30 Jan 2018
Getting Security And Privacy In Email Right
How many times have we said that email has the highest ROI, or that it’s the most effective marketing channel? It even looks like we have some kind of secret master plan to trick everyone into using email… 🤔
Subtle marketing techniques aside, the truth is email is a quick, cheap and highly customizable way to contact customers. But of course, as a business working with personal data, you know that privacy and security are not things to be taken lightly. Protecting sensitive information and preventing hacks or leaks is key.
That’s why email has to be secure, to ensure all of this data is safe and only available to those with the rights to access it.
“Phishing and spoofing are huge threats in the email world today. It’s incredibly important to ensure you have set all possible protections to prevent spoofing.”
– Lauren Meyer, VP of Delivery & Head of North American Operations at Mailjet
With data protection and data security constantly in the news, and GDPR coming into effect in May, email privacy and security is as crucial as ever.
Keeping your email data private and safe
Laws around the world regulate the use of email. The most obvious are the anti-spam laws, which differ from country to country: you need to know them and make sure you follow the ones that apply wherever you operate.
But there are also transnational agreements, signed between countries or supranational entities (like the EU), to help companies establish themselves abroad, and comply with local laws. Among the agreements you’ll need to be familiar with, and ensure you comply where appropriate, the key one for those with European contacts is the EU General Data Protection Regulation (or GDPR).
GDPR was passed in 2016. It strengthens the current European regulations regarding data security within the EU member states. Any company, organization, association or administration, whether private or public (that is, any structure with access to personal data), will have to comply with GDPR starting May 25, 2018. European companies, but also non-European companies with EU customers, will have to make sure that only the data that is necessary and relevant to their activities is collected.
They will also have to ensure that the physical servers where the data is stored are safe and under protection. Any data transfer out of the EU will be done under strict rules. If a company fails to comply with these new rules, it can be sanctioned with a fine equal to up to 4% of its yearly turnover, or 20 million euros, whichever is higher. Under this new EU rule, all personal data will be subject to the highest security, so consumers can trustfully interact with companies.
But this doesn’t just mean that you have to ensure your own business complies with GDPR, it also means that any third-party solutions you work with have to be GDPR-compliant too. This, obviously, includes your email service provider, so it’s key to choose wisely (spoiler alert: read on to find out why Mailjet is a good choice 😉).
Data security is a big deal in Europe, so before starting your operations on EU soil, be sure to comply with the rules in place, as well as the upcoming ones, and be careful to choose only GDPR-compliant third-party solutions, like Mailjet.
The technical side of email security
But all these legal – yet important! – considerations aside, how can you ensure that both the emails you send and the ones you receive are really safe?
One of the ways in which we can protect the information contained in emails is through encryption.
When we’re talking about encryption, there are different possibilities. Encryption of the message itself is probably the most effective procedure when it comes to email security. Contrary to popular belief, DKIM does not encrypt messages: it signs them, which adds a layer of authentication that helps protect your emails against spoofing, but the content still travels in the clear.
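To make the DKIM point concrete, here is an added example (not code from Mailjet or from the original post) that performs the body-hash part of a DKIM check: it canonicalizes a message body the "relaxed" way described in RFC 6376, computes the `bh=` value, and compares it with the `bh=` tag of a `DKIM-Signature` header. The body and header are constructed for the example; the `b=` tag (the RSA signature over the headers, which needs the signer's private key) is left as a labelled placeholder. Notice that the body is never transformed into ciphertext: DKIM lets the receiver detect tampering and confirm the signing domain, but anyone on the path can still read it.

```python
import base64
import hashlib
import re


def relaxed_body_canonicalize(body: str) -> bytes:
    """RFC 6376 'relaxed' body canonicalization.

    - runs of spaces/tabs inside a line collapse to a single space
    - trailing whitespace on each line is removed
    - trailing empty lines are dropped, and a non-empty body ends with CRLF
    """
    lines = body.replace("\r\n", "\n").split("\n")
    canon = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while canon and canon[-1] == "":
        canon.pop()
    if not canon:
        return b""  # an empty body canonicalizes to the empty string
    return ("\r\n".join(canon) + "\r\n").encode("utf-8")


def sha256_b64(data: bytes) -> str:
    """Base64 of the SHA-256 digest, which is how bh= is encoded."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def compute_body_hash(body: str) -> str:
    """The bh= value a signer would place in the DKIM-Signature header."""
    return sha256_b64(relaxed_body_canonicalize(body))


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs.

    Folding whitespace inside values (common in bh= and b=) is removed.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")  # first '=' only; base64 padding keeps its '='
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value: str, body: str) -> bool:
    """True when the body received matches the bh= the signer committed to."""
    return parse_dkim_signature(header_value).get("bh") == compute_body_hash(body)


# Constructed sample message body (not a real Mailjet message).
SAMPLE_BODY = "Hello   Mailjet reader,\r\n\r\nYour invoice is attached.   \r\n\r\n\r\n"


def make_sample_header(body: str) -> str:
    """Build a constructed DKIM-Signature value for the example.

    d=, s= and h= are illustrative; b= is a placeholder because a real
    signature requires the signer's private RSA key.
    """
    return (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2018; "
        "h=from:to:subject; bh=" + compute_body_hash(body) + "; b=<signature-placeholder>"
    )


if __name__ == "__main__":
    header = make_sample_header(SAMPLE_BODY)
    print("DKIM-Signature:", header)
    print("body hash matches:", body_hash_matches(header, SAMPLE_BODY))
    # The body text is still readable in transit: DKIM authenticates, it does not encrypt.
    print("body still readable:", "Your invoice is attached." in SAMPLE_BODY)
    tampered = SAMPLE_BODY.replace("invoice", "refund")
    print("tampered body matches:", body_hash_matches(header, tampered))
```

A full verifier would additionally fetch the public key from the `s._domainkey.d` DNS TXT record and check `b=` over the canonicalized headers listed in `h=`; that step is what ties the message to the signing domain, while `bh=` is what ties the signature to the body.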
To ensure a proper encryption of your email, you can also use these tools, which support the OpenPGP standard: https://www.openpgp.org/software/. For example, you can try GPGTools, which is natively integrated with Apple Mail and allows you to send encrypted emails (end to end encryption).
Another possibility is encrypting the channel that carries your email from server A (your sending server) to server B (your recipient’s server). This is the role of Transport Layer Security, or TLS. The only issue here is that TLS is still not supported by all ISPs: if you send a message over TLS and your recipient’s server doesn’t support the protocol, the channel falls back to plaintext and the encryption won’t be effective.
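The fallback described above is what "opportunistic" TLS means in SMTP: the sending server only encrypts the hop if the receiving server advertises `STARTTLS` in its EHLO reply. The added example below (written for this page, not Mailjet's code) parses two constructed EHLO replies, one from a server that offers STARTTLS and one that does not, and shows the decision a sender has to make: upgrade to TLS, send in the clear, or refuse to send when a policy requires encryption.

```python
def parse_ehlo(response: str) -> set:
    """Return the SMTP extension keywords advertised in an EHLO reply.

    The first line carries the server's hostname, not an extension, so it is
    skipped; every later '250-XXX' or '250 XXX' line names one extension.
    """
    extensions = set()
    lines = response.replace("\r\n", "\n").strip("\n").split("\n")
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            extensions.add(keyword)
    return extensions


def starttls_decision(response: str, require_tls: bool) -> str:
    """Decide how to proceed after EHLO.

    'starttls'  - the server offers STARTTLS, upgrade the connection
    'plaintext' - no STARTTLS, and policy allows an unencrypted hop
    'abort'     - no STARTTLS, and policy requires encryption
    """
    if "STARTTLS" in parse_ehlo(response):
        return "starttls"
    return "abort" if require_tls else "plaintext"


# Constructed EHLO replies for the example (hostnames are placeholders).
EHLO_WITH_TLS = (
    "250-mx.example.net Hello sender.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 PIPELINING\r\n"
)
EHLO_NO_TLS = (
    "250-legacy.example.net Hello sender.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


if __name__ == "__main__":
    for name, reply in (("mx.example.net", EHLO_WITH_TLS), ("legacy.example.net", EHLO_NO_TLS)):
        print(name, "advertises", sorted(parse_ehlo(reply)))
        print("  opportunistic policy ->", starttls_decision(reply, require_tls=False))
        print("  mandatory policy     ->", starttls_decision(reply, require_tls=True))
```

Against a live server, Python's `smtplib` makes the same decision for you: after `SMTP.ehlo()`, `SMTP.has_extn("starttls")` reports whether the extension was offered, and `SMTP.starttls(context=ssl.create_default_context())` performs the upgrade with certificate verification. The defensive takeaway is the `abort` branch: a sender that silently falls back to plaintext gives no signal that the protection the article describes was never applied.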
Security of the data storage servers
You also have to be sure that the servers where the data is stored are safe. If you store this data yourself, complying with the requirements of GDPR is the minimum. Keep your servers under surveillance 24/7, and limit the number of people who have access to them. This is mandatory for your company, and it is crucial to keeping your users’ information safe and, ultimately, their trust.
If you rely on a third party to store the data, look for solutions that offer the best guarantees. Redundancies, fire risk prevention, high security levels, energy self-sufficiency… Since you’re not the one directly managing the server, you have to be sure that all of these necessary precautions are followed, to ensure the maximum level of security. If you have European customers, having your servers located in Europe can also be a good idea, since the stricter European laws will apply.
“Organizations collect, process and hold ever-increasing volumes of personal data to enable relevant and timely email communication with their customers. Data security continues to be a huge responsibility and challenge, and they need assurance that their email service provider can deliver this.”
– Pierre Puchois, CTO Mailjet
Email security and privacy at Mailjet
Mailjet makes security a priority, which is why we decided to obtain the ISO 27001 certification, the international standard for best practices of information security process, which requires companies to not only implement company-wide processes pertaining to security policies, data handling and access, but also infrastructure changes.
Our security processes begin with our product development, and the scope, lifecycle and fundamental principles of Mailjet’s security policy are to the highest standard, ensuring all information hosted on the Google Cloud and OVH platforms is secure.
But by choosing Mailjet, you’re not only opting for an ESP that is ISO-certified, but also for one that has completed all the necessary steps to be GDPR-compliant, including the implementation of privacy frameworks, data protection by design, and the ability for individuals to easily have more control over their personal data.
“These accomplishments in data privacy and security propel Mailjet to another level of service excellence in the competitive email industry. We’re proud of these achievements and what it means not just for our clients, but for the individuals whose data we protect on behalf of our clients.” – Alexis Renard, CEO Mailjet