How to send sensitive data in a GDPR-compliant manner

In many companies, hundreds of e-mails are sent every day, and not always in compliance with data protection regulations. Here is when email encryption is mandatory and what you need to look out for.

Since the General Data Protection Regulation (GDPR) came into force, particular care must be taken when handling sensitive data. E-mail communication is no exception.

Encrypting certain emails has long been mandatory, however: the Federal Data Protection Act, the predecessor of the GDPR, already required companies to do so. Yet according to a study by Deutschland sicher im Netz (DsiN), only 16 percent of the companies surveyed in Germany did so in 2016. But when is it necessary to encrypt an e-mail?

When do you need to encrypt emails?

Basically, it works like postal mail: you don't print a salary statement on a postcard. Information that you don't want others to read goes in a letter with an envelope, in other words, virtually encrypted.

According to the GDPR, employees don't have to encrypt every email they send during working hours. "Only emails with particularly sensitive data must be encrypted. This applies to personnel data and business secrets," says Nabil Alsabah from the digital association Bitkom. According to Article 9, Paragraph 1 GDPR, this also includes other personal data, such as:

  • sexual orientation,
  • biometric data,
  • ethnic origin,
  • political opinion,
  • religious beliefs,
  • or information about the health of an employee or customer.

If such unencrypted e-mails fall into the wrong hands and sensitive data is published, this not only damages the company's image, but can also result in heavy fines.

Do employees have to encrypt internal mails?

Alsabah: "It always depends on a company's IT infrastructure. And endpoint security settings also play a role." Are PCs equipped with anti-virus protection? Are emails sent over a secure connection?

If an e-mail box or PC is freely accessible and not password-protected, employees must also take special care not to send sensitive data. This also applies to messages sent automatically, such as pay slips. You should always keep in mind:

Outsiders involved in email transmission can get at internal data if you don't protect it adequately. This includes your e-mail provider.

How to encrypt e-mails?

Common e-mail programs usually have a function for encrypting e-mails. The most common way to encrypt e-mails is content encryption. The sender, recipient and subject of the message remain unencrypted. Only the content becomes unreadable to outsiders, because normal text is transformed into an unintelligible sequence of characters. After the email arrives, the recipient's program automatically decrypts it, and it is then readable.
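The following check is an added example, not part of the original article: it parses a message the way an outbound mail gateway could, reports whether the body is content-encrypted, and lists the headers that stay readable in transit. It goes slightly beyond the text by naming the two standardized formats (PGP/MIME and S/MIME); the addresses, sample messages and function names are constructed for illustration.

```python
# Added example: which parts of a content-encrypted e-mail stay readable in transit.
from email import message_from_string
from email.message import Message

# Constructed sample: a PGP/MIME message (RFC 3156); the body is a placeholder.
ENCRYPTED = """\
From: hr@example.com
To: mueller@example.com
Subject: Salary statement March
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Constructed sample: the same mail sent without encryption.
PLAIN = "From: hr@example.com\nTo: mueller@example.com\nSubject: Salary statement March\n\nGross salary: (constructed)\n"
ARMOR = "-----BEGIN PGP MESSAGE-----"


def encryption_kind(msg: Message) -> str:
    """Return 'pgp-mime', 'smime', 'pgp-inline' or 'none' for a parsed message."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return "pgp-mime"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # S/MIME uses the same type for signed-only data, so check smime-type.
        return "smime" if msg.get_param("smime-type") == "enveloped-data" else "none"
    for part in msg.walk():
        if part.get_content_maintype() == "text" and ARMOR in part.get_payload():
            return "pgp-inline"
    return "none"


def audit(raw: str) -> dict:
    """Report the encryption format and the headers any relay can still read."""
    msg = message_from_string(raw)
    visible = {h: msg[h] for h in ("From", "To", "Subject") if msg[h]}
    return {"encryption": encryption_kind(msg), "cleartext_headers": visible}
```

For the encrypted sample, `audit(ENCRYPTED)` still returns the subject "Salary statement March" among the cleartext headers, which is why sensitive details do not belong in the subject line even when the body is encrypted.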

Caution: Once a message has been decrypted, mail programs archive it unencrypted. Other users with your password could then access it. Alsabah warns, "Just because you encrypt the emails doesn't mean strangers wouldn't have access to them if they stole the hard drive, for example."

Here's how it works:

Mr. Müller uses his e-mail program to create a code, a so-called "key", and shares it with all the people from whom he expects encrypted e-mails. He does not have to keep this code secret. According to Alsabah, the public key may even be in Mr. Müller's e-mail signature, so that anyone can send him encrypted messages.

The second, private key is created automatically by Mr. Müller's e-mail program. Only his program has this key; it is not passed on. If someone now writes an e-mail to Mr. Müller using the public key, the text is sent in unreadable form. As soon as Mr. Müller receives the message, his e-mail program decrypts it using the private key. "The underlying mathematical procedures guarantee that protected messages can thus only be deciphered with the private key," Alsabah says.

So if you want to send an encrypted e-mail, you need to know the recipient's public key.

What good are pre-installed programs from the e-mail provider?

The good news is that you don't have to buy an expensive program to securely encrypt email. "Depending on the encryption method, email programs support encryption features out of the box or after installing a plug-in," Alsabah says. It doesn't matter which program you use. "Common encryption methods are standardized. That means there should be no qualitative differences in encryption between different programs."

With email providers like Outlook, GMX and Gmail, you can install free add-ons to create public keys and receive encrypted emails.

Do anti-virus programs work with encrypted emails?

Yes. Since your e-mail program automatically decrypts the e-mails, an anti-virus program (if one is installed) then checks the decrypted message.

What should you do now?

First, you should check with your email provider and find out how to use it to encrypt your messages. Of course, the data protection officer can do that, too. Then use your e-mail program to create a public and a private key. You share the public key with your contacts. You can also link the public key file in your mail signature.

Don't forget to explain to your employees exactly which emails they need to send encrypted and how this works.

Copyright 2021 Suisse Key All Rights Reserved.