
Password protecting documents / GDPR

Should I password protect documents sent to clients by email?


I'm a sole practitioner with no staff, and use email to send clients' accounts, tax returns and payslips, which are sent as PDF attachments. Most of my clients are sole traders or single company directors and I've never had any issues sending documents in this way. My clients also send me documents and records via unprotected email. However, I'm wondering if I should at least password protect them? Maybe using clients' dates of birth? Any thoughts or comments would be much appreciated.
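The question raises a point worth making concrete: a date of birth is a poor password for an attachment, not because it is short, but because anyone who knows the convention only has to try the plausible dates. The script below is an added illustration, not code from this thread or from any product mentioned in it. It flags date-shaped passwords, compares their guess space with a randomly generated per-document password, and generates such a password from the operating system's CSPRNG. The date layouts, the 100-year window and the 62-character alphabet are assumptions made for the example.

```python
import math
import secrets
import string
from datetime import datetime

# Date layouts a "DOB as password" would plausibly take. This list is an
# assumption made for the example; add layouts your own clients might use.
DATE_LAYOUTS = ("%d%m%Y", "%d%m%y", "%Y%m%d", "%d/%m/%Y", "%d-%m-%Y", "%d.%m.%Y")

# Constructed assumption: living clients were born within a 100-year window.
DOB_WINDOW_YEARS = 100

# Character set used for generated per-document passwords.
ALPHABET = string.ascii_letters + string.digits


def looks_like_date(password: str) -> bool:
    """True if the candidate parses as a real calendar date in any layout above."""
    for layout in DATE_LAYOUTS:
        try:
            datetime.strptime(password, layout)
            return True
        except ValueError:
            continue
    return False


def dob_guess_space(years: int = DOB_WINDOW_YEARS) -> int:
    """Upper bound on the number of distinct dates in the window: the most a
    guesser who knows the DOB convention and the date layout has to try."""
    return years * 366


def entropy_bits(keyspace: int) -> float:
    """Guess space expressed in bits, for comparing password schemes."""
    return math.log2(keyspace)


def generate_document_password(length: int = 16) -> str:
    """Fresh random password from the OS CSPRNG, intended to be given to the
    client over a channel other than the email carrying the attachment."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def assess_password(password: str) -> dict:
    """Classify a proposed attachment password.

    A date-shaped password is rejected whatever its length: its effective
    guess space is the set of plausible dates, not the character set. The
    bits reported for other passwords assume a random draw from ALPHABET,
    which holds for generate_document_password() but not for human choices.
    """
    if looks_like_date(password):
        bits = entropy_bits(dob_guess_space())
        return {"acceptable": False, "reason": "date-shaped", "bits": round(bits, 1)}
    if len(password) < 12:
        return {"acceptable": False, "reason": "too short", "bits": None}
    bits = entropy_bits(len(ALPHABET) ** len(password))
    return {"acceptable": True, "reason": "ok", "bits": round(bits, 1)}


if __name__ == "__main__":
    for candidate in ("12031985", "12/03/1985", generate_document_password()):
        print(candidate, assess_password(candidate))
```

A date password in any of the listed layouts comes out at roughly 15 bits, i.e. a few tens of thousands of guesses, against about 95 bits for a 16-character generated password. Whatever tool applies the PDF or archive password, the password itself should never travel in the same email as the attachment.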

Replies (17)


By Wilson Philips
02nd Sep 2020 14:31

You need to get up to speed with GDPR requirements - pronto.

Thanks (0)
Replying to Wilson Philips:
By Skater
02nd Sep 2020 14:36

Thanks appreciate the comment but unless I missed something I've not yet found anything in the legislation that says documents sent by email must be password protected.

Thanks (2)
By Sarah Z
02nd Sep 2020 14:50

You are sending personal data without password protection and not encrypted. Agree you need to get up to speed on GDPR rules.

https://gdpr.eu/email-encryption/#:~:text=The%20GDPR%20requires%20organi...'s%20privacy%20rights.&text=From%20names%20and%20email%20addresses,new%20requirements%20on%20data%20protection.

Thanks (0)
Replying to Sarah Z:
By Skater
02nd Sep 2020 16:45

Thanks I may have missed something but can you direct me to where the GDPR rules state all personal data MUST be sent with password protection and encrypted?

Thanks (0)
Replying to Skater:
By Wilson Philips
02nd Sep 2020 17:11

They don't - the Regulations simply tell you what you need to do, not how.

It's up to you to decide whether or not your procedures are in compliance with those Regulations. And it's not for anyone here to tell you what you should do, so ignore my initial response.

Personally, I would not send any personal data via unencrypted/unprotected email because I would consider that to be non-compliant. You might think otherwise - that's fine by me.

Thanks (1)
By Southwestbeancounter
02nd Sep 2020 14:54

I wouldn't send anything financially sensitive via email without doing it securely, despite the fact that banks etc often do!

This is who we use: https://stayprivate.com/business.html

They were free when we signed up and might still be. The system works well with a log in pin number chosen by the client (which only they know). The only problem is when clients forget their log in and ask us to reset it which we cannot although it does give them the 'forgotten password' option to reset it. You can also log onto the remote server and see when clients have actually downloaded documents which is a bonus as some forget to say 'thank you'!!

Thanks (0)
By lionofludesch
02nd Sep 2020 15:21

You can do anything you like so long as you have the client's permission.

Do you have it?

Have you asked for it?

Thanks (2)
Replying to lionofludesch:
By Skater
02nd Sep 2020 16:29

Yes, it's incorporated in our letters of engagement, which are signed by the client.

Thanks (0)
By Ivor Windybottom
02nd Sep 2020 15:33

Anything needing signing is much better sent via an online portal such as Adobe Sign, as the client can then securely sign the document and everyone gets a copy. Once you've done it you won't go back.

Messing around with PDFs in e-mails is soo 2019!

Thanks (1)
Replying to Ivor Windybottom:
By Wilson Philips
02nd Sep 2020 15:47

Agreed.

Whilst GDPR does allow a degree of discretion as regards the extent of encryption, depending on nature/sensitivity of content, cost etc etc, we took the view that it was far easier to remove the subjectivity and pretty much ALL documents sent to clients and contacts are done so by bespoke cloud-based file transfer facility.

Thanks (0)
Replying to Ivor Windybottom:
By Skater
02nd Sep 2020 16:34

I actually use that already but also attach the accounts and tax return to a covering email as well. I guess that's actually just not necessary.

Thanks (0)
By Moonbeam
02nd Sep 2020 17:42

You could set up a free Dropbox account and share files with them that way.
I use Iris Open Space for these sorts of files.
The only time I attach sensitive data to emails, I password protect it.
I have a large client with lots of staff and I am paranoid about getting a request for information sent online about someone, so I don't use people's names in the email itself.

Thanks (0)
By Jennifer Adams
02nd Sep 2020 18:08

I use the extremely brilliant and very cost effective Accountancymanager incl for e-signing.

Yesterday I attended a very good webinar given by the Cyber section of the Dorset and Wiltshire police in conjunction with FSB and it really was an eye opener. How easy it is to hack your emails with clients' sensitive info.

Our clients' accounts are their life on one piece of paper.
Don't just think about complying with GDPR .. would you like your personal finances, NIC code, address, savings info, even bank details if there is a refund for example, etc. to go to someone you don't know?
Says it all really.

Thanks (3)
Replying to Jennifer Adams:
By Barry Adams
10th Sep 2020 16:37

We use Accountancy Manager and it is great. It still leaves the dilemma of how you send attachments to third parties like mortgage advisors?

Thanks (0)
Replying to Barry Adams:
By Wilson Philips
10th Sep 2020 16:45

Our main problem is in sending documents to HMRC (who themselves are pretty lackadaisical - we've received a number of unencrypted files containing personal data). They will not accept links to cloud-based transfer. And only certain departments accept zip files, and even then that has to be by prior arrangement.

Thanks (0)
Replying to Wilson Philips:
By Cheshire
10th Sep 2020 18:45

Yet they ask us to use dropbox when it suits them.

Thanks (0)
Replying to Cheshire:
By paulwakefield1
11th Sep 2020 08:02

That must put them on dodgy GDPR ground after the recent EU rulings regarding the US Privacy Shield, with Dropbox servers being largely in the US (unless one has one of the higher cost Dropbox options and specifies non-US servers).

Thanks (0)