The GDPR: How to send sensitive information by email

Organisations always have to worry about the security of the information they send by email. You can never be certain who has access to your messages, and everyone has probably been guilty at least once of sending a message to the wrong person or accidentally hitting ‘reply all’. 

Your misdelivered message might have only contained mundane chatter and left you feeling embarrassed. However, if your email contained sensitive information, this sort of mistake could be a data breach and a violation of the EU GDPR (General Data Protection Regulation). 

The problem with email

For all the convenience of email, it doesn’t offer much in the way of security. Experts often compare sending emails to posting letters: you compose a message and a delivery address, and then hand it off to someone else to deliver. We trust that it will end up at the right destination and that no one will read it along the way, but we can never be certain. 

These problems are the reason many organisations still use fax machines. The technology might be incredibly outdated, but it’s a lot more secure than email. However, this solution only works if you and the person you are dealing with both still have fax machines, which is becoming less likely by the year. 

You might consider using fax machines if you already do so anyway, but we wouldn’t recommend their widespread re-adoption. Instead, we’d urge organisations to look at new technologies that are compatible with their existing processes. 


The GDPR doesn’t recommend many specific technologies (to avoid becoming redundant as new tech emerges), but it does make multiple references to encryption. This is the process of locking information so that only approved users can access it. 

However, the technology has largely proven unwieldy for email. Most exchanges don’t need to be encrypted, and encrypting them would make the process dauntingly complex for many people. Organisations that handle large volumes of sensitive data, such as the NHS, often use encrypted email, and some service providers, such as ProtonMail in Switzerland and Tutanota in Germany, offer encryption services. However, unless there’s a specific need for it, there’s a simpler solution available. 

The Cloud

The Cloud is a much better option for sharing sensitive information. Individuals can upload attachments to the Cloud and then send recipients a link. When the information is no longer needed, it can be deleted. 

This last step is essential: despite what many people think, the Cloud isn’t an impenetrable fortress that automatically keeps all your information secure. It’s simply a server run by a third party that takes responsibility for keeping it secure. However, under the GDPR, both your organisation and the service provider would be held to account for a breach, so it’s essential to remove information as quickly as possible. 

Organisations can do their part to stay secure by encrypting the information before uploading it to the Cloud. Current best practices state that data should be encrypted whenever it is in transit. 
