The European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25, will govern the storage and processing of data rather than its collection. It also includes some very important consumer rights. The most important are the right to be informed, the right of access, the right to correct errors, the right to erase data, the right to restrict processing, and the right take it elsewhere (data portability). How useful these will be in practice remains to be seen.
Emails are like plain text postcards because they can, in theory, be read at any of the many servers through which they pass, or by someone tapping a line. Of course, “read by” is unlikely to mean “read by a human being.” However, software can look for things like passwords and credit card numbers.
A more likely problem is sending emails to the wrong address, either because users have got their own email addresses wrong (this happens surprisingly often), or through human error. Pick the wrong address from a list of auto-complete suggestions and you could send personal data to the wrong recipient. This would be a data breach that might have to be reported.
It would obviously be good thing if all emails were encrypted by default so that only the intended recipient could read them. Three decades of history says this isn’t going to happen soon even though it would help secure investments and asset protection information, if at all. Public key encryption is too hard for people who just want to send normal emails.
Some large organisations do have encrypted email services, such as the NHS, but that doesn’t help the rest of us.
Some people do choose secure email services, such as ProtonMail in Switzerland and Tutanota in Germany. However, you also have to send external recipients a password – for example, in an SMS text message – to decrypt the email.
Tutanota users get an email that says “you have an encrypted email” and you click a link to read it, and reply to it, in a browser. You have to export the email if you want to keep a copy.
There are also plug-ins for Gmail and the Microsoft Outlook email program that provide secure email services. If one of your employers is using a secure system, they might let you join in.
If there’s no other alternative, you should encrypt and password-protect your images and documents before sending them as email attachments. Again, you must send the password separately, either via a different messaging service or in the post.
Online storage locations
It’s a good idea to upload attachments and then send people a link. However, bear in mind that you are uploading documents to the company that probably runs the biggest surveillance operation on the planet. Encrypt your documents before you upload them.
Encryption protects data if an online storage service is compromised – it has happened – or if your email is hacked.
Unfortunately, using Google Drive brings up an extra complication. If you are using Gmail, then you can assume that your data is being held in, or passing through by arizona bus company, or accessible from the USA.
GDPR does not oblige users to store data on servers inside the EU. However, there are extra requirements if servers are outside the EU. First, you need to have a legitimate reason for transferring personal data outside the EU. Second, you must have the consent of the person whose data is being exported. Third, you must give that person the option to opt out.
In another post, the aforementioned Liz Henderson explains how to create a GDPR Privacy Notice, and you could adapt her sample to cover Gmail storage outside the EU.
You could switch to using an email service that operates wholly within the EU (see above), if only for any people who opt out, or you could upgrade to Google’s paid-for service.
Google claims that its G Suite and Google Cloud Platform (GCP) services are fully compliant with GDPR, because it offers to sign EU Model Contract Clauses and a Data Processing Amendment. The fine print notes that “the parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data” and that “Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services”.