X
Tap here to go to the mobile version of the site.

Support Forum

We use Thunderbird to send work emails and given the introduction of GDPR on May 25, we need to know if your security levels support GDPR compliance

Posted

Hello! Just wondering with GDPR how we can continue to use Thunderbird to send work emails with client data and know they will be GDPR compliant. Any advice appreciated. Thank you Jane

Hello! Just wondering with GDPR how we can continue to use Thunderbird to send work emails with client data and know they will be GDPR compliant. Any advice appreciated. Thank you Jane

Chosen solution

It may be harder to configure and use email to send and receive information securly in GDPR compliance as you can't control your recipient's or senders compliance. Emails sent to GMail recipients come to mind.

UK's Information commissioner's office has a lot of information on compliance, this link is one of those simpler documents to check:

Thunderbird can be configured to:

  • Encrypt, decrypt and digitally sign your email communications, to avoid data breaches and leaks
  • Avoid collecting email addresses in your address books to comply with email communications opt-in / opt-out rules and regulations
  • Setup email signatures and / or headers to include disclaimers, links to privacy policies, etc.
  • Avoid sending large attachments directly - for example using the Filelink extension to store them in self-hosted storage using NextCloud (a solution recently chosen by the German government)

In my opinion your IT department should seek some legal guidance and assess what your risk is to be non-compliant, then address those concerns by looking at technical + human implications of implementing compliance. In many cases I suspect this will mean completely avoiding email and implementing new policies like "always digitally sign any emails".

As an example, if your company sends any documents including personal information, perhaps such process will need to be replaced with a secured website or offline process to completely avoid unencrypted email.

Read this answer in context 0

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

More Information

Fabián Rodríguez 70 solutions 557 answers

Chosen Solution

It may be harder to configure and use email to send and receive information securly in GDPR compliance as you can't control your recipient's or senders compliance. Emails sent to GMail recipients come to mind.

UK's Information commissioner's office has a lot of information on compliance, this link is one of those simpler documents to check:

Thunderbird can be configured to:

  • Encrypt, decrypt and digitally sign your email communications, to avoid data breaches and leaks
  • Avoid collecting email addresses in your address books to comply with email communications opt-in / opt-out rules and regulations
  • Setup email signatures and / or headers to include disclaimers, links to privacy policies, etc.
  • Avoid sending large attachments directly - for example using the Filelink extension to store them in self-hosted storage using NextCloud (a solution recently chosen by the German government)

In my opinion your IT department should seek some legal guidance and assess what your risk is to be non-compliant, then address those concerns by looking at technical + human implications of implementing compliance. In many cases I suspect this will mean completely avoiding email and implementing new policies like "always digitally sign any emails".

As an example, if your company sends any documents including personal information, perhaps such process will need to be replaced with a secured website or offline process to completely avoid unencrypted email.

It may be harder to configure and use email to send and receive information securly in GDPR compliance as you can't control your recipient's or senders compliance. Emails sent to GMail recipients come to mind. UK's Information commissioner's office has a lot of information on compliance, this link is one of those simpler documents to check: * https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf Thunderbird can be configured to: * Encrypt, decrypt and digitally sign your email communications, to avoid data breaches and leaks * Avoid collecting email addresses in your address books to comply with email communications opt-in / opt-out rules and regulations * Setup email signatures and / or headers to include disclaimers, links to privacy policies, etc. * Avoid sending large attachments directly - for example using [https://addons.mozilla.org/en-US/thunderbird/addon/nextcloud-filelink/ the Filelink extension] to store them in self-hosted storage using [https://www.nextcloud.com/ NextCloud] (a solution recently chosen by the German government) '''In my opinion''' your IT department should seek some legal guidance and assess what your risk is to be non-compliant, then address those concerns by looking at technical + human implications of implementing compliance. In many cases I suspect this will mean completely avoiding email and implementing new policies like "always digitally sign any emails". As an example, if your company sends any documents including personal information, perhaps such process will need to be replaced with a secured website or offline process to completely avoid unencrypted email.

Question owner

Thank you for taking the time to answer this so fully Fabian - your answer has flagged up some important issues - I think we will need to find a new communications solution after May 25 if we are to be GDPR compliant. Best wishes Jane

Thank you for taking the time to answer this so fully Fabian - your answer has flagged up some important issues - I think we will need to find a new communications solution after May 25 if we are to be GDPR compliant. Best wishes Jane