Where GDPR applies
GDPR applies to any business storing, sharing, sending or receiving the personal data of European Union and UK citizens, wherever in the world that business is located. Fines for GDPR breaches are substantial, up to €20 million or 4% of annual global turnover, whichever is greater. Post-Brexit, GDPR continues to apply in the UK, and the UK government has confirmed that it has no intention to change the law in this regard.
Under GDPR, emails containing personal information need to stay private
GDPR rules proscribe that all communications containing any data which allows a person to be identified should be kept secure. Organizations are required to ensure that appropriate technical or organizational measures are in place to ensure confidentiality of personal data, and if a communication is accessed by a third party it is a data breach.
It is a GDPR breach to send an email containing personal information to a client with a free webmail account (such as Gmail, Hotmail, Yahoo etc.)
Free webmail accounts are free for a reason: the webmail provider gets access to the data. By sending an email containing personal information to a webmail account you are sharing that information with the webmail provider. This is a clear breach of the rules.
The problem may be the client’s doing, but the company is on the hook
The data breach only arises because the client is using a free webmail account. If the client had their own private email account (as companies do) the problem would not arise. It might seem a little unfair that the company, not the client, is the one liable for the fine, but those are the rules. And companies can avoid the problem by either not using email entirely or implementing a corporate email encryption solution.
StayPrivate is the simple solution
StayPrivate only takes a few minutes to implement across your entire organization. StayPrivate's simple, seamless email & value-added web interface and apps ensure that, as well as being convenient, your clients also get a great experience.
 GDPR Art 4, 2: ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
 GDPR Art. 4, 1: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
 GDPR Art. 5, 1(f): Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’). GDPR Art. 5, 2: The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).