In 2016, the European Union adopted the most impactful data protection mandate in decades, replacing the Data Protection Directive of 1995. Since it became enforceable on 25 May 2018, the General Data Protection Regulation (GDPR) has made waves throughout the world, and organizations have spent the past several years trying to understand what it means, how to remain compliant, and how their operations might be affected.
GDPR is law throughout the EU, and organizations wishing to do business there need a comprehensive understanding of what it entails. At its core, the regulation is designed to harmonize data privacy law throughout the region, protect the personal data of individuals in the EU (not only citizens), and reshape the way organizations approach data privacy. Proponents of GDPR call it “the most important change in data privacy regulation in 20 years,” noting that it will “fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond.”
This description makes GDPR sound frighteningly large in scope, and in many ways it is. Unlike HIPAA or DFARS, which impact only specific industries, GDPR applies to any organization established in the EU or the European Economic Area, and, under Article 3(2), to organizations outside the region that offer goods or services to people in the EU or monitor their behaviour. Its reach is sweeping.
In other ways, though, the obligations GDPR enforces are simple and straightforward. Similar to those smaller-scale U.S. regulations, GDPR requires data protection “by design and by default” (Article 25) for all business IT processes involving personal data. Article 32 states that controllers and processors of personal data must put in place “appropriate technical and organisational measures” to ensure that this data is protected, and it names “the pseudonymisation and encryption of personal data” as its first example of such a measure, with significant penalties in store for violators.
And make no mistake: the penalties are severe. GDPR fines are tiered. The upper tier, for breaches of the basic processing principles (including integrity and confidentiality), data subject rights, and transfer rules, reaches €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher; breaches of the security obligations in Article 32 fall in the lower tier of €10 million or 2%, although a breach that also violates the confidentiality principle can be assessed at the higher one. Either figure is a major chunk of change for any organization, underscoring the importance of compliance with GDPR rules.
So, what does this mean? If nothing else, it means email encryption is a very, very good idea. Since GDPR went into effect, encrypting email containing sensitive personal data has been widely considered a best practice of business operations. This should come as no surprise: email in Europe carries the same weaknesses as email in the U.S. Transport encryption between mail servers (STARTTLS) is opportunistic and only protects each hop, so an unencrypted message is readable in cleartext by a number of different parties, including the enterprise IT administrator, the internet service provider where TLS is absent, and the cloud mail provider on both ends. GDPR does not make encryption mandatory by name, but because Article 32 lists it as an example of an appropriate technical measure, sending individuals’ personal or sensitive information in cleartext email is difficult to justify and leaves an organization exposed to enforcement if that mail is breached.
Don’t risk it. Why would you? S/MIME serves as a simple and effective way to encrypt the body of an email and, through a separate digital signature, to authenticate the sender and the integrity of the contents. Although email certificates are not specifically called for in GDPR, S/MIME is the most straightforward way to ensure that your email communications remain compliant. Messages protected by S/MIME are encrypted in the sender’s mail client and decrypted only in the recipient’s, so relays, providers and administrators along the way see only ciphertext. Message bodies and attachments also remain encrypted while stored on mail servers, which covers the at-rest copy. Two caveats a practitioner should plan for: the envelope headers (From, To, Subject, Date) are not encrypted, so a sensitive subject line leaks anyway, and the sender needs the recipient’s certificate before the first encrypted message can be sent, so certificate distribution and private-key backup (otherwise a lost key makes an archived mailbox unreadable) must be part of the rollout.
For organizations looking for a way to bring their email communications into GDPR compliance, few options are as comprehensive as S/MIME. The end-to-end encryption it provides is supported natively by mainstream mail clients and offers a straightforward, user-friendly approach to email security across any industry.
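The properties claimed for S/MIME above can be checked directly with the openssl command line. The script below is an added example, not code from the original post or from any vendor: it generates throwaway self-signed certificates for two hypothetical users (real deployments use CA-issued email certificates with the emailProtection extended key usage; the S/MIME operations are identical), encrypts a constructed message containing personal data, shows that the body is ciphertext while the Subject header stays in cleartext, that only the intended recipient's key can decrypt it, and that a signature verifies but breaks as soon as one figure in the signed content is changed. The names, addresses, message text and subject line are all constructed for the example; it assumes `openssl` 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: exercises what S/MIME
# protects (and what it leaves visible) with the openssl CLI.
# Assumes openssl 1.1.1+ is on PATH. Names, addresses, the message and
# the subject line are constructed for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate and key for a hypothetical mailbox.
# Real deployments use CA-issued email certificates (with the
# emailProtection EKU); the S/MIME operations below are the same.
make_identity() {  # $1 = short name, $2 = e-mail address
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/CN=$1/emailAddress=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Encrypt the body to the holder of recipient certificate $3 (AES-256),
# adding the usual envelope headers to the S/MIME output.
smime_encrypt() {  # $1 = plaintext, $2 = output .p7m, $3 = recipient cert
  openssl cms -encrypt -aes256 -in "$1" -out "$2" \
    -from alice@example.com -to bob@example.com -subject "Q3 payroll" "$3"
}

# Decrypt with a recipient's certificate and private key.
smime_decrypt() {  # $1 = .p7m, $2 = output, $3 = cert, $4 = private key
  openssl cms -decrypt -in "$1" -out "$2" -recip "$3" -inkey "$4" 2>/dev/null
}

# Clear-sign (multipart/signed) with the sender's certificate and key.
smime_sign() {  # $1 = plaintext, $2 = signed output, $3 = cert, $4 = key
  openssl cms -sign -in "$1" -out "$2" -signer "$3" -inkey "$4"
}

# Verify a signature against a certificate we choose to trust.
smime_verify() {  # $1 = signed message, $2 = recovered content, $3 = trusted cert
  openssl cms -verify -in "$1" -out "$2" -CAfile "$3" >/dev/null 2>&1
}

# S/MIME canonicalises line endings to CRLF; compare text ignoring CR.
same_text() { tr -d '\r' < "$1" | cmp -s - "$2"; }

setup_demo() {
  make_identity alice alice@example.com
  make_identity bob bob@example.com
  printf 'Employee 4711: salary EUR 58,000, IBAN DE89 3704 0044 0532 0130 00\n' \
    > "$WORK/msg.txt"
}

# Confidentiality: only Bob's key opens the body; admins and providers see
# ciphertext, but the From/To/Subject headers are still cleartext.
check_confidentiality() {
  smime_encrypt "$WORK/msg.txt" "$WORK/msg.p7m" "$WORK/bob.crt" || return 1
  grep -q 'IBAN' "$WORK/msg.p7m" && return 1                 # body is ciphertext
  grep -q '^Subject: Q3 payroll' "$WORK/msg.p7m" || return 1 # header still leaks
  smime_decrypt "$WORK/msg.p7m" "$WORK/bob.txt" "$WORK/bob.crt" "$WORK/bob.key" || return 1
  same_text "$WORK/bob.txt" "$WORK/msg.txt" || return 1
  smime_decrypt "$WORK/msg.p7m" "$WORK/x.txt" "$WORK/alice.crt" "$WORK/alice.key" && return 1
  return 0
}

# Authenticity and integrity: Alice's signature verifies, changing a single
# figure in the signed content breaks it, and Bob's signature is not Alice's.
check_authenticity() {
  smime_sign "$WORK/msg.txt" "$WORK/msg.signed" "$WORK/alice.crt" "$WORK/alice.key" || return 1
  smime_verify "$WORK/msg.signed" "$WORK/verified.txt" "$WORK/alice.crt" || return 1
  same_text "$WORK/verified.txt" "$WORK/msg.txt" || return 1
  sed 's/58,000/85,000/' "$WORK/msg.signed" > "$WORK/tampered.signed"
  smime_verify "$WORK/tampered.signed" "$WORK/x2.txt" "$WORK/alice.crt" && return 1
  smime_sign "$WORK/msg.txt" "$WORK/bob.signed" "$WORK/bob.crt" "$WORK/bob.key" || return 1
  smime_verify "$WORK/bob.signed" "$WORK/x3.txt" "$WORK/alice.crt" && return 1
  return 0
}

setup_demo
check_confidentiality
check_authenticity
echo "S/MIME checks passed"
```

The `grep` on the Subject line is the point to remember when deciding what goes into a subject: S/MIME encrypts the MIME body, never the RFC 5322 headers, so a message titled with a patient's name is still a disclosure even when the body is ciphertext. The failed decrypt with Alice's key is the same outcome a mail administrator or provider would get from a stored copy.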