I have been fielding a number of requests for information with regards to email “encryption” and "how can we encrypt our emails". Of the 261 pages of GDPR, the word 'Encryption' appears just 4 times as follows
"...implement measures to mitigate those risks, such as encryption." (P51. (83))
"...appropriate safeguards, which may include encryption" (P121 (4.e))
"...including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data." (P160 (1a))
"...unintelligible to any person who is not authorised to access it, such as encryption" (P163 (3a))
Does the term 'may', 'such as' and 'as appropriate' indicate that Encryption is mandated by GDPR, as some are suggesting? I don't believe it does. Do these terms suggest that Encryption is an OPTION and a good idea? Then yes, it does.
Emails are more like plain text postcards because in many cases they can, in theory, be read at any of the many servers through which they pass, or by someone “tapping a line”. Of course, “read by” is unlikely to mean “read by a human being.” However, software can look for things like passwords and credit card numbers, it is rare but it does happen.
A more likely problem is sending emails to the wrong address, either because users have got their own email addresses wrong (this happens surprisingly often), or through human error. Pick the wrong address from a list of auto-complete suggestions and you could send personal data to the wrong recipient. This would be a data breach that might have to be reported.
There are organisations that have encrypted email services, the NHS has nhs.net email accounts and some practices are migrating to Office 365 both of which give you access to encrypted email solutions but that doesn’t help everyone and lots of people want to carry on using their existing email addresses.
Some people do choose external secure email services to send emails using their current email address, often recipients will get an email that says “you have an encrypted email” and you click a link to read it, and reply to it, in a browser. You may have to export the email if you want to keep a copy. Secure email services will also often provide plug-ins for Gmail and the Microsoft Outlook email programs that provide secure email services so that your encrypted email and day to day email are kept in the same environment.
In conclusion there are a number of ways to send protected messages. Most of which require some change in the way that users send messages. Methods such as nhs.net email, Office 365, sending info via password protected documents and zip files (although make sure you use a different medium to give recipients the password, and remember protection and encryption are two very different things) or using a 3rd party encryption add ons such as our Secure Email service all allow you to send protected or encrypted messages.
The way I read GDPR & email encryption is that it says to use appropriate measures for the information you are transmitting, some messages are fine sent your traditional way, some require appropriate levels of encryption and possibly pseudonymisation but there isn’t a one solution fits all answer to email encryption, there certainly isn't one single standard of encryption and you don't need to encrypt every email you send.