On 26 May 2020, the German Data Protection Authorities (German DPAs) issued guidelines on measures to protect personal data transferred via email (Guidelines; available in Germen here). The Guidelines outline requirements for procedures to send and receive emails that must be met by data controllers, data processors and public email service providers (Email Service Providers) to comply with Art. 5(1)(f), 25 and 32(1) of the General Data Protection Regulation (GDPR).

Sending emails containing personal data

Data controllers and processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the data processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of the data subjects concerned.
Continue Reading Encryption of emails containing personal data – the German supervisory authorities issue guidance

The UK Information Commissioner’s Office (ICO) has released updated guidance on the use of encryption. The guidance highlights that in many areas, the ICO expects encryption software to be used, and in the future where data breaches occur and encryption has not been used, “regulatory action may be pursued”.

Although the term “encryption” is not found in the UK’s Data Protection Act 1998, the requirement to implement the technique for certain types of data is derived from the obligation to implement “appropriate technical and organisational measures” to protect against loss, destruction or damage to personal data. The guidance makes clear that while it is not necessary or possible to encrypt all personal data, organisations must take a risk-based approach to using the technique.
Continue Reading New Encryption Guidance Published by the ICO