Protecting data in emails: 7 key measures for GDPR-compliant communication
Why unsecured emails pose a risk – and how to implement email data protection with ease.

In hospitals, public authorities and businesses, sensitive data is sent by email every day – often unencrypted and without traceability. Yet even email addresses are considered personal data under the General Data Protection Regulation (GDPR), and the content of emails is often even more sensitive.
This article explains when unprotected emails fail to comply with GDPR requirements, and what organisations can do to ensure their communication is secure, traceable and legally compliant – including a practical checklist for everyday use.
Why does the GDPR apply to email communication?
The GDPR protects personal data – and this includes not only medical records or ID details, but also basic email addresses containing real names, such as max.muster@company.com. The content of email messages, file attachments, subject lines and even metadata (e.g. timestamps, IP addresses) may also contain sensitive information.
Sending such information in plain text poses a significant data protection risk. Emails are essentially the digital equivalent of a postcard: the content can be read, copied or misdirected while in transit. In addition, there is often little control over later access, storage duration or deletion.
As a result, companies, public authorities and other organisations are required under Article 32 of the GDPR to protect personal data using appropriate technical and organisational measures (TOMs). These include:
Encryption during transmission and storage
Access restrictions and role-based permissions
Documentation and traceability of email communication
In addition, Article 5 of the GDPR stipulates that data must only be processed for clearly defined purposes and may not be stored for longer than necessary.
The GDPR is further supplemented by national regulations such as the Federal Data Protection Act (BDSG) in the employment context, and the Telecommunications Digital Services Data Protection Act (TDDDG), which protects the confidentiality of digital communication.
Data protection and email: Common mistakes – and why they matter
Many data protection breaches in day-to-day professional life do not occur out of malice, but as a result of routine or a lack of proper processes. The GDPR’s requirements are often overlooked or underestimated when it comes to email communication. The following are some of the most common weaknesses:
Open email distribution lists (CC instead of BCC): Using CC to send emails to multiple recipients exposes all email addresses to everyone on the list – a clear breach of GDPR. This is especially critical when communicating with citizens, patients or external partners.
Sending sensitive content without encryption: Health data, contracts or internal documents are often sent as attachments without any form of encryption. If such an email is sent to the wrong recipient or intercepted, it constitutes a serious violation of data protection regulations.
Forwarding to private email accounts: Many people forward work emails to personal accounts such as Gmail or GMX without authorisation. This is problematic from a data protection perspective, particularly if sensitive information is involved. It also results in organisations losing control over the data flow.
Lack of traceability: Without delivery logs or access records, it is impossible to prove when and by whom an email was received or opened. These gaps make it difficult to fulfil the GDPR’s accountability requirement.
No deletion policy: Emails containing personal data are often stored indefinitely – in inboxes, archive systems or backups. This contradicts the GDPR principle of storage limitation (Article 5).

These mistakes are often systemic. To ensure GDPR-compliant email communication, organisations need clear processes, defined policies and technical support. The following checklist shows how this can be achieved.
Checklist: Sending GDPR-compliant emails
Anyone who sends personal data via email bears responsibility. The GDPR sets out clear requirements. This checklist outlines the measures organisations should implement to ensure they remain on the safe side:
1. Use BCC instead of CC in distribution lists
Protect recipients' email addresses by always using the BCC field when sending bulk emails – especially to external contacts. This keeps recipient addresses confidential. Make sure this rule is documented in your organisation’s email policy.
2. Never send sensitive content in plain text
Personal data such as contracts, health information or invoices should only be sent via a secure connection – at a minimum with transport encryption, ideally end-to-end encrypted. Establish binding encryption rules based on the sensitivity of the content, and integrate suitable data protection tools into existing systems like Outlook.
3. Clearly define rules for forwarding to private mailboxes
Business emails should never be forwarded to private accounts such as Gmail or GMX. Doing so results in a loss of control over sensitive data. Make it clear that official communication must take place exclusively via secured, company-managed accounts – and enforce this technically wherever possible.
4. Document sending and access
In the event of a dispute, organisations must be able to prove when an email was sent, received or opened. Use tools that automatically log this information. Ensure that logs are tamper-proof and can be exported when needed – for example, during internal audits or in response to complaints from data protection authorities.
5. Restrict access – not everyone needs to see everything
Define who is allowed to send which types of data by email, what must be encrypted, and which tools are to be used. Establish written policies that assign responsibilities (e.g. an internal data protection guideline) and set up role-based access controls. This ensures that only authorised individuals can access sensitive information, and that the tools used meet defined security standards.

6. Set up automated deletion periods
Personal data may only be stored for as long as necessary for its intended purpose. However, emails containing sensitive information often remain in inboxes for years due to a lack of clear rules on how long they should be retained or when they should be deleted or archived.
Define clear retention periods for emails containing personal data. Then implement automated deletion or archiving processes at the technical level. Regularly audit inboxes to identify and remove outdated content that should have been deleted long ago.
7. Raise employee awareness
Last but not least: even the best technology is only effective when used correctly. That’s why employees should receive regular training on data protection risks in email communication – as a mandatory part of onboarding and through ongoing awareness sessions. Use short, practical examples or quick-reference guides to explain: What may or may not be sent via email? What type of encryption is required?
💡 Tip: Choose solutions that integrate seamlessly with existing tools like Outlook – this makes data protection practical and easy to implement, rather than a barrier to everyday work.
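To show how checklist items 1, 2, 3 and 6 can be enforced at the technical level, here is an added example (not code from the article or from FTAPI) that audits stored RFC 5322 messages for open CC lists, unencrypted attachments, forwards to private webmail providers and expired retention periods. The internal domain, webmail list, forward-prefix heuristic and 365-day retention period are assumptions chosen for the example.

```python
import email
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import getaddresses, parsedate_to_datetime

# Assumed organisation settings (hypothetical values, adjust to your own environment).
INTERNAL_DOMAINS = {"company.com"}
PRIVATE_WEBMAIL = {"gmail.com", "gmx.de", "gmx.net"}
ENCRYPTED_TYPES = {"multipart/encrypted", "application/pkcs7-mime"}  # PGP/MIME, S/MIME
RETENTION = timedelta(days=365)

def _domains(msg, *headers):
    """Lower-cased domain of every address in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return [a.rsplit("@", 1)[1].lower() for _, a in getaddresses(values) if "@" in a]

def check_message(raw, now=None):
    """Return policy findings for one RFC 5322 message; an empty list means no finding."""
    msg = email.message_from_string(raw, policy=policy.default)
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    findings = []
    # Item 1: more than one external address visible in To/Cc is an open distribution list.
    external = [d for d in _domains(msg, "To", "Cc") if d not in INTERNAL_DOMAINS]
    if len(external) > 1:
        findings.append(f"open distribution list: {len(external)} external addresses visible, use Bcc")
    # Item 2: attachments on a message that carries no content-level (S/MIME or PGP/MIME) encryption.
    if any(p.get_filename() for p in msg.walk()) and msg.get_content_type() not in ENCRYPTED_TYPES:
        findings.append("unencrypted attachment: message is neither S/MIME nor PGP/MIME encrypted")
    # Item 3: a forward (subject-prefix heuristic) addressed to a private webmail provider.
    private = {d for d in _domains(msg, "To", "Cc", "Bcc") if d in PRIVATE_WEBMAIL}
    if private and msg.get("Subject", "").lower().startswith(("fw:", "fwd:", "wg:")):
        findings.append(f"forwarded to private mailbox domain(s): {sorted(private)}")
    # Item 6: a message older than the retention period should have been deleted or archived.
    try:
        sent = parsedate_to_datetime(msg["Date"])
        sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
    except (TypeError, ValueError, AttributeError):
        sent = None
    if sent and now - sent > RETENTION:
        findings.append(f"retention exceeded: sent {sent.date()}, older than {RETENTION.days} days")
    return findings

# Constructed sample messages, not real traffic.
OPEN_CC = ("From: hr@company.com\nTo: a.citizen@example.org\nCc: b.patient@example.net\n"
           "Subject: Appointment\nDate: Mon, 03 Jun 2024 09:00:00 +0200\n\nHello\n")
FORWARD_PRIVATE = ("From: m.muster@company.com\nTo: m.muster@gmail.com\nSubject: FW: Contract\n"
                   "Date: Mon, 03 Jun 2024 09:00:00 +0200\n"
                   'Content-Type: multipart/mixed; boundary="b"\n\n--b\n'
                   'Content-Type: application/pdf; name="contract.pdf"\n'
                   'Content-Disposition: attachment; filename="contract.pdf"\n\n%PDF\n--b--\n')
```

Calling check_message(FORWARD_PRIVATE, "2024-06-10T00:00:00+00:00") reports the unencrypted attachment and the forward to gmail.com; auditing the same message a year and a half later adds a retention finding.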
Communicating via email in compliance with GDPR – with FTAPI SecuMails
FTAPI SecuMails helps companies, public authorities and other organisations send emails securely, in encrypted form and with full traceability, whether via a web interface or directly from Outlook – fully GDPR-compliant and without switching between systems. The solution integrates seamlessly into existing workflows and requires no additional software on the recipient’s side.
How it works:
Simply compose your email
Write your message as usual – either in Outlook or in your browser. Files can be attached directly.
Select the appropriate security level
Before sending, the sender chooses the required level of protection based on the sensitivity of the content: from a simple download link (Level 1) to end-to-end encryption with access control (Level 4).
Sending and access are automatically logged
Delivery, email openings and file downloads are fully traceable if needed – offering greater transparency and accountability.
Control access and validity
Senders can define how long content remains accessible. After the expiry period, data is automatically deleted.
FTAPI thus meets all the requirements for GDPR-compliant email encryption – including logging and access control – without creating extra effort for users.
In addition, FTAPI will soon support certificate-based encryption: public authorities and companies in regulated industries will be able to encrypt and decrypt their inbound and outbound email communication using an add-on for SecuMails based on the established S/MIME standard, including digital signatures.
This enables a wide range of use cases to be handled securely in one solution – transforming email, a traditionally risky medium, into a secure and fully traceable communication channel.
Conclusion: Email data protection needs clear rules – and practical solutions
At the end of the day, email is indispensable in professional life – but without safeguards, it poses a considerable data protection risk. Everyday mistakes like using open distribution lists, sending unencrypted attachments, or forwarding emails to private accounts can lead to costly GDPR violations.
To prevent this, organisations need clear internal policies, technical support – and solutions that integrate smoothly into existing processes. After all, not everyone in the organisation is an IT expert – and that’s exactly why email data protection must be easy to implement.
FTAPI SecuMails makes that possible: send emails securely – directly from Outlook, encrypted and traceable. No training required, no additional software for recipients, but full control over security, access and logging.
Frequently asked questions about GDPR and email
As soon as emails contain personal data (e.g. names, email addresses or relevant content), the rules of the GDPR apply – especially Articles 5 and 32. Organisations must ensure data security through encryption, clearly defined purposes, and traceable processing.
An email is compliant when it is encrypted during transmission, properly documented, and used only for legitimate purposes. Additionally, retention must be limited – personal data may not be stored indefinitely.
This includes health records, payslips, and internal contractual documents – essentially any content that could be linked to an identifiable individual. Under the GDPR, such data must only be sent via encrypted and controlled email channels.
Standard emails are technically comparable to postcards: they usually arrive, but can be intercepted and read in transit. Without encryption, email communication cannot be considered secure under data protection law.
Email forwarding and data protection are closely linked. Work-related emails should only be sent and forwarded via official business accounts. Private inboxes like Gmail or GMX pose risks in terms of control and security.
Only under specific conditions – and depending on whether private use of the work email account is contractually or operationally permitted:
If private use is prohibited, the employer may access business emails under strict conditions – for example, during prolonged absences, to maintain business operations, or in cases of suspected misconduct.
If private use is allowed or tolerated, the employer is generally not permitted to access private emails – even if they are sent or received via a work account.
In general, email monitoring must be proportionate and legally justified. Employees must be informed in advance – for example, through data protection policies or works agreements. Secret or blanket surveillance is not permitted.
Sending newsletters, marketing emails or product information via email requires explicit consent – typically via a double opt-in process. Pre-ticked checkboxes or assumed consent are not valid. The recipient must actively click the confirmation link in the sign-up email before any messages may be sent.
In addition, information obligations apply, including a clear unsubscribe link and defined data retention periods. Failing to meet these requirements can lead to GDPR violations. Be sure to regularly review your sign-up forms, mailing processes and privacy notices for compliance and up-to-dateness.
