GDPR as an impetus for email encryption projects
Legal requirements | 04. DEC 2017
Maybe email encryption has been on your to-do list for ages and has been postponed for whatever reason, but the imminent European General Data Protection Regulation (GDPR) means there can be no more shirking the issue. By contrast with the Federal Data Protection law currently applicable in Germany, companies will be liable to substantial fines of up to €20 million or 4% of annual global turnover (the higher amount applies) if they fail to comply with the GDPR.
The topic of the GDPR has featured heavily in the IT industry trade press for some weeks, and now information about it is beginning to reach consumers. By the spring at the latest, the increasing amount of coverage in the popular media will result in companies having to process inquiries from customers about their data. You should therefore take urgent action: Processes need to be defined and consideration given to the security of data exchange from the outset. Switching to conventional mail is only a limited option:
… Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. (GDPR, Chapter III, Article 15)
Transmission of personal information – encryption is mandatory
The GDPR sets out certain basic principles covering the processing of personal information. Processing includes “disclosure by transmission” (cf. GDPR, Chapter I, Article 4). Sending personal information in emails or exchanging entire databases via the Internet must not be carried out without protection (cf. GDPR, Chapter II, Article 5).
The fundamental principle governing the processing of personal information is:
Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). (Chapter II, Article 5)
With regard to the security of processing the requirement is:
(1) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services … (Chapter IV, Section 2, Article 32)
Digital transmission of personal information may therefore only occur in encrypted form.
State of the art encryption technology
Secure email gateways such as Z1 SecureMail Gateway are part of the established state of the art technology. They encrypt personal information in a highly automated process when sending emails, thereby ensuring that integrity and confidentiality are preserved in an otherwise completely unprotected medium. For the transmission of large files a secure managed file transfer solution such as our Z1 SecureHub is required. Not only is it available as a web-based portal, it can also be integrated into other applications such as customer portals, or used to send large files securely straight from the email program.
With Z1 solutions the availability and capacity of systems involved in the processing of personal information are guaranteed very simply and efficiently over the long term. Furthermore, the secure transmission of all data is verifiable at any time.
It may not always be obvious, but very often server-based email encryption and secure file transfer can be an easy and efficient way to meet the GDPR requirements.
Get in touch and request your use case for GDPR-compliant email encryption and secure file transfer right now.