How does the GDPR affect email?

The GDPR requires organizations to protect personal data in all its forms. It also changes the rules of consent and strengthens people’s privacy rights. In this article, we’ll explain how to ensure GDPR email compliance.

Email users send over 122 work-related emails per day on average, and that number is expected to rise. While we may not think of email as subject to the European Union’s General Data Protection Regulation (GDPR), your mailbox in fact contains a trove of personal data. From names and email addresses to attachments and conversations about people, all could be covered by the GDPR’s strict new requirements on data protection.

Any organization (companies, charities, even micro-enterprises) that handles the personal information of EU citizens or residents is subject to the GDPR. That includes organizations not in the EU but that offer goods or services to people there. The requirements basically boil down to two things: secure people’s data, and make it easy for people to exercise control over their data. (Our “What is the GDPR?” article provides an overview.) Those who don’t follow the rules can get hit with a fine of €20 million or 4 percent of global revenue, whichever is higher, plus compensation for damages.

While most of the focus regarding GDPR email requirements has centered around email marketing and spam, there are other aspects, such as email encryption and email safety, that are equally important for GDPR compliance. Below we’ll explain what the GDPR actually says and what it means for email.

Keep in mind that nothing you read here is a good substitute for legal advice. We recommend consulting with an attorney to understand how the GDPR applies to your specific situation.

GDPR encryption and security

What the GDPR says:

If you collect, store, or use the data of people in the EU, then the GDPR applies to you. And that means you may have an obligation to change the way your organization operates in some fundamental ways.

The GDPR requires “data protection by design and by default,” meaning organizations must always consider the data protection implications of any new or existing products or services. Article 5 of the GDPR lists the principles of data protection you must adhere to, including the adoption of appropriate technical measures to secure data. Encryption and pseudonymization are cited in the law as examples of technical measures you can use to minimize the potential damage in the event of a data breach.

What it means for email:

When it comes to email, encryption is the most feasible option. As little as five years ago, that would not have been true. But email encryption technology has developed rapidly, and several companies now offer end-to-end encrypted email service. Cloud-based, secure email is now a convenient and practical option. (Disclosure: GDPR.eu is run by Proton Mail, the world’s largest encrypted email service, and funded in part by the European Union’s Horizon 2020 Framework Programme.)

While encryption is not required, it is up to every organization to develop a rationale for the data security practices it adopts as most appropriate to the risk.

Email retention under GDPR

What the GDPR says:

Data erasure is a large part of the GDPR. It is one of the six data protection principles: Article 5(e) states that personal data can be stored for “no longer than is necessary for the purposes for which the personal data are processed.” Data erasure is also one of the personal rights protected by the GDPR in Article 17, the famous “right to be forgotten”: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” There are some exceptions to this latter requirement, such as the public interest. But generally speaking, you have an obligation to erase personal data you no longer need.

What it means for email:

Many of us never delete emails. There are plenty of good reasons: We may need to refer to them someday as a record of our activities or even for possible litigation. But the more data you keep, the greater your liability if there’s a data breach. Moreover, the erasure of unneeded personal data is now required under European law. Because of the GDPR, you should periodically review your organization’s email retention policy with the goal of reducing the amount of data your employees store in their mailboxes. The regulation requires you to be able to show that you have a policy in place that balances your legitimate business interests against your data protection obligations under the GDPR.

From a technical standpoint, email data erasure can be quite simple and often it can be automated. Proton Mail and some other email services have an expiring email option that allows you to set messages for deletion after a designated length of time. Whatever email retention strategy your organization decides, it’s going to require some getting used to but will significantly lower your GDPR exposure.
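One way to automate the retention review described above, as an added example that is not code from GDPR.eu or Proton Mail: a small Python script that reads RFC 5322 messages, works out each message's age from its Date header, and sorts messages into erase, retain, hold (exempt from erasure, e.g. for litigation) and review (no usable date, so a person must decide rather than the script silently keeping or deleting it). The two-year retention period, the legal-hold list and the sample messages are all constructed assumptions; a real deployment would apply the same decisions through the mail server's or provider's own API.

```python
"""Classify mailbox messages against a retention policy.

Added example, not part of the GDPR.eu article or any Proton Mail tool.
Assumptions (constructed for the demo): a 730-day retention period, one
message under legal hold, and a fixed "as of" date so the run is repeatable.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

RETENTION_DAYS = 730  # assumed policy: keep mail for two years, then erase
AS_OF = datetime(2022, 1, 1, tzinfo=timezone.utc)  # fixed review date for the demo
LEGAL_HOLD = frozenset({"<e5@example.com>"})  # assumed: exempt from erasure

# Constructed sample mailbox: headers only, bodies trimmed to a placeholder.
SAMPLE_MESSAGES = [
    "Message-ID: <a1@example.com>\r\nDate: Mon, 02 Jan 2017 10:00:00 +0000\r\n"
    "From: alice@example.com\r\nSubject: Old project notes\r\n\r\n(body)",
    "Message-ID: <b2@example.com>\r\nDate: Tue, 03 Mar 2020 09:30:00 +0100\r\n"
    "From: bob@example.com\r\nSubject: Contract draft\r\n\r\n(body)",
    "Message-ID: <c3@example.com>\r\nDate: Wed, 01 Dec 2021 08:00:00 -0000\r\n"
    "From: carol@example.com\r\nSubject: Recent ticket\r\n\r\n(body)",
    "Message-ID: <d4@example.com>\r\nFrom: dave@example.com\r\n"
    "Subject: No date header\r\n\r\n(body)",
    "Message-ID: <e5@example.com>\r\nDate: Fri, 05 Feb 2016 12:00:00 +0000\r\n"
    "From: erin@example.com\r\nSubject: Dispute correspondence\r\n\r\n(body)",
]


def message_sent_at(msg):
    """Return the Date header as an aware UTC datetime, or None if absent or unparsable."""
    raw = msg.get("Date")
    if raw is None:
        return None
    try:
        sent = parsedate_to_datetime(raw)
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:  # "-0000" means the zone is unknown; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return sent.astimezone(timezone.utc)


def classify(msg, now, retention_days, legal_hold_ids):
    """Decide what the policy does with one parsed message."""
    msg_id = msg.get("Message-ID", "").strip()
    if msg_id in legal_hold_ids:
        return "hold"  # legitimate interest (e.g. litigation) overrides erasure
    sent = message_sent_at(msg)
    if sent is None:
        return "review"  # never erase or keep on a guess; a human decides
    if now - sent > timedelta(days=retention_days):
        return "erase"
    return "retain"


def apply_policy(raw_messages, now, retention_days=RETENTION_DAYS,
                 legal_hold_ids=frozenset()):
    """Return Message-IDs grouped by decision, in mailbox order."""
    buckets = {"erase": [], "retain": [], "hold": [], "review": []}
    for raw in raw_messages:
        msg = message_from_string(raw)
        decision = classify(msg, now, retention_days, legal_hold_ids)
        buckets[decision].append(msg.get("Message-ID", "").strip())
    return buckets


def run_demo():
    """Apply the assumed policy to the constructed mailbox."""
    return apply_policy(SAMPLE_MESSAGES, AS_OF, legal_hold_ids=LEGAL_HOLD)


if __name__ == "__main__":
    for decision, ids in run_demo().items():
        print(f"{decision:>7}: {', '.join(ids) or '-'}")
```

The "review" bucket is the part worth copying: a message with a missing or malformed Date header is the case where an automated purge most often goes wrong, and routing it to a person keeps the policy defensible under the accountability requirement the section describes.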

Email marketing and spam

What the GDPR says:

Among the other data protection principles in Article 5 are “lawfulness, fairness, and transparency.” This means you can only use people’s data if it’s allowed under one of six legal justifications, it must be fair to the data subject, and it must be based on transparent and unambiguous communication with the data subject. (The “data subject,” by the way, is the identifiable person the data is about.)

There are six “lawful bases” for you to “process” (collect, store, use, etc.) people’s data. These are listed in Article 6. The first is consent, which must be obtained unambiguously and after a full explanation of what you plan to do with the data. Specifically: