Recently, we’ve been asked by a few people if Paubox is compliant with GDPR, so we put together this post to clarify a few points.
If you’ve been following the headlines, then you may have heard about something called GDPR – possibly the biggest change to European data privacy and security in years.
On May 25, 2018, the European Union (EU) General Data Protection Regulation (GDPR) will take effect and any company processes the personal data of an individual residing in the EU when data is accessed must comply with GDPR.
So what does that mean for US based companies, data security, and email encryption?
GDPR impact on US based businesses
As a US based company, if you pursue business in the EU, or actively engage in tracking and collecting information about EU residents online – then GDPR applies to you.
If your US based business processes personal data of EU residents (even if no financial transaction has taken place), then GDPR likely will apply to your company. This applies even if you have no physical presence in the EU.
Is email encryption required to be compliant with GDPR?
If your organization does need to comply with GDPR, then it will be time to re-look at your email security to make sure it’s updated.
Personal data under GDPR includes email addresses and phone numbers – things very commonly used for marketing and client communications. The biggest thing for organizations will be getting clear and explicit consent from individuals to obtain and use their email.
Once a company has that data, they need to have established security measures in place to protect that data.
GDPR does NOT require the use of email encryption, in fact the word “encryption” only appears four times in the policy.
But it does state that organizations should implement appropriate technical measures to insure a level of security appropriate to the risk.
This can be interpreted to mean that email encryption should be implemented where possible when sending any personal data as defined by GDPR.
For example – while a customer may consent to be sent email marketing newsletters – the protection of their data housed in servers should be secure. If for some reason data needs to be exported and emailed to a consultant or even internally, then it’s appropriate that the email be encrypted and protected in transit.
While GDPR doesn’t explicitly state email encryption is mandatory – it’s important to assess how your organization is using personal data and implement the appropriate security measures.
Paubox can help keep emails secure and encrypted in transit without the hassle of portals, keeping the personal data you’re sending safe and secure. Click here to learn more and start a free 14-day trial.