GDPR-compliant services for businesses
Using GDPR-compliant services in your organization saves time and limits your exposure to data breaches and regulatory penalties.
The EU General Data Protection Regulation requires organizations that serve EU residents to keep their users’ personal data safe and preserve their data privacy rights. While most major digital service providers are, strictly speaking, GDPR compliant, some are more committed to protecting user data than others.
Why use GDPR-compliant services
If anyone in your organization uses third-party services to communicate or store personal data, then those companies are considered “data processors” and must be GDPR-compliant services. GDPR compliance is not black and white; it’s more like a continuum. For example, Google and Facebook are probably GDPR compliant in a lot of ways. But in some others, they may not be.
As a business leader, it is beneficial to use GDPR-compliant services, both for regulatory and data security reasons. Several aspects of the GDPR relate to the subcontractors your company uses, detailing your responsibilities as a data controller:
- Chapter 3 of the GDPR covers the many data privacy rights that people in the EU have. Your data processors must facilitate the exercise of those rights.
- Chapter 4 covers many of the responsibilities of the data processor. These include the use of encryption where possible.
- You must also be sure to use a GDPR data processing agreement with each of your vendors.
All of the services below incorporate end-to-end encryption or other security and privacy features. Some even offer features specifically for GDPR compliance, such as Matomo’s option to anonymize traffic statistics. Using encryption and minimizing the amount of data you collect can help your business stay clear of regulators and avoid GDPR fines.
Email
Proton Mail is the world’s largest and most well-known encrypted email company. Its millions of users even include European Union governments. The European Commission has awarded Proton Mail two Horizon 2020 grants, an endorsement of the service’s security and ease of use. Proton Mail offers a web app and mobile apps for Android and iPhone.
Launched in 1999, Hushmail was one of the first end-to-end encrypted email services. Similar to Proton Mail, it provides end-to-end encryption for its messages, including to non-Hushmail accounts. The company serves tens of thousands of customers in a variety of industries and offers an iPhone app.
Tutanota is an end-to-end encrypted email service based in Germany, with apps for iPhone and Android in addition to the web app. The service is notable for being fully open source and offering free plans for nonprofit organizations.
Like Hushmail, Mailfence was early to the end-to-end encrypted email game. After nearly two decades, the developers have added an encrypted calendar and file storage, but the interface appears somewhat dated.
VPN
An unsecured Internet connection could lead to a costly data breach and subsequent GDPR penalties. One way to help prevent exposing your team’s traffic to hackers and others surveilling the network is to institute a company-wide VPN policy. ProtonVPN is developed by the same team of CERN engineers and developers who created Proton Mail. It is the only VPN that offers Secure Core technology. It uses the strongest proven protocols, perfect forward secrecy, and does not log its users’ activity.
AirVPN is an open source project started in 2010 in Italy, operated by activists dedicated to online privacy. This VPN offers users several unique transparency features, such as the ability to verify bandwidth. AirVPN does not require any personal data from its users and it does not log its users’ traffic.
Analytics
If your website analytics service captures the personal data of people in the EU, then you must ensure your processing activities comply with the GDPR (even if you aren’t in the EU). As a privacy-focused analytics service, Matomo makes this extremely easy. You can configure Matomo to automatically anonymize all the user data, basically exempting you from the GDPR (at least as far as site analytics are concerned). Even if you don’t want to anonymize the data, Matomo provides a number of GDPR compliance tools to help you comply efficiently.
A somewhat less user-friendly option is Open Web Analytics. The benefit of OWA, however, is that the service is open source and free for anyone to use. In addition to allowing you to anonymize IP addresses, OWA gives you ownership of your data. By owning your analytics data, you can assure it is not being used for purposes in violation of the GDPR.
Messaging
Signal is widely considered the most secure and private messaging app. It supports text chat (including group chats) and voice and video calls (but not group calls — for this functionality, see Wire below). All communications are end-to-end encrypted between Signal users. The service supports apps for Android, iOS, and desktop.
Although WhatsApp’s privacy policies are not ideal and it is owned by Facebook, it is nonetheless the largest end-to-end encrypted messaging service in the world. The Irish data protection authority has also ruled that WhatsApp is sufficiently secure to be used in some cases as a GDPR-compliant messaging service.
Threema is truly anonymous, requiring no phone number to create an account. It is also protected by Swiss privacy laws and even offers an affordable enterprise service for team collaboration.
Olvid is an open-source, end-to-end encrypted messenger app. Like Threema, it does not require a phone number to register, so you can use the service anonymously. It also offers video conference calls.
Cloud storage
Proton Drive is the end-to-end encrypted cloud storage service developed by the team behind Proton Mail. It allows you to automatically back up sensitive files and store them encrypted in the cloud. For GDPR compliance, you can password-protect file-sharing links and set expiration dates for them.
Tresorit is a Switzerland-based cloud storage service used by over 10,000 organizations. For GDPR compliance, Tresorit allows managers to set permissions, protect data when sharing files externally, and set an expiration date for links.
Sync.com offers much of the same functionality as Tresorit, including end-to-end encryption, secure sharing features, and real-time backup. Given that the two services are so similar, the major differences are pricing and location: Sync is cheaper, but it falls under Canadian jurisdiction.
Boxcryptor allows you to benefit from end-to-end encryption while continuing to use non-private cloud storage services, such as Google Drive or Dropbox. The service, based in Germany, helps reduce your risk of a data breach and its encryption qualifies as a “technical and organizational measure” required under GDPR Article 32.
Team collaboration
Wire is the end-to-end encrypted answer to Slack. Based in Switzerland, Wire was built for businesses, offering group video conferencing, file sharing, and chat — all of which is seamlessly end-to-end encrypted inside the app. The service is GDPR compliant and can help limit your regulatory exposure by hardening your organization against hacks. Wire is also independently audited, open source, and dedicated to privacy.
Notes
If you like to jot things down at work, there’s a chance your notes could contain names, email addresses, or other personal data protected under the GDPR. Yes, even paper notes are subject to data privacy laws. Standard Notes is a simple note-taking app that allows you to sync your notes on all your devices while also being end-to-end encrypted.
Joplin is a decentralized alternative to unencrypted note-taking apps. However, unlike Standard Notes, its end-to-end encryption feature must be enabled manually (it’s best to do this the very first time you open the app). Joplin also uses Markdown editing, which may be unfamiliar to some users at first.
Know some good GDPR-compliant services that aren’t on this list? Let us know in the comments. And check out our GDPR compliance checklist for help keeping your organization above board.