Wednesday 12 February 2020

Risks and Countermeasures of Sending Personal Data by Email - What Are They?


Sending personal data via traditional email is insecure since any data travelling over the internet unencrypted can be intercepted or hacked.

Should such a scenario occur, that sensitive information can automatically be taken and a breach is imminent. With GDPR now a major part of data security, there are regulations around the safety of sending personal data via email.


  1. What measures can be taken and what does this mean for business data breach?
  2. How can one adequately secure the communication of personal data?


GDPR does not provide specific measures for sending personal data via email, to avoid regular updates to the regulation, the law or countermeasure implementations.
Primarily of interest is an area of section 32 which states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

These measures include, inter alia, as appropriate:

  • (a) the pseudonymisation and encryption of personal data;
  • (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;


Technical measures are left to the discretion and responsibility of the data processor of the personal data.

Sending an email to one person with data for just that one person has a different bearing from sending bulk data covering multiple persons. In the latter case, more protection is required. Where it is impracticable to use alternative means for sending large amounts of personal data, a Data Protection Impact Assessment may be required to mitigate against pending risks.

So what options are available as countermeasures for sending personal data via email?


  • Use a secure portal.
  • Enclose the data in an encrypted .ZIP file


Using a secure portal.

Use a portal that requires users to log in securely, thereby reducing the risk of data being intercepted by an intermediary.

Enclose the data in an encrypted .ZIP file

This approach involves enclosing the data within a password-protected zip file and emailing it to the recipient. Ensure the password is sent via a different communication medium such as a messaging system (WhatsApp, SMS or phone call).
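A pre-send check for the encrypted .ZIP approach, as an added example that is not part of the original post: it reads the archive's entry metadata and reports which files are unencrypted, protected with the legacy ZipCrypto scheme (which has known weaknesses), or AES-encrypted. The function names, the "AES only" sending policy and the sample archives are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1   # general-purpose flag bit 0: entry is encrypted
AES_METHOD = 99        # method value written by WinZip-style AES encryption


def audit_zip(data: bytes) -> dict:
    """Sort every file entry by how (or whether) it is encrypted.

    Only the central directory is read, so no password is needed. That also
    shows that entry names stay readable in a password-protected ZIP.
    """
    report = {"unencrypted": [], "legacy_zipcrypto": [], "aes": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & ENCRYPTED_FLAG:
                report["unencrypted"].append(info.filename)
            elif info.compress_type == AES_METHOD:
                report["aes"].append(info.filename)
            else:
                report["legacy_zipcrypto"].append(info.filename)
    return report


def safe_to_send(data: bytes) -> bool:
    """Hypothetical policy: at least one entry, and every entry AES-encrypted."""
    r = audit_zip(data)
    return bool(r["aes"]) and not (r["unencrypted"] or r["legacy_zipcrypto"])


def constructed_sample(flags: int, method: int) -> bytes:
    """Constructed fixture: a plain one-file ZIP whose central-directory flag
    and method fields are overwritten to imitate an encrypted archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("customers.csv", "name,email\nA N Other,a@example.com\n")
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02")   # the single central-directory header
    struct.pack_into("<HH", raw, pos + 8, flags, method)
    return bytes(raw)


if __name__ == "__main__":
    for label, args in [("plain", (0, 0)), ("zipcrypto", (1, 8)), ("aes", (1, 99))]:
        sample = constructed_sample(*args)
        print(label, audit_zip(sample), "send:", safe_to_send(sample))
```

Because entry names are visible without the password, the file names inside the archive should not themselves contain personal data.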


Conclusion
There are numerous cyber security threats, and numerous measures that can benefit a business in its effort to protect data access and prevent security breaches. Each solution is different, and the criteria for implementation will require an understanding of existing and future business practices and a threat mitigation approach based on the business needs, threat severity and level of exposure.

What security measures have you put in place as a solution for cyber security risk?
