Risk assessment: end-to-end encryption is a must

Companies across Europe are uncertain whether it is sufficient to protect emails with TLS (transport encryption) or whether end-to-end encryption must be used, at least when sensitive personal data is being sent. Recent developments in Denmark suggest that every company must be able to encrypt emails containing sensitive personal data end-to-end.

Denmark is the first EU country officially stating that companies must now protect sensitive personal data in emails with proper end-to-end encryption because of the GDPR.

Tue Goldschmieding, Partner at the Danish law firm Gorissen Federspiel, explains:

Though the Danish Data Protection Agency does not explicitly require end-to-end encryption when sending emails containing special categories of data, the recommendation is very firm and should be interpreted as a de facto requirement.

While the Danish regulators do not state outright that companies must use end-to-end encryption, they make clear that a company's own risk assessment must arrive at exactly that conclusion. Regulators in other European countries may be even less explicit, but companies must keep in mind that the Danish interpretation rests on the same legislation that applies across the EU: the GDPR.

Email encryption supports GDPR compliance

Given fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83 GDPR), companies are well advised to send every email containing personal data end-to-end encrypted. Tutanota offers a very easy way to encrypt any email end-to-end to any recipient. With Tutanota's built-in encryption, no plugin or complicated encryption software is needed. Unlike many other email services, Tutanota does not have access to your data or your encryption keys. On top of that, Tutanota comes with a flexible and fair pricing plan that suits every business.

The European General Data Protection Regulation (GDPR) (German: Datenschutzgrundverordnung, DSGVO) names encryption as an appropriate technical measure to protect personal data (Article 32). It also relieves a controller of the duty to notify data subjects of a breach when the affected data was rendered unintelligible to any unauthorised person, for example through encryption (Article 34).

By encrypting your emails end-to-end, your business meets the GDPR's demand for appropriate technical measures for the data it sends by email. Encryption does not replace the GDPR's other obligations (lawful basis, data subject rights, processor agreements), but it is the measure that decides whether a lost or intercepted email is readable by anyone else.

What Tutanota does to support GDPR compliance in business emails

Tutanota protects all your business emails in four ways to support GDPR compliance:

The entire mailbox is end-to-end encrypted. Only your company can access the encrypted data, which includes all emails and all contact information (address book) stored in Tutanota. All data is stored encrypted on our own servers in highly secured data centres located in Germany.

Tutanota encrypts all emails among your employees end-to-end, so personal information, e.g. about applicants or customers, can be shared internally via email without any extra setup.

Tutanota lets you send end-to-end encrypted emails to outside users by sharing a password with the recipient; the password must reach the recipient through a separate channel, never in the same email.

Tutanota lets you place an encrypted contact form, Secure Connect, on your website so that people interested in your company can get in touch with you end-to-end encrypted.

In addition, Tutanota provides an Order Processing Agreement (the processor contract required by Article 28 GDPR) with legally binding data protection guarantees to help you demonstrate your compliance with the GDPR.

Tutanota offers an extensive business package

Tutanota is a secure email service that lets you access your encrypted mailbox at any time via webmail, via our Android and iOS apps, or via our desktop clients for Windows, macOS and Linux.

With its built-in end-to-end encryption, Tutanota enables you to make use of the advantages of the cloud (accessibility, cost efficiency, fast scalability, easy backup) while avoiding its main disadvantage: because the server stores only ciphertext and never holds your keys, the provider cannot read your data.

Tutanota for business enables you to:

Create an unlimited number of email accounts for all employees with your own domain(s).

Manage email accounts with administrators (reset passwords, disable accounts, etc.).

Add local administrators such as project managers, department heads etc.

Place a login form on your website where your employees can log in to their encrypted mailboxes.

Use your own branding (logo & colors) within your company's mailboxes.

Add a secure contact form to your website so that customers can directly contact you end-to-end encrypted.

Make unlimited use of our smart search feature that enables you to search your encrypted emails and contacts securely.

Start using our secure mail service now

Tutanota takes your email security to the next level with its built-in end-to-end encryption while it lets your business save money at the same time: With only €1 per user per month, Tutanota comes with affordable and flexible prices that suit the needs of every business.

If you want to integrate Tutanota into your enterprise, please get in touch with us directly. Our dedicated development team will be glad to adapt Tutanota to your enterprise's needs quickly.

GDPR-compliant email service

What is a GDPR-compliant email service?

A GDPR-compliant email service must secure all data according to the requirements of the GDPR and offer a data processing agreement (Article 28). The best choice for businesses is a secure email service that enables all employees to send end-to-end encrypted emails without extra effort.

Background information on personal data in emails

Business emails contain a lot of personal data, particularly when your customers are private citizens.

Every business handles personal information via emails at some point: HR information about applicants or employees, payroll letters sent via email, and personal information about customers such as birthday congratulations are only a few examples.

Sensitive personal data often shared via email

In addition, for some professions handling a lot of personal information via email is standard practice, and these emails often contain very sensitive data.

Professionals such as headhunters, journalists researching people and their private lives, lawyers or physicians communicating with their clients or patients via email, and many others must take extra steps to protect their email communication with and about their customers.

Why is standard TLS encryption not secure enough?

Standard email is protected with so-called TLS encryption (STARTTLS for SMTP). This transport encryption does not encrypt the message itself; it only sets up an encrypted connection between two servers, through which the email travels in plain text.

TLS encryption is not sufficient to protect emails with sensitive personal information. An email is relayed via several servers, and at every hop the TLS connection is terminated: the server receives the email in plain text, stores it in its queue, and opens a new TLS connection to the next hop. Every mail server on the path, including both providers, can therefore read the content. TLS between mail servers is also usually opportunistic: if the next server does not offer STARTTLS, the email is sent without any encryption at all unless the sending domain enforces TLS with MTA-STS or DANE. Only end-to-end encryption keeps the content unreadable to everyone except sender and recipient.
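The following simulation, added here as an illustration and not part of Tutanota's code or of the original article, models the relay chain just described: three hypothetical mail servers (host names constructed for the example), a fresh session key per link standing in for TLS, and an optional end-to-end key held only by sender and recipient. The cipher is a toy built from the Python standard library alone (HMAC-SHA256 run as a counter-mode keystream, with an encrypt-then-MAC tag) so that the script runs offline; it stands in for OpenPGP, S/MIME or a service's own scheme and must not be used as a real cipher. The `no_tls` parameter models a hop that does not offer STARTTLS, i.e. the opportunistic-TLS fallback to cleartext.

```python
"""Hop-by-hop transport encryption versus end-to-end encryption, simulated.

Added illustration, not Tutanota code. The cipher is a toy built from the standard
library only (HMAC-SHA256 as a counter-mode keystream, encrypt-then-MAC) so the
script runs anywhere; it stands in for OpenPGP, S/MIME or a service's own scheme.
"""
import hashlib
import hmac
import secrets
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32

# Constructed relay chain for the simulation (hypothetical host names).
HOPS = ["mta.sender.example", "relay.example.net", "mta.recipient.example"]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Run HMAC-SHA256 as a PRF in counter mode to produce `length` keystream bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under `key`; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on any tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def relay(body: bytes, hops, no_tls=frozenset()):
    """Store-and-forward delivery of `body` along `hops`.

    Each link gets a fresh session key (the TLS analogue). The receiving hop terminates
    that session, so its queue holds the body exactly as the previous hop had it. A hop
    listed in `no_tls` does not offer STARTTLS; with opportunistic TLS the sender then
    falls back to cleartext SMTP on that link. Returns ({hop: queued body}, [wire bytes]).
    """
    queued = {hops[0]: body}
    on_wire = []
    for prev, nxt in zip(hops, hops[1:]):
        if nxt in no_tls:
            wire = queued[prev]                        # cleartext on the wire
            queued[nxt] = wire
        else:
            link_key = secrets.token_bytes(32)         # per-connection TLS session key
            wire = seal(link_key, queued[prev])
            queued[nxt] = open_sealed(link_key, wire)  # TLS ends here: body back in the clear
        on_wire.append(wire)
    return queued, on_wire


def deliver(message: bytes, hops, e2e_key: Optional[bytes] = None, no_tls=frozenset()):
    """Send `message` through `hops`; end-to-end encrypted when `e2e_key` is given.

    Returns (queued body per hop, wire captures, what the recipient finally reads).
    """
    body = seal(e2e_key, message) if e2e_key else message
    queued, on_wire = relay(body, hops, no_tls)
    received = queued[hops[-1]]
    if e2e_key:
        received = open_sealed(e2e_key, received)      # only the key holder can do this
    return queued, on_wire, received


def exposed_to(queued, on_wire, secret: bytes):
    """Which hops hold `secret` in the clear, and did it ever cross a wire unencrypted?"""
    readable_at = [hop for hop, body in queued.items() if secret in body]
    return readable_at, any(secret in wire for wire in on_wire)


if __name__ == "__main__":
    secret = b"diagnosis: F32.1"                       # constructed sensitive payload
    msg = b"Subject: lab results\r\n\r\n" + secret
    for label, key in (("TLS only", None), ("end-to-end", secrets.token_bytes(32))):
        queued, on_wire, received = deliver(msg, HOPS, key)
        print(f"{label:10} readable at {exposed_to(queued, on_wire, secret)}, delivered intact: {received == msg}")
```

With transport encryption alone, `exposed_to` reports the secret in every hop's queue even though it never appears on the wire; when one hop refuses STARTTLS it appears on the wire as well. With an end-to-end key neither the queues nor the wire contain it, and `open_sealed` rejects any modified ciphertext. MTA-STS and DANE close the downgrade case but change nothing about the hops themselves being able to read the message.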