Safe File Sharing With Customers and Partners: What to Use and What to Avoid.
A Letterkenny solicitor's practice routinely sent contracts, financial documents, and personal identification to clients as email attachments: unencrypted, delivered to whatever device the client happened to use, and stored in the sent folder forever. It was how they had always done it. It was how most of their clients expected to receive documents.
When the Data Protection Commission contacted them following a complaint that a client's documents had been received by the wrong email address — a simple typo in the recipient field — the practice's lack of any secure file transfer process became a significant regulatory conversation.
The risk of unsecured file sharing is not theoretical. For Irish professional services firms, healthcare providers, accountancy practices, and anyone who exchanges sensitive documents with clients, the file transfer method is a material part of the data protection obligation.
What Is the Problem With Email Attachments?
Standard email is not encrypted end-to-end. It passes through multiple servers, can be intercepted in transit, and is stored in both the sender's sent folder and the recipient's inbox indefinitely. A document emailed to a client is, from a data protection standpoint, a document delivered to a potentially insecure location and stored in multiple places the business no longer controls.
The specific risks are: delivery to the wrong recipient (a typo in the email address is the most common cause); interception in transit on insecure networks; indefinite retention in both parties' email archives; and no audit trail of who accessed the document after delivery.
For documents that contain personal data — which is most documents exchanged between professional services firms and their clients — each of these risks has a GDPR dimension.
What to Avoid
Consumer-grade file sharing services. WhatsApp, Facebook Messenger, personal Google Drive (shared via personal Google accounts), and the WeTransfer free tier are widely used by Irish SMEs to share documents with clients because they are easy and the client already has them. The problems: these services store data in consumer cloud environments with no contractual data protection obligations to the business, no audit logging, no access controls, and no deletion process. Under GDPR, using a consumer-grade service to share personal data with clients means the data is being processed in an environment where the business has no data processing agreement and no ability to exercise its controller obligations.
Unencrypted USB drives. Still common for document delivery at in-person meetings. A USB drive that is not encrypted and is lost or left in a client's office contains whatever documents are on it, accessible to anyone who finds it, with no ability to remotely revoke access.
"Secure" email disclaimers. An email footer that says "this email and its contents are confidential" provides no security whatsoever. Confidentiality disclaimers do not encrypt content, do not prevent interception, and have no legal force in the context of data protection.
How does your business currently share sensitive documents with clients? If the honest answer is "by email attachment or WhatsApp," that is a gap worth addressing, both for data protection and for professional credibility with enterprise clients.
What to Use Instead
Microsoft SharePoint or OneDrive with specific sharing links. For businesses on Microsoft 365, sharing a document via a specific, authenticated link is significantly more secure than emailing an attachment. The document remains in the business's Microsoft 365 environment. Access can be set to expire after a defined period. The sharing link can be revoked. Access logs show who accessed the document and when. This approach requires no additional software and is available in the Microsoft 365 subscription most Irish SMEs already hold.
Dedicated secure file transfer platforms. For businesses that regularly share sensitive documents with clients — law firms, accountancy practices, financial advisers — dedicated secure portal platforms provide a client-facing interface where documents can be uploaded, accessed via authenticated login, and tracked. Platforms like ShareVault, Clinked, or industry-specific portals (many legal and accountancy software packages include this functionality) provide audit logs, access controls, and a professional client experience.
S/MIME or PGP email encryption. For businesses whose clients are technically sophisticated and willing to use email encryption, S/MIME provides end-to-end encryption for email attachments. Practical for business-to-business exchange but rarely practical for business-to-consumer.
Encrypted file delivery services. Services like Tresorit and ProtonDrive offer end-to-end encrypted file sharing with a simpler client experience than dedicated portals. For occasional use where a full portal is not warranted, these provide a significantly more secure alternative to consumer file-sharing services.
The Client Experience Trade-Off
The legitimate objection to secure file sharing is client friction. Clients who are accustomed to receiving documents by email attachment may resist being asked to log into a portal or click a secure link instead.
The practical response is to frame it as a security upgrade ("we now send all confidential documents through our secure document portal to protect your personal information") and to choose a platform that minimises the client-side friction. A secure sharing link with single-click access (rather than requiring portal registration) provides meaningful security improvement with almost no client friction.
What Next
Audit how your business currently shares documents containing personal data. Email attachments, WhatsApp, WeTransfer? List the methods and the data categories shared through each.
Implement SharePoint or OneDrive specific sharing links for standard document exchange. For Microsoft 365 users, this is the lowest-friction upgrade — no new tools, same content, materially better security.
Evaluate a dedicated portal if your volume of sensitive document exchange warrants it. For law firms, accountancy practices, and financial advisers in Donegal and the North-West, a client portal is increasingly an expected professional standard as well as a compliance improvement.
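For the audit step above, one way to get a first tally of sharing methods from exported sent mail. This is an added example, not code from the article; the firm domain `example-practice.ie`, the list of link hosts and the sample messages are constructed assumptions, and it counts methods only, not data categories.

```python
import email
import re
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

OWN_DOMAIN = "example-practice.ie"  # assumption: the firm's own mail domain
# Assumption: link hosts used by consumer services the article names.
CONSUMER_HOSTS = {"wetransfer.com": "WeTransfer", "we.tl": "WeTransfer",
                  "drive.google.com": "Google Drive"}
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

def audit_message(raw):
    """Return the sharing methods one sent message used with external recipients."""
    msg = email.message_from_string(raw, policy=policy.default)
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if all(addr.lower().endswith("@" + OWN_DOMAIN) for _, addr in rcpts):
        return []  # internal-only mail is out of scope for this audit
    found = set()
    if next(msg.iter_attachments(), None) is not None:
        found.add("email attachment")
    body = msg.get_body(preferencelist=("plain", "html"))
    for host in URL_HOST.findall(body.get_content() if body else ""):
        host = host.lower().rstrip(".")
        for known, label in CONSUMER_HOSTS.items():
            if host == known or host.endswith("." + known):
                found.add(label + " link")
    return sorted(found)

def audit(messages):
    """Tally sharing methods across a batch of raw RFC 5322 messages."""
    return sum((Counter(audit_message(m)) for m in messages), Counter())

def _sample(to, body, attachment=None):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "partner@" + OWN_DOMAIN, to, "Documents"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="pdf", filename=attachment)
    return m.as_string()

SAMPLES = [  # constructed sent items, not real mail
    _sample("client@example.com", "ID scan attached.", "passport.pdf"),
    _sample("client@example.com", "Download: https://we.tl/t-constructed"),
    _sample("colleague@" + OWN_DOMAIN, "Draft attached.", "draft.pdf"),
    _sample("buyer@example.org", "See https://drive.google.com/file/d/x", "c.pdf"),
]
```

Calling `audit(SAMPLES)` returns a `Counter` keyed by method; point it at the raw text of real exported messages to replace the constructed samples.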
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.