Secure Email - How To Encrypt and Sign Emails
NOTE. It is your responsibility as the data controller to make sure that you process customer data responsibly. Bricksite recommends that you familiarize yourself thoroughly with the concepts in this guide.
You may be able to, but are you allowed to send personal data in an email? Of course you are. You just have to ensure:
That you notify your customers what data you send over email and the legal basis of the data processing. Write this in your website's Privacy Policy.
Pay special attention to sensitive personal data which require a "double legal basis": This means that in addition to writing it in your privacy policy you must also ask for express consent from your users if you wish to send health data and so on over email.
That you process data securely — familiarize yourself thoroughly with this guide.
It is a requirement from the European Data Protection Authority that you use transport encryption, TLS 1.2, whenever you send personal data through email as a minimum. Make sure to use the secure email setup with you email client.
The requirements for Secure Mail can be found at sikkerdigital.dk.
From the Data Protection Regulation Art. 9 (1) 10. Sensitive personal data are: racial or ethnic origin, political, religious or philosophical beliefs or trade union affiliation as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health information or information about a physical person's sexual relationship or sexual orientation ... Criminal convictions and offenses ...
Make sure to enable two-factor verification (2FA) on your email account. This makes it very difficult for hackers to gain access to your emails, and you are able to prove that you have taken step to ensure a proper level of security.
When the Data Protection Agencies mention encryption, they are talking about several different things. The first is called transport encryption and the second content encryption. If you encrypt with both methods at the same time, then we are talking about double encryption. In addition, you can also digitally sign your emails with a digital signature (such as MitID) so the recipient knows that you as the sender are a real and legitimate person, because the signature can not be forged.
When you send an email it is sent over an internet connection that anyone can monitor. Transport encryption means that you put the email in a digitally sealed envelope that noone but you and the receiver can open. In addition, there is also Content Encryption. As the name suggests, the actual contents inside the envelope are written in secret code, which only the recipient understands. You can thus achieve the greatest protection - but also the most hassle - by doing both things at the same time.
Bricksite's email solution supports transport encryption by default. In fact, we have disabled many of the old insecure standards in our mail solution so that you do not get a false sense of security when sending emails. However this also means that you cannot use Bricksite's email solution with old email clients that are not up to date with the latest security standards. We opt for this as we want to support you in making your work as easy as possible, but without going overboard with your safety. This way you can be sure that the connection between you and our systems is encrypted; and if the connection is not secure, then your email client will warn you and refuse to send the email.
If you use our Webmail you do not need to do anything.
If you use an email client, ensure that you use the secure email setup.
Content encryption is a bit more cumbersome — for you and the recipient of the email. However, it may be necessary if you send sensitive or confidential personal data (including social security numbers and health data). The easiest method is simply to send password-protected PDF files.
Write your message in a word processor.
Press Save As or Export as PDF and then save as PDF and set a password.
Attach the file to your email and send it.
The password for the PDF file is handed to the customer separately.
Never state the code in the same email, but send it separately as an SMS, phone call, or hand out the code in person in a sealed envelope. Never use identifying information or sensitive personal data as the password; this includes the customer's birthday and social security number.
There is a number of methods to digitally sign your emails, such OpenPGP, but they can be challenging to use, and it will often not make much of a difference to the recipient at the moment. There is a rapid technological progression in this field right now, so it may be that something more user-friendly will come about within the next few years.
Bricksite Mail integrates directly with Mailvelope, which works with Google Chrome, Firefox, and Edge. It may be used to encrypt and sign emails directly through the webmail. Remember to export a copy of your private and public key and save it in a safe place, as you may otherwise permanently lose access to read your own emails encrypted with that key pair.
Remember to insert a checkbox in your contact form that the user must acknowledge to have read your privacy policy to send a message.
TLS 1.0–1.2 and STARTTLS - [note, phasing out older versions TLS 1.0–1.1 soon].
SSLv3 and below are disabled.
SPF is set up by default on your mail solution with us.
DKIM and DMARC are possible, but must be set up manually by you.
Ask for DNSSEC activation at customer service.
Supports encryption with OpenGPG through Mailvelope.
