
The GDPR: How to send sensitive information by email


Organisations should always be concerned about the security of their email correspondence. After all, everyone has probably been guilty at least once of sending a message to the wrong person or accidentally hitting ‘reply all’.

If you’re lucky, your misdelivered message only revealed some mundane organisational processes and left you feeling embarrassed.

But in many cases, the email will contain sensitive information – either in the body of the text or in an attachment – and this will have much more significant consequences than simply leaving you red-faced.

Depending on the nature of the compromised information, it could have severe financial or logistical effects on your business, pose nasty privacy ramifications for affected data subjects and expose your organisation to disciplinary action under the GDPR (General Data Protection Regulation).

Emails are a security risk

For all the convenience of email, it doesn’t offer much in the way of security. Experts often compare it to posting a letter: you compose a message, provide a delivery address and hand it off to someone to deliver.

This creates a series of risks in addition to the threat that the message is sent to the wrong person.

For example, a cyber criminal might have compromised your account in a phishing scam. With the right access, they could set up a system that would forward a copy of any email you sent to an email address they controlled, enabling them to spy on your messages.

That means that, even though the vast majority of messages you send may be totally innocuous, it only takes one email containing, for example, a list of customer records, for the fraudster to hit the jackpot.

And given that organisations receive almost 1,200 phishing emails each day, this is no small threat.

Similarly, employers should be concerned about misconfigurations on their email platforms. An error on the organisation’s email service could allow a criminal hacker to connect to the email network without authentication and then send emails seemingly as an employee.

They might do this to ask for a copy of a sensitive document, or to defraud the organisation – for example, by requesting that funds be transferred into an account that they control.

The threats posed by email are the reason many organisations still use fax machines. The technology might be incredibly outdated, but it has major information security benefits.

It obviously isn’t viable to use fax machines exclusively – or even to use them whenever you need to transfer sensitive data, not least because everyone you share the information with will also need a fax machine, which is becoming less likely by the year.

However, if you have partners with whom you regularly share legal documents, for example, you might consider faxing this information.

An alternative solution – and one that’s easier to fit into the existing processes of your organisation and partners – is to look at new technologies that can strengthen email security.

Encryption and the Cloud

The GDPR doesn’t recommend specific technologies (which it does to avoid becoming redundant as new systems emerge), but it does make multiple references to encryption. This is the process of locking information so that only approved users can access it.

Organisations that handle large volumes of sensitive data, such as the NHS, often use encrypted email, and some service providers, such as ProtonMail in Switzerland and Tutanota in Germany, offer encryption services.

However, for the majority of businesses, the technology will be unwieldy for email. For a start, the majority of messages don’t contain information that would need to be encrypted, so you’re using a lot of resources unnecessarily.

That’s why the Cloud is, in most cases, a better option. Individuals can upload attachments to an online folder and then send recipients a link. When the information is no longer needed, it can be deleted.

This last step is essential: despite what many people think, the Cloud isn’t an impenetrable fortress that automatically keeps all your information secure. It’s simply a server run by a third party that takes responsibility for keeping it secure.

However, under the GDPR, both your organisation and the service provider would be held to account for a breach, so it’s essential to remove information as soon as possible.

