption as the most feasible option for sending personal information via email.  An end-to-end encryption service would need to be purchased or installed by the organisation sending the email and subscribed to be the recipient of the email.  GDPR itself uses an email encryption service by ProtonMail that costs organisations 6.25 Euros per user per month. Subscription by the recipient is free.

End-to-end encryption uses a public key to encrypt the email message before it is sent.  The email message is stored on the sender’s email server in an encrypted form and, when it arrives, is stored on the recipient’s email server also in the encrypted form. The recipient decrypts the message using a password that acts as the private key and is only known to the recipient.  There can be complications when the password is changed as the recipient will not be able to read old messages stored on the email server unless the new password is replaced with the old one used for the original encryption.  This means keeping track of all old passwords.

Email retention is also complicated by data privacy laws.  Personal data can generally not be stored for longer than is necessary.  In terms of GDPR, the data subject has the ‘right to be forgotten’.  This means setting up procedures for deleting old emails.

Privacy laws will require organisations to rethink how email is used in their organisations.  Platforms that support end-to-end encryption and re-encryption of old messages whenever passwords are reset will offer distinct advantages over email even with encryption services like ProtonMail.

Why SC Spheres?
Copyright © SC Spheres (UK) Ltd. All rights reserved.