From January 1, 2019, the Danish Data Protection Agency will tighten the security requirements for email communication of confidential and sensitive personal data in the private sector. Read on to find out what this means for your business.
GDPR. The four letters cannot have escaped the attention of many. It is, of course, the EU General Data Protection Regulation, which came into force on May 25, 2018.
In late July, the Danish Data Protection Agency, which administers and enforces the General Data Protection Regulation in Denmark, announced stricter practices in the private sector regarding the "transmission of confidential and sensitive personal information by e-mail via the Internet". The announcement was that encryption would be considered an "appropriate security measure" in the future.
Later, the Danish Data Protection Agency clarified the technical requirements for encryption, and a distinction is now made between encryption in the transport layer (TLS) and the more secure end-to-end encryption. The Agency does not, however, say unambiguously when to use which, leaving many companies unsure of what requirements they actually have to meet in the new year.
At IT Forum Group, we are often contacted with questions about encryption. With GDPR, however, there are no quick answers. How encryption should be handled in each individual case is not only a technical question, it is just as much a legal and organizational question. And the starting point is always the data controller's own risk assessment in each case.
In the following, however, we'll give you a solid guide to help you make an informed decision about the need for encryption.
Email encryption - when?
The first question is simple: you need to encrypt your emails when they contain confidential and/or sensitive personal data.
Sensitive personal data is information about:
- Race or ethnic origin
- Political, religious or philosophical beliefs
- Trade union membership
- Genetic and biometric data
- Health and well-being
- Sexual relationships or sexual orientation
Confidential personal data is information about, among other things:
- CPR number
- Criminal offenses
- Other personal information that can reasonably be expected to be kept from public view
The Danish Data Protection Agency writes more about personal data here.
For businesses with some form of patient or client responsibility, there will typically be a lot of confidential and sensitive information to handle on an ongoing basis. For other types of companies, HR and personnel administration is where you need to pay particular attention. This could be information about social security numbers, health or trade union matters in connection with, for example, recruitment, staff development, sick leave agreements, or personnel matters.
Encrypting emails - how?
From January 1, 2019, emails containing confidential and/or sensitive personal data must at least be encrypted at the transport layer using so-called TLS encryption.
TLS (Transport Layer Security) encrypts the connection between the sending mail server and the recipient's mail server, but does not protect the email once it has been delivered to the recipient's mail server. If TLS is set up correctly, this encryption is easy to use in practice. However, you should be aware of technical limitations in certain situations where a TLS connection cannot be guaranteed.
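The situation this paragraph warns about is typically a receiving mail server that does not offer STARTTLS: with opportunistic TLS the message is then sent in plaintext, whereas a mandatory-TLS policy holds it back. The following is an added example, not code from the original article or from IT Forum Group; the EHLO replies are constructed and the host name `mx.example.invalid` is a placeholder.

```python
import ssl
import smtplib
from typing import Optional


def strict_tls_context() -> ssl.SSLContext:
    """Client context a 'correctly set up' sender should use: TLS 1.2 or newer,
    certificate chain verified and hostname checked (defaults of create_default_context)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_ehlo(response: str) -> set[str]:
    """Return the extension keywords (upper-cased) announced in a multi-line EHLO reply."""
    extensions = set()
    for line in response.splitlines()[1:]:          # the first 250 line is the greeting
        if len(line) > 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words:
                extensions.add(words[0].upper())
    return extensions


def delivery_decision(extensions: set[str], mandatory_tls: bool) -> str:
    """Opportunistic TLS falls back to plaintext when STARTTLS is missing;
    mandatory TLS defers the mail instead. Only the latter guarantees encryption."""
    if "STARTTLS" in extensions:
        return "send over TLS"
    return "defer: no STARTTLS offered" if mandatory_tls else "send in PLAINTEXT"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Optional[str]:
    """Live check against a real MX (needs network): the negotiated TLS version,
    or None if STARTTLS is not offered. Raises ssl.SSLError on a bad certificate."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=strict_tls_context())
        smtp.ehlo()                                 # re-EHLO after STARTTLS (RFC 3207)
        return smtp.sock.version()


# Constructed EHLO replies for the offline demonstration; not captured from any real server.
EHLO_WITH_TLS = "250-mx.example.invalid Hello\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_WITHOUT_TLS = "250-mx.example.invalid Hello\r\n250-SIZE 35882577\r\n250 8BITMIME"

if __name__ == "__main__":
    for name, reply in (("tls-capable", EHLO_WITH_TLS), ("no-tls", EHLO_WITHOUT_TLS)):
        caps = parse_ehlo(reply)
        print(f"{name:12} opportunistic -> {delivery_decision(caps, False)}")
        print(f"{name:12} mandatory     -> {delivery_decision(caps, True)}")
```

Run `probe_starttls()` against the MX of a domain you regularly send sensitive mail to; a `None` result is exactly the case where transport encryption cannot be guaranteed and end-to-end encryption or another channel is needed.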
An alternative is end-to-end encryption. This encrypts the message itself so that it can only be read if you have a key to decrypt with. End-to-end encryption is significantly more secure than TLS encryption, but requires administration when exchanging keys. This can be a disadvantage in everyday life.
The Danish Data Protection Agency mentions end-to-end encryption as appropriate in cases of "high risk for the data subjects", i.e. for the individuals to whom the confidential and sensitive personal data relates. When a risk is serious enough to be considered "high" is not elaborated on. However, a simple illustrative example is given: it is a high-risk case "if a controller is required to send health information about a large number of data subjects to a data processor for the purpose of sending letters".
Our assessment is that end-to-end encryption is only necessary in special cases and that TLS encryption is otherwise sufficient - provided it is set up properly.
Read the Danish Data Protection Agency's guidance on transmission of personal data via email here.
Risk assessment and 'appropriate' security measures
The DPA's wording may seem cryptic or vague. This is because the GDPR is based on a risk-based approach. Roughly speaking, this means that the higher the risk of confidential and sensitive personal data falling into the wrong hands, and the greater the harm it could cause to the individuals it relates to, the better the security measures required.
Any processing of sensitive and confidential personal data - including an email containing such information - should therefore start with a risk assessment: what is the risk of, for example, hacking, how many people does it affect and how serious could those consequences be?
Against this identified risk, "appropriate technical and organizational measures" must be implemented. It is worth noting that what is considered appropriate at a given time also depends on the technically possible solutions that exist at that time. The GDPR is therefore dynamic in the sense that it takes into account ongoing technical developments - for example, in encryption.
Which encryption solution should you choose?
There are a few systems that can handle all types of encryption for all types of recipients. However, they are expensive, and as we expect a lot of development in this area, we believe that for many companies it may be beneficial to wait before committing to an expensive total solution and instead look at how the company's current systems can be best utilized.
Several mail systems and firewalls can, with the right setup (and possibly an update or additional license), handle encryption at the transport layer as well as end-to-end encryption, but may need to be combined with a NemID solution if you also exchange confidential and sensitive personal data with public authorities.
The choice of a suitable encryption solution thus also depends on:
- Who you need to communicate securely with via email
- How often you need to communicate securely
- How many employees should be able to handle the procedure
Contact us and get help!
We can't provide legal advice or precise instructions on when and what type of encryption should be used, but based on a review of your current IT setup and email system, we can advise on the different encryption solutions available and put together a solution that best meets your needs for secure communication in the easiest and cheapest way.
Contact us by phone +45 70 100 150 or via our contact form.