Why email entails major risks under the GDPR

In 2017 more than 10.000 data leaks occurred. More than half of these leaks was caused by human error. 

The moment data is leaked or hacked, criminals can start using the data. When large-scale leaks occur, data abuse almost never happens immediately for all the data affected. Even if hackers do not do anything with your data, there is always the risk that others will.

As we saw above, personal data can be leaked on a large scale due to external errors. However, a leak could also be caused within your own organisation by one of your own employees.



Thea works at a large regional hospital. Every month, she sends a database to an external supplier so that they can produce a management report. This database contains various types of personal data and other privacy-sensitive information. That includes names and Citizen Service Numbers, but also Diagnosis and Treatment Combination codes and referrals for further treatment. To send this extensive quantity of data, most of which is sensitive, Thea has several options at her disposal. She could send this data in small chunks by ‘normal’ email, send a USB memory stick by post, or use a public file transfer service.

And then things go wrong. Thea decides to send the email through Outlook, as she always does. She types ‘Ro’ and the email program auto-completes the name. She presses ‘send’ and the email is out of her hands. However, the data is not sent to Robert at the external IT service provider, but to Rose from the home care organisation, who Thea often emails.

A huge database of sensitive information is now exposed, causing incalculable damage. Just by selecting the wrong recipient, Thea provided ‘unauthorised’ access. All the people involved must now be notified, and the CISO of the hospital has to report the data leak to the Dutch Data Protection Authority.



Such data incidents are commonplace in many organisations, but many stay hidden under the radar. The cause of these incidents is usually twofold. On the one hand, employees are not aware of the consequences of their actions. On the other hand, organisations often do not have proper systems in place to safely send emails and files.


Five reasons why email leaks are virtually unavoidable
Email is one of the most common ways to communicate within organisations, and at the same time also one of the most error-prone. How is it possible that security leaks are so often caused by email? Read more about the five most common reasons below.

1. Email is not properly protected by default

Many organisations fail to secure their email by default, which means email is usually sent unencrypted. That means that everyone who receives this email can also read it – including people who get these emails by accident.

Attachments are often also not secure either, even though Excel workbooks, Word documents and PDF files can easily be password-protected. For security reasons, the users should not send the passwords to the receiver by email but in a different way (for instance by text message). In practice, virtually no one does that, probably because it takes more time.


2. Email is untraceable

Suppose you want to send an email to your colleague, Ms Jansen. After you have clicked send, you realise that you have accidentally sent that email to another person named Jansen... who works for a different organisation. From that moment on, the problem is out of your control. No one can find out what happens to the information contained in that email. Will the email be deleted without being read, or will it be forwarded?

This is a huge problem in actual practice. Once you can no longer identify everyone who has seen that information, you no longer have any control over it. In many cases, there are no options for cancelling emails that are sent by mistake. Let alone technical options for figuring out where the data went from there.


3. Internal emails get less attention

A leak is also easily created within your own organisation. Several employees are discussing a treatment plan for a patient. The entire organisation is added in the CC, and suddenly everyone knows the details of the patient’s medical history.

The risk of sensitive information ending up in the streets is much lower when using internal email. Unfortunately, that restriction is not a criterion in the eyes of the law: an email containing sensitive information should always be sent securely, even if that email stays within the organisation.


4. Standard email boxes are easy to hack

It can happen to a government minister or to the Democratic Party in the USA, so why couldn’t it happen to you? An email account is hacked. This often happens because the security measures are insufficient. The email account of our own Minister Kamp was hacked by means of a phishing attempt. Sometimes computer criminals gain access to an email account because it has a weak password or because two-factor authentication has not been used. If someone gains unauthorised access to the inbox, you don’t want them to immediately gain access to all the information contained in your inbox.


Malicious parties use other ways to abuse email. One such example is spoofing. An attacker copies the email address of someone in your organisation and sends emails from that address. Someone working in the financial department receives an invoice that seems like it came from a member of the Board of Directors, and pays it as requested. In reality, this invoice was sent by a criminal – who controls the bank account on the invoice. Taking proper security measures makes it possible to prevent these types of attacks.


5. Employees are not aware of the importance of using secure email

The average employee receives dozens of emails every day. Email has become a reflex; we no longer think about what we’re doing when we send and receive email messages. This means that employees communicate the most banal matters (such as announcing that there’s cake by the coffee machine because it’s John’s birthday) in nearly the same way as they divulge client information or deliver a new purchase contract. Employees are not aware that they need to handle sensitive information differently than other email. Virtually all data leaks involving email are the result of that unawareness. In reality, people the weakest link and the cause of nearly all leaks by email.


Should email even still be used in your organisation?

Reading this might make you think that we advocate banning the use of all email within organisations. That is most certainly not the case. However, in view of the GDPR, it is key to carefully consider how you can improve data security in internal and external email within your organisation.


Technical tips for handling email more securely:

  • Encrypt your emails effectively by default. This will ensure that just you and the person you are communicating with can read the emails.
  • Make sure that only the intended recipients have access to the information.
  • Use software that warns you if an email seems to be sent to the wrong person.
  • Provide an option to cancel a message if something goes wrong.


Create awareness regarding privacy and GDPR

Awareness regarding privacy and GDPR is a security layer that includes vital organisational and technical measures. The reason that it is so important is because 46% of all data leaks are caused by employees handling sensitive data carelessly. But how do you resolve that problem? In this e-book, we provide an answer to this question and offer some practical tips.


Comfort Safe Communications

Zivver Listed as a Representative Vendor in Gartner's 2020 Market Guide for Email Security

LONDON and AMSTERDAM – Zivver, a leading secure digital communication provider, announced today that it has been identified as a Representative Vendor for Email Data Protection Specialists in Gartner's 2020 Market Guide for Email Security. […]

Read more
Rick Goud

My promotion from CEO to CIO

I am proud to announce that I have handed over the CEO reins of Zivver to Wouter Klinkhamer. In my new position as CIO I will focus more on where my passion and strength lies: innovation and translating problems into solutions with technology. The new Zivver Meet service for safe video calling is a good example of how quickly we can innovate and is therefore a nice […]

Read more
London bridge lights moving quickly

How to safeguard data and comply with the GDPR and similar legislation

With the GDPR in effect for some time now, organizations must ensure that their products, services and processes are GDPR compliant as well. The optimal way to do this with current and future business initiatives is by establishing a culture of privacy by design and default in your organization, as well as perform a privacy impact assessment (PIA) as needed. We like to […]

Read more
London bridge lights moving quickly

How to safeguard data and comply with the GDPR and similar legislation

With the GDPR in effect for some time now, organizations must ensure that their products, services and processes are GDPR compliant as well. The optimal way to do this with current and future business initiatives is by establishing a culture of privacy by design and default in your organization, as well as perform a privacy impact assessment (PIA) as needed. We like to […]

Read more

5 top GDPR compliance challenges, and what you can do about them

If your organization is struggling to comply with data protection regulations such as the GDPR, you can take some comfort in knowing you’re definitely not alone. Some studies have shown close to half of companies in many countries are not fully compliant with their national data protection requirements. But what are the compliance challenges these companies are […]

Read more

General Data Protection Regulation (GDPR) vs California Consumer Privacy Act (CCPA)

In a recent blog post we explained how the California Consumer Privacy Act (CCPA) went into effect on the 1st of January, 2020, after it was signed into law in 2018. This consumer protection legislation, the most robust yet in the United States, was essentially modelled after the General Data Protection Regulation (GDPR) in the European Union, which went into effect in […]

Read more