What Am I Allowed To Do?
You may be able to, but are you allowed to send personal data in an email? Of course you are. You just have to ensure:
That you notify your customers what data you send over email and the legal basis of the data processing. Write this in your website's Privacy Policy.
Pay special attention to sensitive personal data which require a "double legal basis": This means that in addition to writing it in your privacy policy you must also ask for express consent from your users if you wish to send health data and so on over email.
That you process data securely — familiarize yourself thoroughly with this guide.
It is a requirement from the European Data Protection Authority that you use transport encryption, TLS 1.2, whenever you send personal data through email as a minimum. Make sure to use the secure email setup with you email client.
The requirements for Secure Mail can be found at sikkerdigital.dk.
From the Data Protection Regulation Art. 9 (1) 10. Sensitive personal data are: racial or ethnic origin, political, religious or philosophical beliefs or trade union affiliation as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health information or information about a physical person's sexual relationship or sexual orientation ... Criminal convictions and offenses ...
Two-Factor Verification (2FA)
Make sure to enable two-factor verification (2FA) on your email account. This makes it very difficult for hackers to gain access to your emails, and you are able to prove that you have taken step to ensure a proper level of security.
Encryption
When the Data Protection Agencies mention encryption, they are talking about several different things. The first is called transport encryption and the second content encryption. If you encrypt with both methods at the same time, then we are talking about double encryption. In addition, you can also digitally sign your emails with a digital signature (such as MitID) so the recipient knows that you as the sender are a real and legitimate person, because the signature can not be forged.
When you send an email it is sent over an internet connection that anyone can monitor. Transport encryption means that you put the email in a digitally sealed envelope that noone but you and the receiver can open. In addition, there is also Content Encryption. As the name suggests, the actual contents inside the envelope are written in secret code, which only the recipient understands. You can thus achieve the greatest protection - but also the most hassle - by doing both things at the same time.
Bricksite's email solution supports transport encryption by default. In fact, we have disabled many of the old insecure standards in our mail solution so that you do not get a false sense of security when sending emails. However this also means that you cannot use Bricksite's email solution with old email clients that are not up to date with the latest security standards. We opt for this as we want to support you in making your work as easy as possible, but without going overboard with your safety. This way you can be sure that the connection between you and our systems is encrypted; and if the connection is not secure, then your email client will warn you and refuse to send the email.
Transport Encryption
If you use our Webmail you do not need to do anything.
If you use an email client, ensure that you use the secure email setup.
Content Encryption
Content encryption is a bit more cumbersome — for you and the recipient of the email. However, it may be necessary if you send sensitive or confidential personal data (including social security numbers and health data). The easiest method is simply to send password-protected PDF files.
Write your message in a word processor.
Press Save As or Export as PDF and then save as PDF and set a password.
Attach the file to your email and send it.
The password for the PDF file is handed to the customer separately.
Never state the code in the same email, but send it separately as an SMS, phone call, or hand out the code in person in a sealed envelope. Never use identifying information or sensitive personal data as the password; this includes the customer's birthday and social security number.
Digital Signature
There is a number of methods to digitally sign your emails, such OpenPGP, but they can be challenging to use, and it will often not make much of a difference to the recipient at the moment. There is a rapid technological progression in this field right now, so it may be that something more user-friendly will come about within the next few years.
Bricksite Mail integrates directly with Mailvelope, which works with Google Chrome, Firefox, and Edge. It may be used to encrypt and sign emails directly through the webmail. Remember to export a copy of your private and public key and save it in a safe place, as you may otherwise permanently lose access to read your own emails encrypted with that key pair.
Privacy Policy
Remember to insert a checkbox in your contact form that the user must acknowledge to have read your privacy policy to send a message.
Security Specification (Advanced)
TLS 1.0–1.2 and STARTTLS - [note, phasing out older versions TLS 1.0–1.1 soon].
SSLv3 and below are disabled.
SPF is set up by default on your mail solution with us.
DKIM and DMARC are possible, but must be set up manually by you.
Ask for DNSSEC activation at customer service.
Supports encryption with OpenGPG through Mailvelope.
Updated on: 23/08/2022
Thank you!