LEGAL REQUIREMENTS 26. SEP 2018
Are my TLS-encrypted emails EU GDPR compliant?
The quick answer is: Sort of! – Spontaneously encrypting with TLS only works to a certain degree. There is a high risk of not encrypting, even though you believe your email is TLS-encrypted. As a rule, neither sender nor recipient can verify whether an email has been encrypted with TLS or not. Depending on the email content, this can lead to awkward inquiries since, according to the European Union General Data Protection Regulation (EU GDPR), you must be able to verify that personal data is encrypted (cf. chapter 2, article 4, paragraphs 1 and 2).
Principles relating to processing of personal data
(1) Personal data shall be: …
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
Verifying TLS encryption is, however, complicated. You also have to have a backup solution in case TLS is not available or is only available in an older, non-secure version. Theoretically, TLS encryption is EU GDPR compliant, but it is difficult to work with and usually cannot be controlled by senders.
But let’s start at the beginning: What in the world is TLS?
TLS stands for Transport Layer Security. This means that only the transmission channels between two SMTP servers are encrypted, but not the emails themselves. It’s as if your data packages travel through a secure tunnel from one SMTP server to the next until they reach the recipient. But at every stopover your emails can be clearly read if they have not been S/MIME or OpenPGP encrypted prior to sending. Ergo, the transfer stations are usually not secure. Server administrators have access to email content that travels over their server.
Does TLS provide sufficiently secure encryption?
According to the German Federal Office for Information Security (BSI), only TLS versions 1.2 or newer are secure (December 2014). Since EU GDPR requires encryption via up-to-date technology, only TLS 1.2 or higher is acceptable. Failing to provide this minimum of security compromises the communications security of all correspondents.
The responsibility for TLS lies with IT administration. Servers must be appropriately configured and have an integrated TLS-supporting certificate. Optimally, certificates should be issued by an official trust center to avoid the risk of man-in-the-middle (MITM) attacks.
Once correctly installed, TLS runs smoothly until…
- a personally generated certificate is rejected by a destination device.,
- a certificate expires.
- a configuration is updated in-house.
- the destination device updates a configuration.
- a server is replaced.
- someone begins asking pointed questions.
Properly configuring TLS: Optional vs. Mandatory
Since, in email communication, successful delivery of emails has so far been regarded as more important than email security, “Optional TLS” is the default setting on servers. This setting encrypts whenever possible, and when it’s not, it doesn’t.
To comply with EU GDPR using TLS, the setting must be reconfigured to “mandatory TLS”. This setting encrypts all emails. If encryption is not possible, the email cannot be sent. Which sends us looking for an alternative. Our Z1 SecureMail Gateway provides effortless email privacy compliance. It runs in the background and processes the email traffic of your entire company according to predefined rules. A variety of encryption methods ensures secure communication with all recipients.
In a nutshell: TLS and EU GDPR
When it comes to routine communication between two parties, TLS can be a viable alternative to VPN as long as the administrators are in agreement.
For spontaneous email communication with a broad range of contacts, as is the case in B2C enterprises or personnel departments, TLS is not an option as it provides neither consistent, workhorse security nor is it EU GPDR compliant. Alternatives work with so-called password-based encryption methods.