Is Email Encryption a Requirement in the Wake of GDPR?
Noah Webster

GDPR is a regulatory framework rather than a strict set of laws. Each country in the European Union is free to interpret that framework when writing its own specific laws. Consequently, the exact rules around data protection and privacy will be a little (or a lot) different all across Europe.
Denmark is a good example. Beginning in 2019, any business with customers or partners in Denmark must encrypt all emails containing sensitive personal data. GDPR itself identifies encryption as an appropriate measure to take but does not require it.
For companies that interact with customers or partners in Denmark and throughout Europe, the question is whether to maintain varying policies or to go the extra mile and apply the same privacy measures everywhere, even where those safeguards aren’t required. Businesses scrambled to get compliant in the run-up to GDPR. Unfortunately, the goal line keeps moving. As governments at all levels begin to tackle the major issues of data protection and privacy, new laws will hit the books, and their detailed requirements may differ considerably from one another.

Strictest Requirement v. Risk-Assessment Approach

Compliance will become more difficult to manage, particularly when various mandates conflict with or contradict one another. Worse, new regulations levy hefty fines for noncompliance, meaning compliance is getting costlier and more complex at the same time. Even companies with the resources to manage international compliance might find the effort overwhelming.
The relatively simple approach may be to consider the strictest laws as the international standards. For instance, companies could implement a universal policy to encrypt emails that include sensitive information, and by having the most rigorous protections in place early, companies become broadly compliant with any present or future regulations. Essentially, complexity and confusion are replaced by certainty and confidence.
Adopting the strictest interpretation isn’t necessarily feasible for all businesses, however. If the cost of compliance is markedly higher than the revenue a company receives from its business in Denmark, it may make sense — at least in the short term — to pull out of the country and pause doing business there.
The majority of companies, after all, are small- and medium-size businesses (SMBs) that have more limited resources and should focus their efforts on priorities that have the greatest impact. Even the large enterprises often have to balance the costs of security and privacy with the overall business strategy. Refining a security program to accommodate the strictest requirement should not be considered a mandatory blanket approach — at least not yet.
The litmus test should be based on core principles. Even with different rules, a few core principles — like consent, anonymization, and encryption — are common under various privacy laws. Where the strictest requirement approach lines up with a core principle, there is a stronger case for instituting the approach (rather than pulling out of a given country or pursuing some other action that seeks to avoid the requirement). The cost and effort would likely pay dividends across a company’s entire program, with greater freedom to operate and better preparation for other laws that may come later.

A Comprehensive Approach With Zix

Regulators are increasingly requiring encryption because it serves as a last line of defense. It ensures that data remains inaccessible and incomprehensible even if it’s stolen, much like cash locked in a safe: even someone who gains unauthorized access to the safe still can’t open it without the key. Because encryption serves as a last line of defense, it’s considered a crucial component of any cybersecurity strategy.
GDPR does not mandate the use of encryption, but encryption is named as an appropriate safeguard in this and other regulations. Instead of pursuing a patchwork approach to cybersecurity and regulatory compliance, encryption allows companies to meet varied legal obligations with one solution.
ZixEncrypt is part of our superior suite of email security solutions. It makes email encryption automatic and compliance consistent. Using policy-based filters, ZixEncrypt secures emails that contain sensitive or regulated information — not just with GDPR but with many regulations, such as HIPAA.
Ease of use is one of the advantages that sets our solution apart from others. Zix aims to make compliance and encryption simple and straightforward. That is why encryption is automatically applied to emails that need it. Users don’t have to worry about sensitive information being sent out unprotected with Zix. Equally important, ZixEncrypt delivers secure emails in the most convenient method for recipients, making email encryption seamless and preventing users from working around the security measures in place.
Non-compliance is becoming one of the biggest risks today’s companies face. By addressing it with a stricter or risk-assessment approach, companies not only have an easier path to satisfy regulations, but they also can proactively protect their customers, proprietary data, and bottom lines.