GDPR requires password protected email attachments when sensitive data is being emailed. The herd are using the “Protect Document” feature in Office365 to achieve this. the only restriction being that the recipient must have office365 to open that protection.
not everyone has office365 and it’s not cheap now with yearly fees per laptop, even fewer people have s/mime certificates and fewer still even know what one is.
for outgoing attachments the dutch government recommend installing a NextCloud instance on the webserver to provide your Outlook, Thunderbird etc with an “attachments being converted to a password protected download link” facility. remember you must tell the recipient what the password is preferably not-by-email.
NextCloud also allows you to create a password protected upload link to email out, where the recipient clicks to end up on your NextCloud web page, entering the password to upload documents etc to your private cloud.
another way to close the GDPR gap for incoming mail, is to post a HTTPS secure web-form on the website to send encrypted email back to base. this is implemented as the contact form on this wordpress. anyone can now send a truly private message, without any subscription or special software straight from their browser.
owners of such webforms can make their email contacts aware of the facility by placing a link to their ‘contact-us’ page in the footer of every email they send