Why Secure Email
Sending traditional email has the confidentiality of a postcard.
The ICO (www.ico.org.uk) talks at length about email encryption and why it should be used. We know from experience that many organisations send a great deal of sensitive information about staff, contracts, mergers and intellectual property by email. Often this email is sent from online services such as Microsoft 365 and is stored in clear text in the cloud. It is therefore unprotected while it sits in your cloud mailbox, and because most cloud services do not alert you to access attempts by default, unless you enable and actually review their mailbox audit and sign-in logs you may never know that someone has got into your mail store.
Email is also a vehicle for data to be exfiltrated from the organisation, either deliberately or by mistake. Worse still, you could breach compliance obligations by sending information such as credit card numbers, banking details or PII by email.
Although encryption is mentioned only four times in the Regulation, it is a significant aspect of information flow: GDPR specifically identifies ‘encryption’ as a potential and appropriate technical measure to ensure the security of personal data, for example in Recital 83.
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
GDPR is not prescriptive: it defines neither what is meant by encryption nor how it should be implemented. At the most basic level, securing the transmission of data between your organisation and the recipient’s organisation is the baseline.
Transport Layer Security (TLS)
The Digital Pathways encryption Gateway supports Transport Layer Security (TLS) as standard when email is sent between organisations or individuals. When a user sends a secure email to an organisation, the gateway first checks whether the recipient is also using the solution. If so, the email content is encrypted, the point-to-point transmission is encrypted and the mail is delivered. If the recipient is not using the system, the email is still encrypted but is delivered as secure webmail: the recipient is offered a link, asked to sign in to the service and then granted access to the email. Thereafter they receive email directly without having to visit the online portal.
Whilst ‘encrypting’ the transmission channel is a laudable first step, it protects the message only between hops. SMTP TLS between mail servers is normally opportunistic (STARTTLS) and falls back to clear text unless the sender enforces it with a mechanism such as MTA-STS or DANE, and even when every hop is encrypted the content is readable at each mail server that handles it and in the mailbox where it is stored. True encryption of the content is the natural progression, and one that GDPR again references specifically, around the mitigation of breach notification requirements.
Article 34 states that a breach notification to individuals is mandatory where the breach is likely to “result in a high risk to the rights and freedoms of natural persons”. However, if you can show that you have protected the personal data adequately, the impact of a breach can be minimised and the potential obligations reduced:
“…the controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”
Digital Pathways Secure Email
Digital Pathways offers a cost-effective solution for secure email which is easily deployed and simple to use.
Digital Pathways Secure Email is available for many platforms and scales to meet any organisation’s needs.