GDPR email requirements for security and retention
GDPR is not only about how you handle personal data but also about which data you hold and how you store it. For email, that means cleaning up your archive: messages and contacts that no longer serve the purpose they were collected for have to be removed. If you use a third-party mailing service, make certain that it is compliant with these policies as well, since it processes the data on your behalf.
Ensuring encryption and security of personal data
Strictly speaking, GDPR does not list encryption as a mandatory practice, but it mentions it in several places (for example Art. 32(1)(a), alongside pseudonymisation) as an appropriate measure to mitigate security risks. You need to protect any personal information you collect, store, and interact with from unauthorized access and tampering, and encryption, both in transit (TLS between mail servers and clients) and at rest (encrypted mailboxes and archives), is one of the most reliable ways to do that.
There are public trackers that record GDPR fines together with the reason for each fine. Look at the records filed under Art. 32(1)(b) (the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems) to see that the financial penalties for inadequate security are quite serious.
Keep in mind that attackers also target your own staff: most commonly by sending phishing emails to employees in the hope of stealing their login credentials, after which the attacker operates from inside your environment with a legitimate account.
- Complement the technical controls with regular staff training on recognizing phishing and other social-engineering attacks.
- Add multi-factor authentication to your staff login process; phishing-resistant methods (hardware security keys, FIDO2/WebAuthn) protect against credential theft better than SMS or app codes.
- Consider techniques that conceal client data while keeping it usable for marketing staff: masking replaces part of the characters with asterisks (John D** instead of John Doe), and pseudonymization replaces names and numbers with artificial identifiers (De2f-7 instead of John Doe), with the mapping back to the real identity kept separately under access control.
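The following is an added example, not code from the original article: it shows the two techniques from the last bullet in working Python. Masking keeps a data item recognizable but hides most of it (the first name stays, the surname keeps only its initial, an email keeps its first character and domain, a phone number keeps its last two digits). Pseudonymization replaces the name with a keyed HMAC-SHA256 token so that the same person always gets the same identifier (marketing can still count, group and join records) while nobody without the key can derive the token from a name or try names against a token. The token format (four hex characters, a dash, eight hex characters), the record layout and the sample contacts are assumptions chosen for illustration; the contacts are constructed, not real people.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the demo (not real people).
CONTACTS = [
    {"name": "John Doe", "email": "john.doe@example.com", "phone": "+1 555 0100"},
    {"name": "Jane Roe", "email": "jane.roe@example.org", "phone": "+44 20 7946 0958"},
]


def mask_name(name: str, visible_words: int = 1) -> str:
    """Show the first `visible_words` words in full; of each later word keep
    only the initial and replace the rest with '*'.  'John Doe' -> 'John D**'."""
    out = []
    for i, word in enumerate(name.split()):
        out.append(word if i < visible_words else word[0] + "*" * (len(word) - 1))
    return " ".join(out)


def mask_email(addr: str) -> str:
    """Keep the first character of the local part and the whole domain."""
    local, sep, domain = addr.partition("@")
    if not sep:  # not an email address at all: hide everything
        return "*" * len(addr)
    return local[:1] + "*" * (len(local) - 1) + "@" + domain


def mask_phone(phone: str, keep_last: int = 2) -> str:
    """Replace every digit except the last `keep_last` with '*'; separators stay."""
    total = sum(c.isdigit() for c in phone)
    seen = 0
    out = []
    for c in phone:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: HMAC-SHA256 over the canonicalised value.
    Canonicalising (collapse whitespace, lowercase) makes 'John Doe' and
    ' john DOE ' map to the same token.  The key is the re-identification
    secret: without it a token cannot be linked back to a name.  The 4-8 hex
    layout is an assumed presentation format, not a GDPR requirement."""
    canon = " ".join(value.split()).lower()
    mac = hmac.new(key, canon.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{mac[:4]}-{mac[4:12]}"


def pseudonymize_contacts(contacts, key: bytes):
    """Return (records safe to hand to marketing, re-identification table).
    The table maps token -> original record and must be stored separately
    from the pseudonymized data, under its own access control, together with
    the key (assumed to come from a secret manager in production)."""
    public, reident = [], {}
    for c in contacts:
        token = pseudonym(c["name"], key)
        public.append({
            "id": token,
            "name_masked": mask_name(c["name"]),
            "email_masked": mask_email(c["email"]),
            "phone_masked": mask_phone(c["phone"]),
        })
        reident[token] = c
    return public, reident


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # demo only; keep the real key out of this dataset
    public, table = pseudonymize_contacts(CONTACTS, key)
    for rec in public:
        print(rec)
    # Re-identification is possible only for whoever holds the table/key.
    print(table[public[0]["id"]]["name"])
```

Because the token is an HMAC rather than a plain hash, an attacker who obtains the marketing export cannot rebuild the mapping by hashing a list of likely names; they would need the key, which is why the key and the re-identification table belong in a separate system from the pseudonymized records.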
Retaining emails for a limited period and purpose
GDPR does not prescribe a fixed retention period for email. It does, however, require that personal data is kept no longer than necessary for the purpose it was collected for (Art. 5(1)(e), storage limitation). Introduce an email retention policy, or revisit your existing one, to check that you are not keeping excessive amounts of data that put you at risk: every stored message is data that can be leaked in a breach. Consider archiving software that applies automated retention rules, and keep track of other retention periods that are legally enforced for your industry; where several apply, the longest mandatory period wins, and a legal hold suspends deletion until it is lifted.