In 2016, the European Union adopted the most effective data protection mandate in decades, replacing an outdated set of guidelines that was last updated in 1995. Since its entry into force in May 2018, the General Data Protection Regulation ( GDPR ) has caused waves worldwide and companies have tried to understand in recent years what this means, how compliance can be ensured and how it can affect their operations.
The GDPR is currently recognized as a law across the EU and companies wishing to do business there need a thorough understanding of what it entails. The main aim of the regulation is to harmonize data protection laws throughout the region, to protect the data of EU citizens and to transform the approach of data protection to organizations across the region. GDPR advocates describe it as "the most important change in data protection regulations in the past 20 years" and state that "Art and how data is processed in all sectors, from healthcare to banking and beyond.
This description makes GDPR sound terrifyingly extensive - and in many ways it is. This comprehensive approach to data security means that, in contrast to HIPAA or DFARS , which only affect certain industries, GDPR requirements must be met by any organization that operates within the EU and the European Economic Area. The regulation is far-reaching, its scope is massive.
In other respects, the provisions that are enforced under the GDPR are both simple and straightforward. Similar to the other regulations in the USA, which are in force to a lesser extent, the GDPR only requires data protection "inherently and by default" for all IT business processes in which personal data is used. The regulation stipulates that those responsible for the processing of personal data must take "appropriate technical and organizational measures" to ensure the protection of this data - with considerable penalties for violations of the law.
And make no mistake: the penalties are severe. According to the GDPR, the penalties for loss , the change or the unauthorized disclosure of data amounts to up to 4% of the worldwide annual turnover or EUR 20 million - whichever is higher. This is a big change for every company and underlines the importance of compliance with the GDPR rules.
So what does that mean? Last but not least, this means that email encryption is a very, very good idea. Since the GDPR came into force, the encryption of e-mails with confidential personal data has generally been regarded as best practice for business operations. This should come as no surprise. Emails in Europe have the same vulnerabilities as emails in the US. E-mails that are not encrypted can be read by a number of different parties, including the company's IT administrator, Internet service providers, and cloud service e-mail providers. For this reason, sending unencrypted email with personal or confidential information from people under the GDPR is likely illegal.
Don't risk it. Why would you S/MIME certificate technology offers one simple and effective way to encrypt data and thereby authenticate both the sender and the content of an email. Although email certificates are not specifically required in GDPR, S/MIME is the easiest way to ensure that your email communication is still compatible. Emails that are protected by S/MIME remain encrypted from sending to opening so that they cannot be read during transmission. These messages and attachments also remain encrypted while they are stored on mail servers. This adds another layer of security that includes hibernation information.
For companies looking for an easy way to switch their email communications to GDPR compliance, there is no more comprehensive solution than S/MIME. The end-to-end encryption provided by S/MIME offers a simple and user-friendly approach to email security in all industries.