GDPR & Email: Retention, Security, Marketing & More
With 50 major fines (and counting!) issued since May 2018 for a grand total of €371,569,143, the seriousness of the General Data Protection Regulation (GDPR) cannot be overstated. In order to avoid steep fines and other civil penalties as a result of GDPR non-compliance, organizations around the world need to be more mindful of how they handle, process and store data — including email.
What is GDPR?
Implemented on May 25, 2018, GDPR is a European Union (EU) regulation designed to protect the personal data of citizens of the EU and the greater European Economic Area and to enable citizens to exert more control over how their data is used.
According to Article 4 of GDPR, personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’).” A natural person, for that matter, is anyone “who can be identified, directly or indirectly, in particular by reference to an identifier,” such as a name, location name or identification number.
GDPR was created to replace the Data Protection Directive, which the European Parliament enacted in 1995. Although the Data Protection Directive was advanced for its time, it was insufficient for the digital age and did not adequately address how data is stored, collected and transferred. Additionally, the Data Protection Directive was not consistently applied to and adopted by all 28 members of the EU; instead, each country was free to adapt the law to suit the needs of its citizens. GDPR rectifies this by using more updated language, implementing a stronger framework and requiring universal compliance with its provisions.
It’s important to note that even if your organization isn’t based in the EU, if you have any customers or business partners that are, you’re still subject to GDPR. Keep reading to learn what that means for your emails.
How Does GDPR Affect Email?
Although GDPR does not include any specific language pertaining to email, email is one of the most common ways personal data is handled, meaning it is absolutely subject to GDPR provisions and compliance. The average employee sends and receives around 126 business emails per day, which adds up to a lot of data, including personal data, going back and forth, so it’s vital that you implement company-wide email policies to ensure compliance.
GDPR & Email Retention
One thing that frequently comes up with GDPR is the concept of processing personal data. In this context, processing refers to a “wide range of operations performed on personal data,” including collection, alteration and, of course, storage.
Article 5(1)(e) of GDPR states specifically that personal data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Emphasis here on “no longer than necessary” — it’s a good idea to get in the habit of erasing personal data when your organization no longer has a need for it.
As far as email is concerned, this can be easier said than done. Employees might not know what constitutes personal data or might simply forget to delete emails containing personal data; in either case, this leaves your company vulnerable to GDPR non-compliance or worse, should you experience a data breach. Additionally, certain emails might need to be saved in order to create an audit trail or so that they can be reproduced in the event of an eDiscovery request or pending litigation.
For the former, be sure to create strong GDPR email retention policies for your organization and ensure that your employees faithfully observe them. For the latter, it’s best practice to invest in an email archiving platform so that you can safely store business-critical emails for longer periods of time. (More on GDPR and email security momentarily).
Another thing to keep in mind with GDPR and email retention is the right to be forgotten, which refers to a data subject’s “right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” There are any number of situations in which a data subject has the right to be forgotten (for a full list, please refer to Article 17). Failure to erase a data subject’s personal data without “undue delay” following such a request could land your organization in hot water.
Finally, there’s the actual matter of erasure. As with all things related to GDPR, the process of erasing personal data is also strictly regulated. In order to remain compliant, when disposing of data, you must either delete or anonymize it. The former is fairly straightforward: To delete data, you must completely erase all physical and digital copies of it. This can be easier said than done with digital data, so be diligent about going through old files and archives to eliminate every trace of it.
Anonymization, by comparison, is slightly more confusing. Anonymized data refers to “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” Seems simple enough to understand, right? The challenge here is that many organizations mistakenly conflate anonymization with pseudonymization — that is, “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” Use the wrong one, and you’re at risk of non-compliance.
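As an added example (not from the original article, and not any product’s code), the constructed Python below contrasts the two on sample email metadata: the pseudonymized records can still be re-linked by anyone holding the key, while the anonymized records cannot, and a final check flags records that would still single someone out. Everything in it, including the sample senders and the key, is made up.

```python
import hashlib
import hmac

# Constructed sample email metadata (fictitious people), as an archive might index it.
RECORDS = [
    {"sender": "anna.berg@example.org", "date": "2019-03-02", "subject": "Invoice 4471"},
    {"sender": "omar.khan@example.org", "date": "2019-03-09", "subject": "Invoice 4488"},
]


def pseudonymize(records, key: bytes):
    """Replace the sender with a keyed HMAC tag. The key is the 'additional
    information' of Article 4(5): whoever holds it can re-link tag to address,
    so the output is still personal data and still subject to retention limits."""
    out = []
    for r in records:
        tag = hmac.new(key, r["sender"].encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**r, "sender": "pseud:" + tag})
    return out


def relink(pseudonymized, candidate_address: str, key: bytes):
    """Re-identification check: test a suspected address against every tag.
    A non-empty result proves the data set is only pseudonymized, not anonymized."""
    tag = hmac.new(key, candidate_address.encode(), hashlib.sha256).hexdigest()[:16]
    return [r for r in pseudonymized if r["sender"] == "pseud:" + tag]


def anonymize(records):
    """Drop the direct identifier and the free-text subject, and generalize
    what remains (domain only, year only) so nothing points back to one person."""
    return [
        {"sender_domain": r["sender"].split("@", 1)[1], "year": r["date"][:4]}
        for r in records
    ]


def singles_out(anonymized):
    """True if any record is unique in the set, i.e. it could still single
    someone out; anonymization is only as good as this check over the whole set."""
    counts = {}
    for r in anonymized:
        key = tuple(sorted(r.items()))
        counts[key] = counts.get(key, 0) + 1
    return any(c == 1 for c in counts.values())
```

Note that a single anonymized record in a tiny set is still unique, which is why the check runs over the whole data set rather than per record.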
In order to protect your organization, it’s best practice to include specific instructions on how employees are to dispose of data in your GDPR email retention policy.
GDPR & Email Security
Let’s revisit Article 5 of GDPR, with particular attention to Article 5(1)(f), which states that personal data shall be:
“… processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
This emphasis on data protection is reinforced in Articles 25 and 34, which address data protection by design and by default and communication of a personal data breach to the data subject, respectively. Ultimately, what all of this means is that, under GDPR, organizations are expected to do everything within their power to safeguard personal data, to promptly notify subjects in the event of a breach and to take measures to minimize any damage caused by a breach.
Email is a popular but especially vulnerable form of communication. According to one survey, 94% of organizations stated that email is their top security vulnerability. In order to protect your customers’ personal data from falling into the wrong hands — and to avoid non-compliance — it’s important to implement strong data security policies within your organization and to invest in a secure email service. Gain much-needed peace of mind by looking for a provider that offers email encryption (especially end-to-end encryption) and two-factor authentication and that observes strict privacy laws.
GDPR & Email Marketing
Email marketing: For many organizations, it’s a means to an end and a necessary evil. But is it technically GDPR-compliant?
Despite concern from some sources that GDPR would be the “death of email marketing,” that couldn’t be further from the case. What GDPR did do was change the way organizations approach email marketing in order to ensure that, per Article 5, all personal data is “processed lawfully, fairly and in a transparent manner.” Article 6 expands on this, clarifying what it means to lawfully process data, and states that processing is only lawful if:
- The data subject has given their consent
- Processing is necessary for the performance of a contract to which the data subject is party
- Processing is necessary for compliance with a legal obligation to which the controller is subject
- Processing is necessary to protect the vital interests of the data subject
- Processing is necessary for the performance of a task carried out in the public interest
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party
As far as email marketing is concerned, the first item on this list, “the data subject has given their consent,” is the most important. Email marketing is completely kosher under GDPR so long as you clearly present your customers with the option to opt into and, per Article 13, out of email marketing campaigns. The only ways you risk running into trouble are if you send your customers marketing emails that they didn’t sign up for or if you don’t give them the option to unsubscribe.
GDPR & Email Archiving
We touched upon it briefly under “GDPR & Email Retention,” but let’s circle back around to GDPR and email archiving. An email archiving solution is essential to any successful GDPR compliance strategy because it provides you with a centralized, secure location to store and catalog all emails, including those that contain personal data.
From end-to-end encryption to custom role-based permissions, many archiving platforms include a wide range of security features designed to create a tamper-proof, GDPR-compliant record of email correspondence. Certain solutions even offer advanced search capabilities so that, should you need to dispose of personal data for any reason, you can easily locate the exact files you’re looking for.
If you’re looking for an email archiving solution for GDPR compliance, why not give Intradyn a try? Our Email Archiving Solution offers robust security, advanced search and a number of other features and functionalities designed not only for GDPR compliance, but also compliance with other major regulations and legislation. Or, if you need more than just email archiving, check out our All-in-One Archiving Solution, which also offers social media and SMS/text message archiving.
Find out what Intradyn can do for you today — contact us to get started.