The GDPR: How to send sensitive information by email

Organisations should always be concerned about the security of their email correspondences. After all, everyone has probably been guilty at least once of sending a message to the wrong person or accidentally hitting ‘reply all’. 

If you’re lucky, your misdelivered message only revealed some mundane organisational processes and leave you feeling embarrassed.

But in many cases, the email will contain sensitive information – either in the body of the text or in an attachment, and this will have much more significant consequences than simply leaving you red-faced.

Depending on the nature of the compromised information, it could have severe financial or logistical effects on your business, pose nasty privacy ramifications for affected data subjects and expose your organisation to disciplinary action under the GDPR (General Data Protection Regulation)

Emails are a security risk

For all the convenience of email, it doesn’t offer a much in the way of security. Experts often compare it to posting a letter: you compose a message, provide a delivery address and hand it off to someone to deliver.

This creates a series of risks in addition to the threat that the message is send to the wrong person.

For example, a cyber criminal might have compromised your account in a phishing scam. With the right access, they could set up a system that would forward a copy of any email you sent to an email address they controlled, enabling them to spy on your messages.

That means that, even though the vast majority of messages you send may be totally innocuous, it only takes one email containing, for example, a list of customer records, for the fraudster to hit the jackpot.

And given that organisations receive almost 1,200 phishing emails each day, this is no small threat.

Similarly, employers should be concerned about misconfigurations on their email platforms. An error on the organisation’s email service could allow a criminal hacker to connect to the email network without authentication and then send emails seemingly as an employee.

They might do this to ask for a copy of a sensitive document, or to defraud the organisation – for example, by requesting that funds be transferred into an account that they control.

The threats posed by email are the reason many organisations still use fax machines. The technology might be incredibly outdated, but is has major information security benefits.

It obviously isn’t viable to use fax machines exclusively – or even to use them whenever you need to transfer sensitive data, not least because everyone you share the information with will also need a fax machine, which is becoming less likely by the year.

However, if you have partners with whom you regularly share legal documents with, for example, you might consider faxing this information.

An alternative solution – and one that’s easier to fit into the existing processes of your organisation and partners – is to look at new technologies that can strengthen email security.

Encryption and the Cloud

The GDPR doesn’t recommend specific technologies (which is does to avoid becoming redundant as new systems emerge), but it does make multiple references to encryption. This is the process of locking information so that only approved users can access it. 

Organisations that handle large volumes of sensitive data, such as the NHS, often use encrypted email, and some service providers, such as ProtonMail in Switzerland and Tutanota in Germany, offer encryption services.

However, for the majority of businesses, the technology will be unwieldy for email. For a start, the majority of messages don’t contain information that would need to be encrypted, so you’re using a lot of resources unnecessarily.

That’s why the Cloud is, in most cases, a better option. Individuals can upload attachments to an online folder and then send recipients a link. When the information is no longer needed, it can be deleted. 

This last step is essential: despite what many people think, the Cloud isn’t an impenetrable fortress that automatically keeps all your information secure. It’s simply a server run by a third party that takes responsibility for keeping it secure.

However, under the GDPR, both your organisation and the service provider would be held to account for a breach, so it’s essential to remove information as soon as possible. 

Educate employees on the risks of using email

Misuse of Cc and Bcc when emailing

You can reduce the rise of employees breaching information via email by embedding a culture of security awareness throughout your organisation.

Our Email Misuse Staff Awareness E-Learning Course teaches your staff everything they need to know about email security.

This quick course covers the essentials of secure emailing, including refreshers on CC and BCC and how to identify sensitive information in email.

A version of this blog was originally published on 13 August 2018.

One Response

  1. Chris Cooper 17th December 2020

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.