Let’s talk about email encryption. Do relevant data protection laws, such as the GDPR in the EU or POPIA in South Africa, require your organisation to use encryption in transit to protect the personal data in the emails and attachments that your personnel send against unauthorised access?

Why email encryption is important

Email is like the internal combustion engine from an information security perspective: deeply flawed, and better technologies exist to replace it, but we just cannot seem to kick the habit. Some might say that sending information by email is like writing a letter and sending it through the postal system: your message changes hands several times and you have no way of knowing whether someone has read it en route to its destination. Like so many harmful addictions, the habit of corresponding by email is difficult to quit because we have used it for so long and do not know about appropriate alternatives.

Email encryption in the context of data protection law raises several questions, such as:

  • What happens if your personnel use freely available software to encrypt sensitive information before sending it by email? Could they exfiltrate sensitive information from your organisation in a way that is undetectable?
  • Should you add rules to your data loss prevention (DLP) systems that stop personnel from sending encrypted files by email, and configure those systems to flag sensitive information that employees wish to send by email and prompt them to encrypt it in a way that your organisation can still inspect?
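The second question above, in working code: a DLP-style check that scans an outbound message and flags any part that the organisation's gateway could not read in the clear. This is an added example written for this page, not the author's tooling or any vendor's product, and all of its names (find_encrypted_parts, zip_has_encrypted_entry, build_zip, build_sample_message) and its sample message are constructed for illustration. It recognises the usual ways an employee can make content opaque: a PGP/MIME container (RFC 3156), S/MIME enveloped data (RFC 8551), loose OpenPGP files, ASCII-armoured PGP text under a harmless-looking filename, and ZIP archives whose local file headers carry the encryption flag.

```python
"""Flag outbound email parts that a DLP gateway cannot inspect.

Added example for this page (not a product or the author's code). It parses
a constructed MIME message with no real data and reports parts that are
already encrypted, which is exactly what a 'block or review encrypted
attachments' DLP rule has to detect.
"""
import io
import struct
import zipfile
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.parser import BytesParser

OPENPGP_EXTENSIONS = (".gpg", ".pgp", ".asc")
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any ZIP local file header has general-purpose flag bit 0 set.

    Bit 0 marks an encrypted entry (legacy PKZIP and WinZip AES both set it).
    Flags sit at offset 6 of each local header (4-byte signature, 2-byte
    'version needed', then 2-byte flags). Walking headers directly means a
    truncated or padded archive is still inspected.
    """
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos >= 0 and pos + 8 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        pos = data.find(ZIP_LOCAL_HEADER, pos + 4)
    return False


def build_zip(name: str, content: bytes, encrypted_flag: bool) -> bytes:
    """One-entry ZIP for the sample. zipfile cannot write encrypted archives,
    so the 'encrypted' variant is a stored entry whose local-header flag bit 0
    is set by hand: the bytes are not really encrypted, but the header is what
    a scanner sees."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        struct.pack_into("<H", data, 6, 0x0001)  # first local header is at offset 0
    return bytes(data)


def _scan(part, findings: list) -> None:
    ctype = part.get_content_type()
    name = part.get_filename() or ctype
    if ctype == "multipart/encrypted":
        # RFC 3156: control part + ciphertext. Children are opaque; flag once.
        findings.append((name, f"PGP/MIME container, protocol={part.get_param('protocol')}"))
        return
    if ctype == "application/pkcs7-mime" and part.get_param("smime-type") == "enveloped-data":
        findings.append((name, "S/MIME enveloped-data (encrypted CMS)"))
        return
    if part.is_multipart():
        for sub in part.iter_parts():
            _scan(sub, findings)
        return
    payload = part.get_payload(decode=True) or b""
    if name.lower().endswith(OPENPGP_EXTENSIONS) or ctype == "application/pgp-encrypted":
        findings.append((name, "OpenPGP file attachment"))
    elif payload.lstrip().startswith(PGP_ARMOR):
        findings.append((name, "ASCII-armoured PGP message under a neutral filename"))
    elif payload.startswith(ZIP_LOCAL_HEADER) and zip_has_encrypted_entry(payload):
        findings.append((name, "ZIP archive with encrypted entries"))


def find_encrypted_parts(raw_message: bytes) -> list:
    """Return [(part name, reason)] for every part DLP could not read in clear."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings: list = []
    _scan(msg, findings)
    return findings


def build_sample_message() -> bytes:
    """Constructed outbound mail mixing inspectable and encrypted parts."""
    msg = MIMEMultipart("mixed")
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.net", "Q3 payroll"
    msg.attach(MIMEText("See attached.", "plain"))

    def attach(data: bytes, subtype: str, filename: str, **params) -> None:
        part = MIMEApplication(data, subtype, **params)
        part.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(part)

    armored = PGP_ARMOR + b"\nconstructed\n-----END PGP MESSAGE-----\n"
    attach(b"%PDF-1.4 constructed placeholder", "pdf", "payroll.pdf")              # readable
    attach(build_zip("payroll.csv", b"name,salary\n", False), "zip", "plain.zip")  # readable
    attach(build_zip("payroll.csv", b"name,salary\n", True), "zip", "locked.zip")  # flagged
    attach(armored, "octet-stream", "payroll.csv.gpg")                              # flagged by name
    attach(armored, "octet-stream", "notes.txt")                                    # flagged by content
    attach(b"\x30\x82constructed CMS blob", "pkcs7-mime", "smime.p7m", **{"smime-type": "enveloped-data"})
    pgp = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    pgp.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    pgp.attach(MIMEApplication(armored, "octet-stream"))
    msg.attach(pgp)                                                                 # flagged once
    return msg.as_bytes()


if __name__ == "__main__":
    for part_name, reason in find_encrypted_parts(build_sample_message()):
        print(f"BLOCK/REVIEW {part_name}: {reason}")
```

Run stand-alone it lists five parts to block or hold for review (the locked ZIP, the .gpg file, the armoured text hiding behind notes.txt, the S/MIME envelope and the PGP/MIME container) and lets the plain PDF and unencrypted ZIP through. The ZIP check is the one most rules miss: a password-protected archive looks like any other application/zip attachment until you read the header flag.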

How data protection law applies to email encryption

Relevant data protection laws generally say that your organisation needs to do what is reasonable and appropriate to prevent unauthorised access to the personal data in its care. This is often known as the information security requirement, and it is based on the idea that what you do to protect the personal data you process should be commensurate with the threats to that personal data and the resources available to your organisation. Most data protection laws do not go as far as saying that you must implement email encryption, although some mention encryption generally as a way of working towards compliance with the information security requirement. Therefore, while email encryption is not specifically required, it can help show compliance with the information security requirement in relevant data protection laws.

There are also several cases from Europe, some involving significant fines from the relevant supervisory authority, in which the authorities held that email was not an appropriate method of transferring particularly sensitive personal data and that the organisations in question should instead have used an online portal or secure FTP server over an encrypted connection that requires secure credentials to gain access.

What you can do to comply with relevant data protection laws

Encryption in transit converts information into a form that cannot be read by anyone who intercepts it while it moves from one place to another. It is commonplace on the web, where transport layer security (TLS), the successor to the now-deprecated secure sockets layer (SSL), encrypts traffic to and from websites. Email can be protected in the same way: mail servers can negotiate TLS for each hop (usually via STARTTLS), and end-to-end encryption such as S/MIME or OpenPGP can protect the message body and attachments from sender to recipient. The two are not equivalent. TLS between mail servers is typically opportunistic, protects only the link between two servers and leaves the message readable on every server it passes through, whereas end-to-end encryption protects the content throughout but also means your own gateways and DLP tools cannot inspect it unless your organisation holds the keys. Various software vendors provide appropriate services.

Actions you could take

  • Contact us for help with email encryption and relevant data protection laws.
  • Join our data protection programme to learn more about how to comply with the information security requirement in terms of relevant data protection laws.
  • Get updates about information security issues and alerts about our events by subscribing to the Michalsons newsletter.