I am wondering if/when/how we should use encrypted e-mails at my company. In which cases could it be a necessary means to ensure some extra compliance in relation to the GDPR? Are there any general guidelines? Which information should entail encryption?
The EU GDPR in art. 23 – “Security of processing” (https://advisera.com/eugdpracademy/gdpr/security-of-processing/) mentions encryption as a means to protect personal data. It also mentions that “appropriate technical and organisational measures” need to be taken according to the risks involving a specific processing activity.
So, basically, it is up to the controllers and processors to determine which security measures they need to take. Coming back to the question of whether an email should be encrypted or not, you would need to think about the content of your emails. Basically, emails that contain large amounts of personal data should be encrypted, as well as emails containing sensitive personal data.