An Introduction to EU GDPR Email Requirements

Strictly speaking, specific GDPR email requirements do not exist. Compliance with the General Data Protection Regulation applies to every method used to collect, process, share or store the personal data of individuals in the EU, not just email. However, as a considerable amount of personal data is communicated by email, it is worth looking at the requirements as if they applied to email exclusively, and at the mechanisms available to help entities comply with them.

Consequently, this Introduction to EU GDPR email requirements discusses selected areas of GDPR and not the Regulation in its entirety. The full text of the General Data Protection Regulation (EU 2016/679) can be found on the European Commission’s website.

A Brief Guide to the General Data Protection Regulation

On 27th April 2016, the General Data Protection Regulation (GDPR) was adopted by the European Union. It became enforceable on 25th May 2018 and, unlike an EU Directive, it did not require individual member states to pass national legislation before it became law. In one of the biggest changes to the regulatory landscape of data privacy law, GDPR applies to any entity that processes the personal data of individuals in the EU, wherever in the world that entity is located.

The objective of GDPR is to give individuals more control over their personal data and to increase the security of that data while it is in the possession of others. To achieve this, the Regulation stipulates how personal data can be collected, processed, shared or stored. With regard to GDPR email requirements, the key areas to consider are the “Lawful Basis for Processing”, “Individual Rights”, “Data Security” and “Proof of Compliance”.

Although no one area of the GDPR email compliance requirements is more important than another, being able to prove that efforts have been made to comply can be a mitigating factor should a breach of GDPR occur or an entity fail a GDPR audit. With penalties of up to €20 million or 4% of annual worldwide turnover (whichever is the greater), the “Proof of Compliance” an entity can show is one of the factors a regulator weighs when deciding whether to fine and how much; it does not guarantee a smaller penalty.

GDPR Email Requirements: Lawful Basis for Processing

This area of the GDPR email requirements has received the highest profile because of its impact on email marketing. Since the introduction of GDPR, companies and organizations that send marketing communications by email (promotions, newsletters, requests for donations, etc.) have in practice had to rely on the consent of the individual to whom they are sending the email, and GDPR consent must be freely given, specific, informed and unambiguous, indicated by a clear affirmative action (a pre-ticked box does not count). Individuals must also be told clearly what their consent means and how it can be withdrawn, and withdrawing consent must be as easy as giving it.

Consent is one of the six lawful bases for processing listed in Article 6; whichever basis an entity relies on, only the minimum amount of data required for the stated purpose may be collected and retained, and the data must be deleted once it is no longer required for that purpose. This information (the lawful basis, the data required and the retention period) must be made available to each individual at the point the data is collected, along with details of any third parties with whom the data may be shared.

This stipulation applies not only to marketing activities but to any activity that involves collecting, processing, sharing or storing personal data, including employee databases. In effect, employers must justify what information they collect about employees and explain how it will be used. Employees have exactly the same “Individual Rights” (below) as consumers to examine the personal data their employers hold, to have inaccurate data rectified, and to request that the data be erased in part or in whole.

GDPR Email Compliance Requirements: Individual Rights

The Individual Rights section of the GDPR email compliance requirements has been dominated by the “right to be forgotten”, or, officially, the “right to erasure” (Article 17). With regard to email, and particularly email storage and retention, entities must have a facility to locate, extract and delete every piece of data relating to an individual that is held in their mail stores and archives in order to meet the email requirements for GDPR compliance. The same facility is needed to comply with:

  • The Right to be Informed – This right not only relates to the lawful basis, minimum required and length of retention information mentioned above, but also gives individuals the right to be told where their data was obtained from if it was not collected from them directly.
  • The Right of Access – This right gives individuals the right to request access to their personal data and any supplementary information held about them, so that they can check it is accurate and is being used for the lawful purpose stated. The data must be presented to the individual in a form that is clear to understand.
  • The Right to Rectification – Individuals have the right to have inaccurate personal data rectified or incomplete data completed. This right should be welcomed by entities, who have an obligation under the GDPR “Accuracy Principle” to ensure any processed or retained personal data is up to date.
  • The Right to Erasure – The “right to be forgotten” entitles individuals to request the erasure of their personal data from an entity’s systems, but only when certain circumstances apply. It is important entities are aware of the circumstances, and have mechanisms in place to comply with requests.
  • The Right to Object to or Restrict Data Processing – Individuals have the right to object to, or restrict, the processing of their data without necessarily requesting that it be erased. Such a scenario may exist, for example, if the customer of a bank did not want the bank to use their data for profiling but wished to remain a customer of the bank.
  • The Right to Data Portability – This is the right of an individual to receive their personal data in a “structured, commonly used and machine-readable format” in order to provide it to another entity. The original data does not have to be erased unless erasure is specifically requested.

In addition to understanding the circumstances in which Individual Rights apply, and implementing mechanisms to facilitate individuals’ requests, entities must develop policies and procedures that address how requests will be handled and what checks will be conducted to verify the identity of the person making the request, since answering a request made in someone else’s name would itself be an unauthorized disclosure of personal data. These tasks, and tasks relating to “Data Security” and “Proof of Compliance”, are typically assigned to a Data Protection Officer, who can be an existing employee or an outsourced service. Appointing a DPO is mandatory for public authorities and for entities whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data (Article 37); other entities may appoint one voluntarily.

GDPR Email Compliance Requirements: Data Security

Article 5(1)(f) of GDPR requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”, and Chapter IV, Section 2 (Articles 32 to 34) sets out the security obligations in detail, including breach notification. With regard to GDPR email compliance requirements, these obligations are similar in spirit to the safeguards required by HIPAA and Sarbanes-Oxley, and to the records-preservation obligations of the Federal Rules of Civil Procedure.

For entities unfamiliar with these regulatory Acts, all personal data and supplementary information, whether maintained in email format or not, must be secured against loss, theft, unauthorized disclosure and unauthorized alteration. In order to comply with the GDPR email requirements, entities will need to store email correspondence in a secure location and encrypt it, not only while emails are at rest but also when they are in transit between servers, users and archives (for example by enforcing TLS on the hops the entity controls). Article 32 names encryption explicitly as a measure to be considered “as appropriate”, so a decision not to encrypt needs to be a documented, risk-based one.

To comply with the GDPR email requirements relating to unauthorized alteration, whatever system is implemented to archive emails must capture an unaltered copy of each email as it enters or leaves the entity’s mail server and preserve it in a tamper-evident form, for example on write-once storage or with a cryptographic digest recorded at the moment of capture so that any later modification can be detected. Systems used for email archiving for GDPR compliance must also create an audit trail of access to archived data that records when access occurred, who accessed the data, and what activities were performed. The audit trail must be indexed and searchable in order to identify unauthorized access.

GDPR Email Requirements: Proof of Compliance

Like the regulatory Acts mentioned above, GDPR not only requires that appropriate mechanisms, policies and procedures are put in place to protect the integrity of individuals’ personal data, but also that the entity can demonstrate its compliance (the “accountability” principle of Article 5(2)). To comply with this area of GDPR, the entity, in practice its Data Protection Officer where one has been appointed, must keep records of its processing activities (Article 30), of any data protection impact assessments carried out (Article 35), and of the conclusions drawn from them.

Keeping these records may be time-consuming, but they are among the things a national regulator takes into account when deciding the amount of a financial penalty if a breach of personal data occurs, if a complaint is received from an individual about the misuse of their personal data, or if the entity fails an audit on other areas of compliance with the GDPR email requirements. Other factors that Article 83(2) says may influence the amount of a financial penalty include:

  • The nature, gravity and duration of the breach/complaint/non-compliance.
  • The type(s) of personal data involved and steps taken to mitigate damage.
  • Whether the cause of the event was unforeseeable, intentional or negligent.
  • What technical and organizational measures were implemented to prevent the event.
  • Prior breaches, complaints and non-compliance and fines for such events.
  • The timely notification of a breach and subsequent cooperation with the regulator.

Protect More than Data with an Email Filtering Solution

Email is the most common entry point for the malware, ransomware and phishing attacks that ultimately result in a data breach and the unauthorized disclosure of personal data. This entry point can be narrowed considerably with an email filtering solution that includes effective mechanisms to identify unsolicited mail (spam). Furthermore, an effective email filtering solution protects not only the data but the entity’s network from email-borne threats.

In order to be effective, an email filter should achieve spam detection rates in excess of 99.9%, include antivirus scanning and the option to conduct HELO tests on inbound email, and check inbound mail against the sender authentication standards SPF, DKIM and DMARC. The latter are what actually counter “email spoofing”, the faking of email headers so a message appears to have originated from someone or somewhere other than the actual source: a HELO/EHLO test only checks that the connecting server identifies itself with a plausible hostname, whereas SPF, DKIM and DMARC tie the message to the domain its From header claims. Spoofing is an increasingly used tactic by cybercriminals because end users are more likely to open an email if they believe it comes from a legitimate source.

HELO tests are sometimes confused with DMARC (Domain-based Message Authentication, Reporting and Conformance), but they are different mechanisms: a HELO test examines the hostname the sending server presents at the start of the SMTP session, while DMARC uses the results of SPF and DKIM checks, together with a policy the domain owner publishes in DNS, to decide whether a message whose From header claims that domain should be accepted, quarantined or rejected. DMARC has historically been deployed mainly by large enterprises and public-sector organizations. However, as cloud-based email filtering solutions have become available, smaller entities can also take advantage of this security measure to better protect personal data and comply with the GDPR email requirements.
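The following Python example, added here and not part of the original article or any vendor’s product, shows what the distinction above means in practice: a HELO hostname heuristic beside a DMARC evaluation that combines SPF and DKIM results with the published policy. It assumes the receiving server has already computed the SPF and DKIM results and fetched the DMARC TXT record (constructed records are embedded below), and it approximates the organizational domain by the last two labels rather than consulting the Public Suffix List, so domains such as example.co.uk are not handled correctly.

```python
"""DMARC disposition for one inbound message, plus a HELO hostname heuristic.

Added example; assumptions not taken from the article: SPF and DKIM have
already been evaluated by the receiving server, the DMARC TXT record has
already been fetched from DNS (constructed records below), and the
organizational domain is approximated by the last two labels instead of
the Public Suffix List.
"""
from dataclasses import dataclass

# Constructed DMARC records, keyed by the DNS name they would be published at.
SAMPLE_DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none",
}


@dataclass
class AuthResults:
    """What the receiving server already knows when DMARC is evaluated."""
    from_domain: str    # domain of the RFC 5322 From: header the user sees
    spf_result: str     # "pass", "fail", "none", ...
    spf_domain: str     # envelope MAIL FROM domain that SPF was checked against
    dkim_result: str    # "pass", "fail", "none", ...
    dkim_domain: str    # d= tag of the verified DKIM signature


def org_domain(domain):
    """Approximate organizational domain (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc_record(txt):
    """Parse 'tag=value; ...' into a dict; None if it is not a usable DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")   # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def aligned(header_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    h, a = header_domain.lower(), auth_domain.lower()
    return h == a if mode == "s" else org_domain(h) == org_domain(a)


def evaluate_dmarc(auth, records=SAMPLE_DMARC_RECORDS):
    """Return (disposition, reason); disposition is one of none/quarantine/reject."""
    from_domain = auth.from_domain.lower()
    record = records.get("_dmarc." + from_domain)
    subdomain_lookup = False
    if record is None and org_domain(from_domain) != from_domain:
        # No record at the exact From: domain: fall back to the organizational domain.
        record = records.get("_dmarc." + org_domain(from_domain))
        subdomain_lookup = True
    policy = parse_dmarc_record(record) if record else None
    if policy is None:
        return "none", "no DMARC policy published"
    # DMARC passes if EITHER authenticated identifier aligns with the From: domain.
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "none", "DMARC pass"
    # A subdomain without its own record inherits the org domain's sp= policy, if any.
    disposition = policy.get("sp", policy["p"]) if subdomain_lookup else policy["p"]
    if disposition not in ("none", "quarantine", "reject"):
        disposition = policy["p"]
    return disposition, "DMARC fail"


def helo_hostname_plausible(helo, our_hostname):
    """The HELO/EHLO test the article mentions, as a heuristic: it only says whether the
    connecting server presented a sensible name, not whether the From: header is genuine."""
    helo = helo.strip().lower()
    if helo.startswith("[") and helo.endswith("]"):
        return True   # RFC 5321 address literal is permitted, though many filters score it
    return "." in helo and helo != our_hostname.lower()


if __name__ == "__main__":
    spoof = AuthResults("example.com", "pass", "attacker.test", "none", "")
    print("spoofed From: example.com ->", evaluate_dmarc(spoof))
    print("HELO 'localhost' plausible?", helo_hostname_plausible("localhost", "mx.example.com"))
```

The spoofed message in the demo passes SPF for the attacker’s own envelope domain, which is exactly why SPF alone is not enough: DMARC rejects it because neither authenticated identifier aligns with the From domain the recipient sees, while the HELO heuristic would have said nothing about it.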

Secure Email Archiving for GDPR Compliance

Secure email archiving for GDPR compliance has the multiple benefits of protecting emails against accidental or unlawful destruction or loss, helping to prevent unauthorized disclosure or alteration, and providing a way in which entities can quickly extract personal data when requested to do so. Entities have one month in which to respond to access and erasure requests (Article 12(3)), extendable by a further two months only for complex or numerous requests, and the individual must be told of any extension within the first month. This may not be sufficient time if an entity has to search through numerous database backups to retrieve the data.

However, while secure email archiving is a better way to meet the GDPR email compliance requirements than relying on backups, not all methods of email archiving are suitable for all entities. Large businesses with a significant volume of email traffic may find it difficult or costly to allocate sufficient storage space to archive every email, yet in practice every email will have to be archived, because even a message with no personal data in its body carries headers that are personal data: the sender’s and recipients’ addresses, and the IP addresses recorded in the Received trace.
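As an added example (not code from the article or from any archiving product), the following Python shows the two archive properties discussed in the Data Security section and here: an exact copy that can be verified later, and an index of the personal data hidden in the headers so that an access or erasure request can be matched against it. It assumes messages arrive as raw RFC 5322 bytes, uses a constructed sample message in place of real traffic, and uses SHA-256 over the raw bytes as the integrity check; a production archive would additionally sign or timestamp the digest and keep it on write-once storage.

```python
"""Archive ingest that keeps an exact, verifiable copy of each message and
indexes the personal data inside it.

Added example. Assumptions: messages arrive as raw RFC 5322 bytes, the
constructed sample below stands in for real traffic, and SHA-256 over the
raw bytes is the integrity check.
"""
import email
import hashlib
import re
from email.utils import getaddresses

# Constructed sample message; addresses and IPs use reserved documentation ranges.
SAMPLE_EML = b"""Received: from mail.example.net (mail.example.net [203.0.113.7])
\tby mx.example.com with ESMTPS id abc123;
\tMon, 4 Jun 2018 10:15:02 +0000
Received: from [192.0.2.25] (helo=laptop.local)
\tby mail.example.net with ESMTPSA id def456;
\tMon, 4 Jun 2018 10:14:58 +0000
From: Alice Example <alice@example.net>
To: Bob Sample <bob@example.com>
Cc: carol@example.org
Subject: Order confirmation
Message-ID: <20180604101458.123@mail.example.net>

Hi Bob, thanks for your order.
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def content_digest(raw):
    """SHA-256 of the message exactly as received; any later alteration changes it."""
    return hashlib.sha256(raw).hexdigest()


def extract_personal_data(raw):
    """Identifiers a subject-access or erasure request would be matched on:
    every address in From/To/Cc and every IPv4 address in the Received trace."""
    msg = email.message_from_bytes(raw)
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    addresses = {addr.lower() for _, addr in getaddresses(headers) if addr}
    ips = []
    for received in msg.get_all("Received", []):
        for ip in IPV4_RE.findall(received):
            if ip not in ips:
                ips.append(ip)   # keep hop order, drop repeats
    return {"message_id": msg["Message-ID"], "addresses": addresses, "ips": ips}


def ingest_message(raw):
    """Archive record: the digest recorded at capture time plus the search index."""
    record = extract_personal_data(raw)
    record["sha256"] = content_digest(raw)
    record["size"] = len(raw)
    return record


def verify_copy(raw, record):
    """True only if the stored bytes still match what was captured at ingest."""
    return len(raw) == record["size"] and content_digest(raw) == record["sha256"]


def find_records_for(records, identifier):
    """Message-IDs whose indexed addresses or IPs match a data subject's identifier."""
    ident = identifier.strip().lower()
    return [r["message_id"] for r in records
            if ident in r["addresses"] or ident in r["ips"]]


if __name__ == "__main__":
    archive = [ingest_message(SAMPLE_EML)]
    print("indexed:", archive[0]["addresses"], archive[0]["ips"])
    print("copy intact:", verify_copy(SAMPLE_EML, archive[0]))
    print("records for carol@example.org:", find_records_for(archive, "carol@example.org"))
```

Note that a single-character change to the stored message (the demo’s equivalent of an unauthorized alteration) fails verification even though the size is unchanged, and that a request naming only an IP address still finds the message, which is why the Received headers cannot be stripped before archiving.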

Cloud-based archiving solutions are therefore often the most practical option: they are quick to set up, easy to manage and highly scalable. The provider is a data processor under Article 28, so a written data processing agreement is required and the entity remains responsible for verifying that the provider’s security, access controls and data location meet the GDPR requirements for email compliance. Provided that is done, cloud-based secure email archiving can save entities time and money, reduce the load on the mail server (especially when a cloud-based email filtering solution is also used), and minimize email-related demands on the entity’s IT resources.

Speak with TitanHQ for More Information

It is important to note this Introduction to EU GDPR email requirements is only an introduction. It would be impossible to incorporate the ninety-nine Articles of GDPR along with their implications into one article, and furthermore each entity covered by GDPR will likely have dissimilar requirements and dissimilar levels of preparedness. Unfortunately there is no one-size-fits-all solution to GDPR.

Although we have taken reasonable precautions to ensure the content of this article is accurate at the time of publication, it does not constitute legal advice. Entities concerned about the GDPR email compliance requirements should speak with their national regulator (for example the UK Information Commissioner’s Office), or, if located outside Europe, speak with a GDPR attorney.

With regard to the mechanisms that can help entities comply with the GDPR requirements for email, do not hesitate to contact us if you would like further information about cloud-based email filters or cloud-based secure email archiving for GDPR compliance. Our Sales Technicians will be happy to answer your questions and offer you a free trial of our solutions so that you can evaluate them in your own environment.